diff --git a/charts/matomo/Chart.yaml b/charts/matomo/Chart.yaml
new file mode 100644
index 00000000..93e2e3e1
--- /dev/null
+++ b/charts/matomo/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: "5.3.2"
+description: A Helm chart for Matomo
+name: matomo
+version: 11.0.53
diff --git a/charts/matomo/templates/NOTES.txt b/charts/matomo/templates/NOTES.txt
new file mode 100644
index 00000000..8b291f1c
--- /dev/null
+++ b/charts/matomo/templates/NOTES.txt
@@ -0,0 +1,26 @@
+Thank you for installing {{ .Chart.Name }} from Digitalist.
+
+{{- if empty (.Values.matomo.dashboard.hostname) -}}
+###############################################################################
+### ERROR: You didn't provide a host for matomo dashboard ###
+###############################################################################
+{{- end -}}
+
+{{- if empty (.Values.matomo.tracker.hostname) -}}
+###############################################################################
+### ERROR: You didn't provide a host for matomo tracker ###
+###############################################################################
+{{- end -}}
+
+Your release is named {{ .Release.Name }}.
+
+At post install, job tuns on the install, and creates the first
+site, this could fail a couple of times, but should succeed in the end.
+
+After installation is complete, you can access your website by this url:
+{{ .Values.matomo.dashboard.hostname }}
+
+To learn more about the release, try:
+
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
\ No newline at end of file
diff --git a/charts/matomo/templates/_helpers.tpl b/charts/matomo/templates/_helpers.tpl
new file mode 100644
index 00000000..f581face
--- /dev/null
+++ b/charts/matomo/templates/_helpers.tpl
@@ -0,0 +1,91 @@
+{{/* Generate basic labels */}}
+{{- define "matomo.labels" }}
+ labels:
+ app.kubernetes.io/name: {{ .name }}
+ app.kubernetes.io/instance: {{ .instance }}
+ app.kubernetes.io/component: {{ .component }}
+ app.kubernetes.io/part-of: {{ .partOf }}
+ app.kubernetes.io/managed-by: {{ .managedBy }}
+{{- end }}
+
+{{- define "matomo.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{- define "matomo.license" -}}
+ {{- if .Values.matomo.license }}
+- name: MATOMO_LICENSE
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.matomo.license.secretKeyRef.name }}
+ key: {{ .Values.matomo.license.secretKeyRef.key }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "matomo.init" -}}
+initContainers:
+ - name: matomo-init
+ image: {{.Values.matomo.image}}
+ securityContext:
+ runAsUser: {{.Values.matomo.runAsUser}}
+ privileged: false
+ allowPrivilegeEscalation: false
+ imagePullPolicy: Always
+ env:
+ - name: MATOMO_FIRST_USER_NAME
+ value: {{.Values.matomo.dashboard.firstuser.username}}
+ - name: MATOMO_FIRST_USER_EMAIL
+ value: {{.Values.matomo.dashboard.firstuser.email}}
+ - name: MATOMO_FIRST_USER_PASSWORD
+ value: {{.Values.matomo.dashboard.firstuser.password}}
+ - name: MATOMO_DB_HOST
+ value: {{.Values.db.hostname}}
+ - name: MATOMO_DB_NAME
+ value: {{.Values.db.name}}
+{{ if .Values.db.prefix }}
+ - name: MATOMO_DB_PREFIX
+ value: {{.Values.db.prefix}}
+{{ end }}
+ - name: MATOMO_DB_USERNAME
+ value: {{.Values.db.username}}
+ - name: MATOMO_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.db.password.secretKeyRef.name }}
+ key: {{ .Values.db.password.secretKeyRef.key }}
+{{ include "matomo.license" . | nindent 4 }}
+ command: [ 'sh' , '-c' , 'rsync -crlOt --no-owner --no-group --no-perms /usr/src/matomo/ /var/www/html/ && {{.Values.matomo.installCommand}}' ]
+ resources:
+ limits:
+ cpu: 200m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ volumeMounts:
+ - name: static-data
+ mountPath: /var/www/html
+ - name: matomo-configuration
+ mountPath: /tmp/matomo/
+ readOnly: true
+
+{{- end -}}
\ No newline at end of file
diff --git a/charts/matomo/templates/configmap-matomo-cronjob-php.yaml b/charts/matomo/templates/configmap-matomo-cronjob-php.yaml
new file mode 100644
index 00000000..8dfafa99
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo-cronjob-php.yaml
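Review bot: `MATOMO_FIRST_USER_PASSWORD` in `matomo.init` is rendered as a plain `value:` from `.Values.matomo.dashboard.firstuser.password`, so the initial superuser password lands in the pod spec and in `helm get values`, readable by anyone with pod read access, while `MATOMO_DB_PASSWORD` a few lines below already uses `valueFrom.secretKeyRef`; the first-user password should follow that pattern. The username, email, DB host/name/prefix and password are interpolated without `| quote`, so a value that YAML types differently (numeric-looking, or containing `: ` or ` #`) retypes or breaks the manifest; `value: {{ .Values.db.name | quote }}` on each of them is the usual fix. `installCommand` is spliced into a single-quoted `sh -c` string, so a value containing `'` ends the command early, which deserves a comment on that values key. The rewritten password entry, with the new values keys left as placeholders for the chart to name:
```yaml
        - name: MATOMO_FIRST_USER_PASSWORD
          valueFrom:
            secretKeyRef:
              # PLACEHOLDER keys: point at the Secret/key holding the first-user password
              name: {{ .Values.matomo.dashboard.firstuser.passwordSecretKeyRef.name }}
              key: {{ .Values.matomo.dashboard.firstuser.passwordSecretKeyRef.key }}
```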
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-cronjob-php
+ namespace: {{.Values.namespace}}
+{{- if .Values.matomo.php }}
+data:
+ zz-global.ini: |
+ expose_php={{ .Values.matomo.php.expose_php | default "Off" }}
+ opcache.memory_consumption={{ .Values.matomo.php.opcache_memory_consumption | default "512" }}
+ opcache.jit_buffer_size={{ .Values.matomo.php.opcache_jit_buffer_size | default "256M" }}
+ opcache.jit={{ .Values.matomo.php.opcache_jit | default "1235" }}
+ max_execution_time={{ .Values.matomo.php.max_execution_time | default "0" }}
+ post_max_size={{ .Values.matomo.php.post_max_size | default "1500M" }}
+ upload_max_filesize={{ .Values.matomo.php.upload_max_filesize | default "32M" }}
+ max_input_time={{ .Values.matomo.php.max_input_time | default "3600" }}
+ max_file_uploads={{ .Values.matomo.php.opcache_max_file_upload| default "300" }}
+ memory_limit={{ .Values.matomo.php.memory_limit | default "2G" }}
+ display_errors={{ .Values.matomo.php.display_errors | default "Off" }}
+ error_reporting={{ .Values.matomo.php.error_reporting | default "22527" }}
+ mysqli.reconnect={{ .Values.matomo.php.mysqli_reconnect | default "On" }}
+ mysqli.allow_local_infile={{ .Values.matomo.php.mysqli_allow_local_infile | default "On" }}
+ default_socket_timeout={{ .Values.matomo.php.default_socket_timeout | default "20" }}
+ max_input_vars={{ .Values.matomo.php.max_input_vars | default "2000" }}
+{{ else }}
+data:
+ zz-global.ini: |
+ expose_php=Off
+ opcache.memory_consumption=512
+ opcache.jit_buffer_size=256M
+ opcache.jit=1235
+ max_execution_time=0
+ post_max_size=1500M
+ upload_max_filesize=32M
+ max_input_time=1800
+ max_file_uploads="300"
+ memory_limit=2G
+ display_errors=Off
+ error_reporting="22527"
+ mysqli.reconnect=On
+ mysqli.allow_local_infile=On
+ default_socket_timeout=20
+ max_input_vars=2000
+{{- end }}
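Review bot: The two branches render different defaults for the same setting: with `matomo.php` present an unset `max_input_time` becomes `3600`, while the `else` branch hard-codes `max_input_time=1800`, so setting any single `matomo.php` key silently doubles an unrelated limit; `configmap-matomo-scheduledtasks-php.yaml` in this commit has the same 3600/1800 split. Here, in the dashboard ConfigMap and in the scheduledtasks one, `max_file_uploads` also reads the values key `opcache_max_file_upload`, which looks copied from the opcache lines and means a user setting `matomo.php.max_file_uploads` is ignored. Rendering every line once from a nil-safe lookup, e.g. `max_input_time={{ (.Values.matomo.php | default dict).max_input_time | default "3600" }}`, would remove the duplicated `else` branch and the drift with it, since `.Values.matomo.php` may be unset, which is presumably why the `if` exists. `mysqli.allow_local_infile=On` is enabled in both branches; because LOCAL INFILE lets the MySQL server side request files readable by the PHP process, a comment on that line naming why it is on (presumably Matomo's LOAD DATA INFILE bulk inserts) would keep a later reviewer from flipping it without knowing the trade-off.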
diff --git a/charts/matomo/templates/configmap-matomo-dashboard-php.yaml b/charts/matomo/templates/configmap-matomo-dashboard-php.yaml
new file mode 100644
index 00000000..cf38487d
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo-dashboard-php.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-dashboard-php
+ namespace: {{.Values.namespace}}
+{{- if .Values.matomo.php }}
+data:
+ zz-global.ini: |
+ expose_php={{ .Values.matomo.php.expose_php | default "Off" }}
+ opcache.memory_consumption={{ .Values.matomo.php.opcache_memory_consumption | default "512" }}
+ opcache.interned_strings_buffer={{ .Values.matomo.php.opcache_interned_strings_buffer | default "16" }}
+ opcache.save_comments={{ .Values.matomo.php.opcache_save_comments | default "1" }}
+ opcache.jit_buffer_size={{ .Values.matomo.php.opcache_jit_buffer_size | default "256M" }}
+ opcache.jit={{ .Values.matomo.php.opcache_jit | default "1235" }}
+ max_execution_time={{ .Values.matomo.php.max_execution_time | default "300" }}
+ post_max_size={{ .Values.matomo.php.post_max_size | default "1500M" }}
+ upload_max_filesize={{ .Values.matomo.php.upload_max_filesize | default "32M" }}
+ max_input_time={{ .Values.matomo.php.max_input_time | default "3600" }}
+ max_file_uploads={{ .Values.matomo.php.opcache_max_file_upload| default "300" }}
+ memory_limit={{ .Values.matomo.php.memory_limit | default "2G" }}
+ display_errors={{ .Values.matomo.php.display_errors | default "Off" }}
+ error_reporting={{ .Values.matomo.php.error_reporting | default "22527" }}
+ mysqli.reconnect={{ .Values.matomo.php.mysqli_reconnect | default "On" }}
+ mysqli.allow_local_infile={{ .Values.matomo.php.mysqli_allow_local_infile | default "On" }}
+ default_socket_timeout={{ .Values.matomo.php.default_socket_timeout | default "20" }}
+{{ else }}
+data:
+ zz-global.ini: |
+ expose_php=Off
+ opcache.memory_consumption=512
+ opcache.interned_strings_buffer=16
+ opcache.save_comments=1
+ opcache.jit_buffer_size=256M
+ opcache.jit=1235
+ max_execution_time=300
+ post_max_size=1500M
+ upload_max_filesize=32M
+ max_input_time=3600
+ max_file_uploads="300"
+ memory_limit=2G
+ display_errors=Off
+ error_reporting="22527"
+ mysqli.reconnect="On"
+ mysqli.allow_local_infile="On"
+ default_socket_timeout="20"
+{{- end }}
diff --git a/charts/matomo/templates/configmap-matomo-disable-xdebug.yaml b/charts/matomo/templates/configmap-matomo-disable-xdebug.yaml
new file mode 100644
index 00000000..c8e4dfad
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo-disable-xdebug.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-disable-xdebug
+ namespace: {{.Values.namespace}}
+data:
+ docker-php-ext-xdebug.ini: |
+ ; turned off
diff --git a/charts/matomo/templates/configmap-matomo-phpfpm-tracker.yaml b/charts/matomo/templates/configmap-matomo-phpfpm-tracker.yaml
new file mode 100644
index 00000000..17746c70
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo-phpfpm-tracker.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-phpfpm-tracker
+ namespace: {{.Values.namespace}}
+{{- if .Values.matomo.tracker.phpfpm }}
+data:
+ zz-global.conf: |
+ [www]
+ pm = {{ .Values.matomo.tracker.phpfpm.type | default "ondemand" }}
+ pm.max_children = {{ .Values.matomo.tracker.phpfpm.max_children | default 75 }}
+ pm.process_idle_timeout = {{ .Values.matomo.tracker.phpfpm.process_idle_timeout | default "600s" }}
+ pm.max_requests = {{ .Values.matomo.tracker.phpfpm.max_requests | default 500 }}
+ pm.start_servers = {{ .Values.matomo.tracker.phpfpm.start_servers | default 5 }}
+ pm.min_spare_servers = {{ .Values.matomo.tracker.phpfpm.min_spare_servers | default 5 }}
+ pm.max_spare_servers = {{ .Values.matomo.tracker.phpfpm.max_spare_servers | default 75 }}
+ php_admin_value[memory_limit] = {{ .Values.matomo.tracker.phpfpm.memory_limit | default "2048M" }}
+ pm.status_path = {{ .Values.matomo.tracker.phpfpm.status_path | default "/status" }}
+{{ else }}
+data:
+ zz-global.conf: |
+ [www]
+ pm = "ondemand"
+ pm.max_children = 75
+ pm.process_idle_timeout = "10s"
+ pm.max_requests = 500
+ pm.start_servers = 5
+ pm.min_spare_servers = 5
+ pm.max_spare_servers = 75
+ php_admin_value[memory_limit] = "2048M"
+ pm.status_path = "/status"
+{{- end }}
\ No newline at end of file
diff --git a/charts/matomo/templates/configmap-matomo-phpfpm.yaml b/charts/matomo/templates/configmap-matomo-phpfpm.yaml
new file mode 100644
index 00000000..f73bc49a
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo-phpfpm.yaml
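Review bot: The `else` branch pins `pm.process_idle_timeout = "10s"` while the templated branch defaults the same key to `"600s"`, so a user who sets any one `matomo.tracker.phpfpm` key gets a sixty-fold longer idle timeout without touching it; the two should agree, as they do in `configmap-matomo-phpfpm.yaml` (`"480s"` in both branches). `pm.status_path = "/status"` is enabled unconditionally in both pools, and the tracker nginx config in this same commit forwards `location ~ ^/(status)$` to the same FastCGI backend with no `allow`/`deny`, so the pool's process and request details are readable from the public tracker port unless something upstream filters that path; either leave the status path unset by default or restrict that location. The `else` branch quotes its values (`pm = "ondemand"`) where the templated branch does not, and `configmap-matomo-phpfpm.yaml` has `pm ="ondemand"` with the space missing; php-fpm tolerates all of these, but making both branches byte-for-byte the same form keeps the drift above visible in review.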
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-phpfpm
+ namespace: {{.Values.namespace}}
+{{- if .Values.matomo.phpfpm }}
+data:
+ zz-global.conf: |
+ [www]
+ pm = {{ .Values.matomo.phpfpm.type | default "ondemand" }}
+ pm.max_children = {{ .Values.matomo.phpfpm.max_children | default 100 }}
+ pm.start_servers = {{ .Values.matomo.phpfpm.start_servers | default 5 }}
+ pm.min_spare_servers = {{ .Values.matomo.phpfpm.min_spare_servers | default 5 }}
+ pm.max_spare_servers = {{ .Values.matomo.phpfpm.max_spare_servers | default 75 }}
+ pm.max_requests = {{ .Values.matomo.phpfpm.max_requests | default 500 }}
+ pm.process_idle_timeout = {{ .Values.matomo.phpfpm.process_idle_timeout | default "480s" }}
+ php_admin_value[memory_limit] = {{ .Values.matomo.phpfpm.memory_limit | default "2048M" }}
+ pm.status_path = {{ .Values.matomo.phpfpm.status_path | default "/status" }}
+{{ else }}
+data:
+ zz-global.conf: |
+ [www]
+ php_admin_value[memory_limit] = "2048M"
+ pm ="ondemand"
+ pm.max_children = 100
+ pm.start_servers = 5
+ pm.min_spare_servers = 5
+ pm.max_spare_servers = 75
+ pm.max_requests = 500
+ pm.process_idle_timeout = "480s"
+ pm.status_path = "/status"
+{{- end }}
\ No newline at end of file
diff --git a/charts/matomo/templates/configmap-matomo-scheduledtasks-php.yaml b/charts/matomo/templates/configmap-matomo-scheduledtasks-php.yaml
new file mode 100644
index 00000000..9c7437a8
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo-scheduledtasks-php.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-scheduledtasks-php
+ namespace: {{.Values.namespace}}
+{{- if .Values.matomo.cronJobs.scheduledTasks.php }}
+data:
+ zz-global.ini: |
+ expose_php={{ .Values.matomo.cronJobs.scheduledTasks.php.expose_php | default "Off" }}
+ opcache.memory_consumption={{ .Values.matomo.cronJobs.scheduledTasks.php.opcache_memory_consumption | default "512" }}
+ opcache.jit_buffer_size={{ .Values.matomo.cronJobs.scheduledTasks.php.opcache_jit_buffer_size | default "256M" }}
+ opcache.jit={{ .Values.matomo.cronJobs.scheduledTasks.php.opcache_jit | default "1235" }}
+ max_execution_time={{ .Values.matomo.cronJobs.scheduledTasks.php.max_execution_time | default "0" }}
+ post_max_size={{ .Values.matomo.cronJobs.scheduledTasks.php.post_max_size | default "1500M" }}
+ upload_max_filesize={{ .Values.matomo.cronJobs.scheduledTasks.php.upload_max_filesize | default "32M" }}
+ max_input_time={{ .Values.matomo.cronJobs.scheduledTasks.php.max_input_time | default "3600" }}
+ max_file_uploads={{ .Values.matomo.cronJobs.scheduledTasks.php.opcache_max_file_upload| default "300" }}
+ memory_limit={{ .Values.matomo.cronJobs.scheduledTasks.php.memory_limit | default "4G" }}
+ display_errors={{ .Values.matomo.cronJobs.scheduledTasks.php.display_errors | default "Off" }}
+ error_reporting={{ .Values.matomo.cronJobs.scheduledTasks.php.error_reporting | default "22527" }}
+ mysqli.reconnect={{ .Values.matomo.cronJobs.scheduledTasks.php.mysqli_reconnect | default "On" }}
+ mysqli.allow_local_infile={{ .Values.matomo.cronJobs.scheduledTasks.php.mysqli_allow_local_infile | default "On" }}
+ default_socket_timeout={{ .Values.matomo.cronJobs.scheduledTasks.php.default_socket_timeout | default "20" }}
+ max_input_vars={{ .Values.matomo.cronJobs.scheduledTasks.php.max_input_vars | default "2000" }}
+{{ else }}
+data:
+ zz-global.ini: |
+ expose_php=Off
+ opcache.memory_consumption=512
+ opcache.jit_buffer_size=256M
+ opcache.jit=1235
+ max_execution_time=0
+ post_max_size=1500M
+ upload_max_filesize=32M
+ max_input_time=1800
+ max_file_uploads="300"
+ memory_limit=4G
+ display_errors=Off
+ error_reporting="22527"
+ mysqli.reconnect=On
+ mysqli.allow_local_infile=On
+ default_socket_timeout=20
+ max_input_vars=2000
+{{- end }}
diff --git a/charts/matomo/templates/configmap-matomo.yaml b/charts/matomo/templates/configmap-matomo.yaml
new file mode 100644
index 00000000..906d7438
--- /dev/null
+++ b/charts/matomo/templates/configmap-matomo.yaml
@@ -0,0 +1,130 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-configuration
+ namespace: {{.Values.namespace}}
+{{- if .Values.matomo.config }}
+data:
+ install.json: |-
+ {{ .Values.matomo.config | toJson }}
+{{ else }}
+data:
+ install.json: |
+ {
+ "PluginsInstalled": [
+ "Diagnostics",
+ "DBStats",
+ "Login",
+ "CoreAdminHome",
+ "UsersManager",
+ "SitesManager",
+ "Installation",
+ "Monolog",
+ "Intl",
+ "CorePluginsAdmin",
+ "CoreHome",
+ "WebsiteMeasurable",
+ "CoreVisualizations",
+ "Proxy",
+ "API",
+ "Transitions",
+ "Actions",
+ "Referrers",
+ "UserLanguage",
+ "DevicesDetection",
+ "Goals",
+ "SEO",
+ "Events",
+ "UserCountry",
+ "GeoIp2",
+ "VisitsSummary",
+ "VisitFrequency",
+ "VisitTime",
+ "VisitorInterest",
+ "CoreUpdater",
+ "CoreConsole",
+ "UserCountryMap",
+ "Live",
+ "ImageGraph",
+ "Annotations",
+ "Insights",
+ "Morpheus",
+ "Contents",
+ "DevicePlugins",
+ "UserId",
+ "CustomJsTracker",
+ "ExtraTools",
+ "LanguagesManager",
+ "SegmentEditor",
+ "Dashboard",
+ "ScheduledReports",
+ "PrivacyManager",
+ "CustomVariables",
+ "IntranetMeasurable",
+ "Widgetize",
+ "MultiSites",
+ "Ecommerce",
+ "RssWidget",
+ "Feedback",
+ "TwoFactorAuth",
+ "MobileMessaging",
+ "Overlay",
+ "BulkTracking",
+ "Resolution",
+ "Heartbeat",
+ "Marketplace",
+ "ProfessionalServices",
+ "UserConsole"
+ ],
+ "Site": {
+ "name": "Localhost",
+ "url": "https://localhost"
+ },
+ "Config": {
+ "log": {
+ "log_level": "ERROR"
+ },
+ "General": {
+ "show_update_notification_to_superusers_only": 1,
+ "noreply_email_address": "noreply@digitalistgroup.com",
+ "enable_framed_pages": 1,
+ "enable_framed_settings": 1,
+ "enable_trusted_host_check": 0,
+ "enable_plugin_update_communication": 0,
+ "enable_auto_update": 0,
+ "enable_installer": 0,
+ "enable_internet_features": 0,
+ "enable_plugins_admin": 0,
+ "enable_plugin_upload": 0,
+ "enable_geolocation_admin": 1,
+ "proxy_client_headers[]": "HTTP_X_FORWARDED_FOR",
+ "browser_archiving_disabled_enforce": 1,
+ "enable_browser_archiving_triggering": 0,
+ "archiving_range_force_on_browser_request": 0,
+ "enable_sql_optimize_queries": 0,
+ "enabled_periods_UI": "day,week,month,year,range",
+ "enabled_periods_API": "day,week,month,year,range",
+ "session_save_handler": "dbtable",
+ "enable_marketplace": 0,
+ "enable_general_settings_admin": 0,
+ "piwik_pro_ads_enabled": 0,
+ "assume_secure_protocol": 1,
+ "cors_domains[]": "*",
+ "datatable_archiving_maximum_rows_referrers": 2000,
+ "datatable_archiving_maximum_rows_subtable_referrers": 2000,
+ "datatable_archiving_maximum_rows_actions": 2000,
+ "datatable_archiving_maximum_rows_subtable_actions": 2000,
+ "datatable_archiving_maximum_rows_events": 2000,
+ "datatable_archiving_maximum_rows_subtable_events": 2000,
+ "datatable_archiving_maximum_rows_custom_variables": 2000,
+ "datatable_archiving_maximum_rows_subtable_custom_variables": 2000,
+ "time_before_today_archive_considered_outdated": 2700,
+ "time_before_week_archive_considered_outdated": 10800,
+ "time_before_month_archive_considered_outdated": 32400,
+ "time_before_year_archive_considered_outdated": 64800,
+ "time_before_range_archive_considered_outdated": 10800
+ }
+ }
+ }
+
+{{ end }}
\ No newline at end of file
diff --git a/charts/matomo/templates/configmap-nginx-matomo-dashboard.yaml b/charts/matomo/templates/configmap-nginx-matomo-dashboard.yaml
new file mode 100644
index 00000000..ffd9a69c
--- /dev/null
+++ b/charts/matomo/templates/configmap-nginx-matomo-dashboard.yaml
@@ -0,0 +1,308 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-matomo-dashboard
+ namespace: {{.Values.namespace}}
+data:
+ nginx.conf: |
+ worker_processes {{ .Values.matomo.dashboard.nginx.nginxWorkerProcesses | default 5 }};
+ load_module modules/ngx_http_geoip2_module.so;
+ events {
+ worker_connections 768;
+ }
+ pid /tmp/nginx.pid;
+ http {
+ geoip2 /usr/share/geoip/GeoLite2-Country.mmdb {
+ $geoip2_data_country_code default=SE source=$http_x_forwarded_for country iso_code;
+ }
+ client_max_body_size 200M;
+ server_tokens off;
+ client_body_timeout 600s;
+ client_header_timeout 600s;
+ client_body_temp_path /tmp/client_temp;
+ proxy_temp_path /tmp/proxy_temp_path;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ log_format main_geo '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '$geoip2_data_country_code';
+ access_log /var/log/nginx/access.log main_geo;
+ sendfile on;
+ keepalive_timeout 0;
+
+ server {
+ listen [::]:8080 default_server;
+ listen 8080 default_server;
+ server_name _;
+ root /var/www/html;
+ index index.php;
+ error_page 404 /404.html;
+ location = 404.html {
+ root /usr/share/nginx/html;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_connect_timeout 600s;
+ ## Redirects all requests to index.php and Matomo.
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~* /(js)/.*.(js|php)$ {
+ expires 30s;
+ add_header Cache-Control "public, no-transform";
+ allow all;
+ }
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ ## Allow access to index.php to make dashboard work.
+ location ~ ^/(index).php {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_connect_timeout 600s;
+ fastcgi_read_timeout 600s;
+ fastcgi_send_timeout 600s;
+ proxy_set_header Connection "";
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ fastcgi_param PHP_VALUE "max_execution_time=3600
+ post_max_size=1500M
+ upload_max_filesize=32M
+ max_input_time=3600
+ max_file_uploads=300";
+ include fastcgi_params;
+ }
+
+ ## Allow access to heatmapsessionsrecording plugin is needed to make it work.
+ location = /plugins/HeatmapSessionRecording/configs.php {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+ fastcgi_read_timeout 120s;
+ fastcgi_send_timeout 120s;
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ ## Allow access to static media files.
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+ # location ~ ^/(status)$ {
+ # access_log off;
+
+ # # allow 127.0.0.1;
+ # # allow 1.2.3.4;
+ # # deny all;
+
+ # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # fastcgi_index index.php;
+ # include fastcgi_params;
+ # ## Now the port or socket of the php-fpm pool we want the status of
+ # fastcgi_pass 127.0.0.1:9000;
+ # # fastcgi_pass unix:/run/php-fpm/your_socket.sock;
+ # }
+ ## Deny access to all other .php files.
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ ## Deny access to key matomo folders and files that dashboard should not serve.
+ location ~ /(config|tmp|core|lang|libs|vendor|plugins|misc/user|piwik.js|piwik.php|matomo.js|matomo.php) {
+ deny all;
+ return 403;
+ }
+
+ ## Deny access to all files starting with ".ht"
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ ## Deny access to Markdown files
+ location ~* ^.+\.md$ {
+ deny all;
+ return 403;
+ }
+ ## Deny access to compose.json and package.json
+ location ~ ^/[^.]*\.json$ {
+ deny all;
+ return 403;
+ }
+ ## Deny access to compose.lock and other lock files in root
+ location ~ ^/[^.]*\.lock$ {
+ deny all;
+ return 403;
+ }
+ }
+ }
+ fastcgi_params: |
+ fastcgi_param COUNTRY_CODE $geoip2_data_country_code;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param DOCUMENT_URI $document_uri;
+ fastcgi_param DOCUMENT_ROOT $document_root;
+ fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param SERVER_NAME $server_name;
+
+ fastcgi_param HTTPS $https;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
+ mime.types: |
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation
+ pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ docx;
+ application/vnd.wap.wmlc wmlc;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+ }
diff --git a/charts/matomo/templates/configmap-nginx-matomo-tracker.yaml b/charts/matomo/templates/configmap-nginx-matomo-tracker.yaml
new file mode 100644
index 00000000..de08053d
--- /dev/null
+++ b/charts/matomo/templates/configmap-nginx-matomo-tracker.yaml
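Review bot: The `deny all` locations for `/(config|tmp|core|lang|libs|vendor|plugins|misc/user|...)`, `.md`, `.json` and `.lock` files sit after the static-file location `~ \.(gif|ico|...|json)$` inside `server {}`; nginx uses the first regex location that matches in file order, so a `.json`, `.html` or other listed extension under `/config/` or `/tmp/` is served rather than refused, and the `^/[^.]*\.json$` rule never wins against the static rule for root-level JSON either. The tracker config in this same commit places its `config|tmp|core|lang` deny before its static-file location, which is the order to copy here: move the four deny blocks directly above `## Allow access to static media files.` (a reorder, no new lines). `location ~ ^/(index).php` leaves the dot unescaped, so `^/(index)\.php` is what was meant, even though `try_files $uri =404` limits the damage. The `proxy_*` directives inside that location have no effect in a `fastcgi_pass` location and can be dropped. `geoip2 ... source=$http_x_forwarded_for` derives `COUNTRY_CODE` (passed to PHP in `fastcgi_params`) from a client-settable header; whether the ingress in front of port 8080 overwrites it is not visible here and deserves a comment.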
@@ -0,0 +1,289 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-matomo-tracker + namespace: {{.Values.namespace}} +data: + nginx.conf: | + worker_processes {{ .Values.matomo.tracker.nginx.nginxWorkerProcesses | default 5 }}; + load_module modules/ngx_http_geoip2_module.so; + events { + worker_connections 768; + } + pid /tmp/nginx.pid; + http { + geoip2 /usr/share/geoip/GeoLite2-Country.mmdb { + $geoip2_data_country_code default=SE source=$http_x_forwarded_for country iso_code; + } + client_max_body_size 200M; + server_tokens off; + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + include /etc/nginx/mime.types; + default_type application/octet-stream; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main_geo '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + '$geoip2_data_country_code'; + access_log /var/log/nginx/access.log main_geo; + sendfile on; + keepalive_timeout 0; + + map $args $method { + default 0; + "~UserFeedback.saveFeedback" 1; + "~UserFeedback.getForm" 1; + } + server { + listen [::]:8080 default_server; + listen 8080 default_server; + server_name _; + root /var/www/html; + index matomo.php; + add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + location ~ ^/(node_modules/jquery/dist/jquery)\.js$ { + proxy_ignore_headers Cache-Control; + allow all; + } + location ~ ^/(node_modules/jquery/dist/jquery)\.js$ { + proxy_ignore_headers Cache-Control; + allow all; + } + + location ~* \.(js|css)$ { + 
proxy_ignore_headers Cache-Control; + add_header Access-Control-Allow-Origin *; + allow all; + } + + location = /favicon.ico { + log_not_found off; + access_log off; + } + ## only allow accessing the following php files + location ~ ^/(matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ { + include fastcgi_params; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. + fastcgi_pass 127.0.0.1:9000; + fastcgi_read_timeout 240s; + fastcgi_param HTTP_PROXY ""; + fastcgi_index matomo.php; + } + location ~ ^/(status)$ { + access_log off; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_pass 127.0.0.1:9000; + } + + ## serve all other files normally + location / { + try_files $uri $uri/ =404; + } + ## disable all access to the following directories + location ~ ^/(config|tmp|core|lang) { + deny all; + return 403; # replace with 404 to not show these directories exist + } + location ~ /\.ht { + deny all; + return 403; + } + location ~ js/container_.*_preview\.js$ { + expires off; + add_header Cache-Control 'private, no-cache, no-store'; + } + location ~ \.(gif|ico|jpg|png|svg|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { + allow all; + ## Cache images,CSS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; + } + location ~ \.(js)$ { + allow all; + ## Cache JS for 5 minutes + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 5m; + add_header Pragma public; + add_header Cache-Control "public"; + } + location ~ ^/(libs|vendor|plugins|misc|node_modules) { + deny all; + return 403; + } + ## properly display 
textfiles in root directory + location ~/(.*\.md|LEGALNOTICE|LICENSE) { + default_type text/plain; + } + + location ~* ^.+\.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_connect_timeout 75s; + fastcgi_read_timeout 600s; + fastcgi_send_timeout 600s; + proxy_set_header Connection ""; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + fastcgi_param HTTP_PROXY ""; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + if ( $method = 0 ) { + return 403; + } + } + } + } + fastcgi_params: | + fastcgi_param COUNTRY_CODE $geoip2_data_country_code; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT $document_root; + fastcgi_param SERVER_PROTOCOL $server_protocol; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; + + fastcgi_param HTTPS $https; + + # PHP only, required if PHP was built with 
--enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + mime.types: | + types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der 
pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; + } diff --git a/charts/matomo/templates/configmap-pre-upgrade-extras.yaml b/charts/matomo/templates/configmap-pre-upgrade-extras.yaml new file mode 100644 index 00000000..fd95932d --- /dev/null +++ b/charts/matomo/templates/configmap-pre-upgrade-extras.yaml @@ -0,0 +1,24 @@ +{{ if .Values.extraConfigMaps.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: matomo-pre-upgrade-additional-config-maps + namespace: {{.Values.namespace}} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + partOf: matomo + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-6" + "helm.sh/hook-delete-policy": hook-succeeded +data: +{{- if and .Values.extraConfigMaps.create .Values.extraConfigMaps.data }} +{{- range $index, $content := .Values.extraConfigMaps.data }} + {{ $index }}: |- +{{ $content | indent 4 }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/matomo/templates/configmap-supervisor-queuedtrackingmonitor.yaml b/charts/matomo/templates/configmap-supervisor-queuedtrackingmonitor.yaml new file mode 100644 index 00000000..d00040fc --- /dev/null 
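Review bot: The per-location `add_header` directives in the `\.(js|css)$`, `container_.*_preview\.js$`, static-asset and `\.(js)$` locations drop the server-level `Referrer-Policy`, `X-Content-Type-Options` and `X-XSS-Protection` headers, because an `add_header` at location level replaces the inherited set instead of extending it; repeat the three server-level headers in each of those locations, or move them into a shared include pulled in wherever `add_header` is used. The `geoip2` block reads `source=$http_x_forwarded_for`, a client-supplied header, and the result reaches PHP as `COUNTRY_CODE` through `fastcgi_params`; that is only trustworthy if the ingress in front of this pod overwrites `X-Forwarded-For`, which the chart cannot verify, so a comment on the `geoip2` block stating that assumption would help. The second `location ~ ^/(node_modules/jquery/dist/jquery)\.js$` block is a verbatim duplicate of the one above it and is never reached; delete it. The `proxy_*` directives inside `location ~* ^.+\.php$` have no effect in a location that ends in `fastcgi_pass` and can go as well.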
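Review bot: The inner `{{- if and .Values.extraConfigMaps.create .Values.extraConfigMaps.data }}` re-tests `.create`, which the enclosing `{{ if .Values.extraConfigMaps.create -}}` already guarantees; `{{- if .Values.extraConfigMaps.data }}` says the same thing. When `data` is unset the template still emits a bare `data:` key, which renders as null; either move `data:` inside that guard or accept the empty ConfigMap deliberately with a comment. The label `partOf: matomo` is a bare key while the `matomo.labels` helper and the other resources use the `app.kubernetes.io/part-of` form; label selectors written against one will miss the other. The same structure is repeated in configmaps-extras.yaml.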
+++ b/charts/matomo/templates/configmap-supervisor-queuedtrackingmonitor.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-supervisor-queuedtrackingmonitor
+ namespace: {{.Values.namespace}}
+data:
+ queuedtracking-monitor.ini: |
+ [unix_http_server]
+ file = /home/www-data/supervisord.sock
+
+ [program:queuedtracking-monitor]
+ startretries=100
+ process_name=%(program_name)s_%(process_num)02d
+ command=sh -c 'while ( php /var/www/html/console queuedtracking:monitor --iterations=1 );do sleep 2; done'
+ autostart=true
+ autorestart=true
+ user=www-data
+ numprocs=1
+ redirect_stderr=true
+ stdout_events_enabled=true
+ stderr_events_enabled=true
+ stdout_logfile_maxbytes=0
+ stderr_logfile_maxbytes=0
+ stdout_logfile=/dev/stdout
+ stderr_logfile=/dev/stderr
diff --git a/charts/matomo/templates/configmap-supervisor-queuedtrackingprocess.yaml b/charts/matomo/templates/configmap-supervisor-queuedtrackingprocess.yaml
new file mode 100644
index 00000000..6d1b0491
--- /dev/null
+++ b/charts/matomo/templates/configmap-supervisor-queuedtrackingprocess.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-supervisor-queuedtrackingprocess
+ namespace: {{.Values.namespace}}
+data:
+ queuedtracking-process.ini: |
+ [unix_http_server]
+ file = /home/www-data/supervisord.sock
+
+ [program:queuedtracking-process]
+ startretries=100
+ process_name=%(program_name)s_%(process_num)02d
+ command=sh -c 'while ( php /var/www/html/console queuedtracking:process );do sleep 5; done'
+ autostart=true
+ autorestart=true
+ user=www-data
+ numprocs={{ .Values.matomo.queuedTrackingProcess.numProcs | default 1 }}
+ redirect_stderr=true
+ stdout_events_enabled=true
+ stderr_events_enabled=true
+ stdout_logfile_maxbytes=0
+ stderr_logfile_maxbytes=0
+ stdout_logfile=/dev/stdout
+ stderr_logfile=/dev/stderr
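Review bot: With `redirect_stderr=true` set in `[program:queuedtracking-monitor]`, supervisord merges stderr into stdout before logging, so the `stderr_events_enabled`, `stderr_logfile_maxbytes` and `stderr_logfile=/dev/stderr` lines are ignored; either drop those three lines or drop `redirect_stderr` so the stderr settings take effect. The `sh -c 'while ( php ... );do sleep 2; done'` loop only keeps running while the console command exits 0, so the first non-zero exit ends the loop and recovery relies on `autorestart=true` with `startretries=100`; a comment above `command=` saying that this is the intended restart path would save the next reader from guessing. Both points apply equally to `[program:queuedtracking-process]` in configmap-supervisor-queuedtrackingprocess.yaml.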
diff --git a/charts/matomo/templates/configmap-supervisor-tracker.yaml b/charts/matomo/templates/configmap-supervisor-tracker.yaml
new file mode 100644
index 00000000..04dbf1a1
--- /dev/null
+++ b/charts/matomo/templates/configmap-supervisor-tracker.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-supervisor-tracker
+ namespace: {{.Values.namespace}}
+data:
+ regenerate-matomo-js.ini: |
+ [unix_http_server]
+ file = /home/www-data/supervisord.sock
+ [program:php-fpm]
+ priority=1
+ process_name=%(program_name)s_%(process_num)02d
+ command=php-fpm
+ autostart=true
+ autorestart=true
+ user=www-data
+ redirect_stderr=true
+ stdout_events_enabled=true
+ stderr_events_enabled=true
+ startretries=100
+ [program:regenerate-matomo-js]
+ priority=2
+ process_name=%(program_name)s_%(process_num)02d
+ command=sh -c 'while ( php /var/www/html/console custom-matomo-js:update && php /var/www/html/console tagmanager:regenerate-released-containers );do sleep 120; done'
+ autostart=true
+ autorestart=true
+ user=www-data
+ redirect_stderr=true
+ stdout_events_enabled=true
+ stderr_events_enabled=true
diff --git a/charts/matomo/templates/configmaps-extras.yaml b/charts/matomo/templates/configmaps-extras.yaml
new file mode 100644
index 00000000..74e53ad6
--- /dev/null
+++ b/charts/matomo/templates/configmaps-extras.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.extraConfigMaps.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: matomo-additional-config-maps
+ namespace: {{.Values.namespace}}
+data:
+{{- if and .Values.extraConfigMaps.create .Values.extraConfigMaps.data }}
+{{- range $index, $content := .Values.extraConfigMaps.data }}
+ {{ $index }}: |-
+{{ $content | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/matomo/templates/cronjob-matomo-corearchive.yaml b/charts/matomo/templates/cronjob-matomo-corearchive.yaml
new file mode 100644
index 00000000..485a370a
--- /dev/null
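Review bot: Neither `[program:php-fpm]` nor `[program:regenerate-matomo-js]` sets `stdout_logfile=/dev/stdout` and `stdout_logfile_maxbytes=0` the way configmap-supervisor-queuedtrackingmonitor.yaml and configmap-supervisor-queuedtrackingprocess.yaml do, so supervisord writes their output to its default per-process log files inside the container rather than to the container's stdout, which is where cluster log collection and anyone investigating the tracker would look. Add `stdout_logfile=/dev/stdout` and `stdout_logfile_maxbytes=0` to both programs, so that php-fpm's own log output is not lost when the pod is replaced. The regenerate loop runs `custom-matomo-js:update` and `tagmanager:regenerate-released-containers` every 120 s in every pod that mounts this file; if running it per replica is intended, a comment above that `command=` line should say so.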
+++ b/charts/matomo/templates/cronjob-matomo-corearchive.yaml
@@ -0,0 +1,61 @@
+---
+{{- if .Values.matomo.cronJobs.coreArchive.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: matomo-jobs-corearchive
+ namespace: {{.Values.namespace}}
+spec:
+ schedule: {{quote .Values.matomo.cronJobs.coreArchive.schedule}}
+ concurrencyPolicy: {{.Values.matomo.cronJobs.coreArchive.concurrencyPolicy}}
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ activeDeadlineSeconds: {{.Values.matomo.cronJobs.coreArchive.activeDeadlineSeconds}}
+ template:
+ spec:
+{{ include "matomo.init" . | nindent 10 }}
+ containers:
+ - name: matomo-jobs-corearchive
+ image: {{.Values.matomo.image}}
+ imagePullPolicy: Always
+ {{- if .Values.matomo.cronJobs.coreArchive.resources }}
+ resources:
+{{ toYaml .Values.matomo.cronJobs.coreArchive.resources | indent 14 }}
+ {{- end }}
+ securityContext:
+ runAsUser: {{.Values.matomo.runAsUser}}
+ privileged: false
+ allowPrivilegeEscalation: false
+ command: [ 'sh' , '-c' , '{{.Values.matomo.cronJobs.coreArchive.command}}' ]
+ env:
+ - name: MARIADB_MATOMO_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.db.password.secretKeyRef.name }}
+ key: {{ .Values.db.password.secretKeyRef.key }}
+ volumeMounts:
+ - name: static-data
+ mountPath: /var/www/html
+ - name: matomo-phpfpm
+ mountPath: /usr/local/etc/php-fpm.d/zz-global.conf
+ subPath: zz-global.conf
+ - name: matomo-cronjob-php
+ mountPath: /usr/local/etc/php/conf.d/zz-global.ini
+ subPath: zz-global.ini
+ restartPolicy: OnFailure
+{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 10 }}
+ volumes:
+ - name: matomo-configuration
+ configMap:
+ name: matomo-configuration
+ - name: static-data
+ emptyDir: {}
+ - name: matomo-phpfpm
+ configMap:
+ name: matomo-phpfpm
+ - name: matomo-cronjob-php
+ configMap:
+ name: matomo-cronjob-php
+{{- end -}}
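Review bot: `command: [ 'sh' , '-c' , '{{.Values.matomo.cronJobs.coreArchive.command}}' ]` splices the value inside hand-written single quotes, so any command containing `'` yields an unparsable manifest, whereas cronjob-matomo-scheduled-tasks.yaml already renders the same field with `{{quote ...}}`; change it to `command: [ 'sh' , '-c' , {{ quote .Values.matomo.cronJobs.coreArchive.command }} ]`. The `matomo-configuration` volume is declared but nothing in this hunk mounts it; unless the `matomo.init` include (defined outside this view) does, it is dead and can be dropped. The secret is exposed here as `MARIADB_MATOMO_PASSWORD` while the deployments expose the same key as `MATOMO_DB_PASSWORD`; if both names are really read by different commands, a comment on the `env` entry naming the consumer would stop the next maintainer from "fixing" one of them.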
diff --git a/charts/matomo/templates/cronjob-matomo-scheduled-tasks.yaml b/charts/matomo/templates/cronjob-matomo-scheduled-tasks.yaml
new file mode 100644
index 00000000..18a31afb
--- /dev/null
+++ b/charts/matomo/templates/cronjob-matomo-scheduled-tasks.yaml
@@ -0,0 +1,57 @@
+---
+{{- if .Values.matomo.cronJobs.scheduledTasks.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: matomo-jobs-scheduled-tasks
+ namespace: {{.Values.namespace}}
+ {{- template "matomo.labels" .Values.matomo.cronJobs.scheduledTasks.labels }}
+spec:
+ schedule: {{quote .Values.matomo.cronJobs.scheduledTasks.schedule}}
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ activeDeadlineSeconds: {{.Values.matomo.cronJobs.scheduledTasks.activeDeadlineSeconds}}
+ template:
+ spec:
+{{ include "matomo.init" . | nindent 10 }}
+ containers:
+ - name: matomo-jobs-scheduledtasks
+ image: {{.Values.matomo.image}}
+ imagePullPolicy: Always
+ securityContext:
+ runAsUser: {{.Values.matomo.runAsUser}}
+ privileged: false
+ allowPrivilegeEscalation: false
+ command: [ 'sh' , '-c' , {{quote .Values.matomo.cronJobs.scheduledTasks.command}} ]
+ env:
+ - name: MARIADB_MATOMO_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.db.password.secretKeyRef.name }}
+ key: {{ .Values.db.password.secretKeyRef.key }}
+{{ include "matomo.license" . | nindent 12 }}
+ {{- if .Values.matomo.cronJobs.scheduledTasks.resources }}
+ resources:
+{{ toYaml .Values.matomo.cronJobs.scheduledTasks.resources | indent 14 }}
+ {{- end }}
+ volumeMounts:
+ - name: static-data
+ mountPath: /var/www/html
+ - name: matomo-scheduledtasks-php
+ mountPath: /usr/local/etc/php/conf.d/zz-global.ini
+ subPath: zz-global.ini
+ restartPolicy: OnFailure
+{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 10 }}
+ volumes:
+ - name: matomo-configuration
+ configMap:
+ name: matomo-configuration
+ - name: static-data
+ emptyDir: {}
+ - name: matomo-scheduledtasks-php
+ configMap:
+ name: matomo-scheduledtasks-php
+{{- end -}}
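Review bot: `{{- template "matomo.labels" .Values.matomo.cronJobs.scheduledTasks.labels }}` hands a values sub-map to a helper that dereferences `.name`, `.instance`, `.component`, `.partOf` and `.managedBy` with no `default` or `required` guard, so an unset `labels` map most likely fails the render with a nil-pointer error rather than producing a CronJob without labels; wrap the call in `{{- if .Values.matomo.cronJobs.scheduledTasks.labels }}` / `{{- end }}` or `required`-guard the fields in the helper. `concurrencyPolicy: Forbid` is hard-coded here while cronjob-matomo-corearchive.yaml reads it from values, and the container name `matomo-jobs-scheduledtasks` does not match the resource name `matomo-jobs-scheduled-tasks`; aligning both keeps the two CronJobs consistent for anyone filtering logs or events by name.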
diff --git a/charts/matomo/templates/deployment-matomo-cli.yaml b/charts/matomo/templates/deployment-matomo-cli.yaml
new file mode 100644
index 00000000..6fd8b134
--- /dev/null
+++ b/charts/matomo/templates/deployment-matomo-cli.yaml
@@ -0,0 +1,79 @@ +--- +{{- if .Values.matomo.cli.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matomo-cli + namespace: {{.Values.namespace}} + labels: + app: matomo-cli +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 4 }} +{{- end }} +spec: + replicas: {{.Values.matomo.cli.replicas}} + selector: + matchLabels: + app: matomo-cli + template: + metadata: + labels: + app: matomo-cli +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }} + spec: +{{ include "matomo.init" . | nindent 6 }} + containers: + - name: matomo + image: {{.Values.matomo.image}} + {{- if .Values.matomo.cli.resources }} + resources: +{{ toYaml .Values.matomo.cli.resources | indent 10 }} + {{- end }} + securityContext: + runAsUser: {{.Values.matomo.runAsUser}} + privileged: false + allowPrivilegeEscalation: false + imagePullPolicy: Always + env: + - name: MATOMO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.db.password.secretKeyRef.name }} + key: {{ .Values.db.password.secretKeyRef.key }} +{{ include "matomo.license" . | nindent 8 }} + command: [ 'sh' , '-c' , 'supervisord -n' ] + volumeMounts: + - name: static-data + mountPath: /var/www/html + - name: matomo-supervisor-tracker + mountPath: /etc/supervisor.d + readOnly: true +{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }} + volumes: + - name: matomo-configuration + configMap: + name: matomo-configuration + - name: static-data + emptyDir: {} + - name: matomo-supervisor-tracker + configMap: + name: matomo-supervisor-tracker +--- +apiVersion: v1 +kind: Service +metadata: + name: matomo-cli + namespace: {{.Values.namespace}} + labels: + app: matomo-cli +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: matomo-cli +{{- end -}} 
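Review bot: The `matomo-cli` Service selects `app: matomo-cli` on port 8080, but the Deployment's only container declares no `ports`, has no nginx sidecar, and runs `supervisord -n` with the `matomo-supervisor-tracker` config, whose programs are php-fpm (port 9000 in the other deployments) and the regenerate loop; nothing in this pod listens on 8080, so the Service has no working endpoint. Either remove the Service or point it at a port the pod actually serves. Reusing the tracker's supervisor config also means every cli replica runs `tagmanager:regenerate-released-containers` every 120 s in parallel with the tracker pods; if that is intended, a comment above the `matomo-supervisor-tracker` mount should say so, otherwise give the cli pod its own supervisor config with php-fpm only.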
diff --git a/charts/matomo/templates/deployment-matomo-dashboard.yaml b/charts/matomo/templates/deployment-matomo-dashboard.yaml
new file mode 100644
index 00000000..aa081412
--- /dev/null
+++ b/charts/matomo/templates/deployment-matomo-dashboard.yaml
@@ -0,0 +1,204 @@ +--- +{{- if .Values.matomo.dashboard.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matomo-dashboard + namespace: {{.Values.namespace}} + labels: + app: matomo-dashboard +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 4 }} +{{- end }} +spec: + replicas: {{.Values.matomo.dashboard.replicas}} + selector: + matchLabels: + app: matomo-dashboard + template: + metadata: + labels: + app: matomo-dashboard +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }} + spec: +{{ include "matomo.init" . | nindent 6 }} + containers: + {{- if .Values.matomo.dashboard.sidecars }} +{{ toYaml .Values.matomo.dashboard.sidecars | indent 6 }} + {{- end }} + - name: fpm-metrics + securityContext: + runAsUser: {{.Values.matomo.runAsUser}} + privileged: false + allowPrivilegeEscalation: false + image: hipages/php-fpm_exporter:2.2.0 + imagePullPolicy: Always + env: + - name: PHP_FPM_FIX_PROCESS_COUNT + value: "true" + resources: + limits: + memory: 128Mi + requests: + cpu: 15m + memory: 32Mi + - name: nginx + image: {{.Values.nginx.image}} + {{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} + {{- end }} + # readinessProbe: + # httpGet: + # scheme: HTTP + # path: /index.php + # port: 8080 + livenessProbe: + exec: + command: + - /bin/sh + - -c + - "[ -f /tmp/nginx.pid ] && ps -A | grep nginx" + initialDelaySeconds: 10 + periodSeconds: 5 + securityContext: + runAsUser: {{.Values.nginx.runAsUser}} + privileged: false + allowPrivilegeEscalation: false + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + readOnly: true + - name: fastcgi-params + mountPath: /etc/nginx/fastcgi_params + subPath: fastcgi_params + readOnly: true + - name: mime-types + mountPath: 
/etc/nginx/mime.types + subPath: mime.types + readOnly: true + - name: static-data + mountPath: /var/www/html + readOnly: true + ports: + - containerPort: 8080 + - name: matomo + image: {{.Values.matomo.image}} + {{- if .Values.matomo.resources }} + resources: +{{ toYaml .Values.matomo.resources | indent 10 }} + {{- end }} + securityContext: + runAsUser: {{.Values.matomo.runAsUser}} + privileged: false + allowPrivilegeEscalation: false + imagePullPolicy: Always + env: + - name: MATOMO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.db.password.secretKeyRef.name }} + key: {{ .Values.db.password.secretKeyRef.key }} +{{ include "matomo.license" . | nindent 8 }} + ports: + - containerPort: 9000 + volumeMounts: + - name: static-data + mountPath: /var/www/html + - name: matomo-phpfpm + mountPath: /usr/local/etc/php-fpm.d/zz-global.conf + subPath: zz-global.conf + - name: matomo-dashboard-php + mountPath: /usr/local/etc/php/conf.d/zz-global.ini + subPath: zz-global.ini + {{- if .Values.xdebug.disabled }} + - name: matomo-disable-xdebug + mountPath: /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini + subPath: docker-php-ext-xdebug.ini + {{- end }} +{{- if .Values.extraVolumeMounts }} +{{ toYaml .Values.extraVolumeMounts | indent 10 }} +{{- end }} + {{- if .Values.matomo.livenessProbe }} + livenessProbe: + {{- if .Values.matomo.livenessProbe.exec }} + exec: + command: + - sh + - -c + - {{ .Values.matomo.livenessProbe.exec.command }} + initialDelaySeconds: {{ .Values.matomo.livenessProbe.initialDelaySeconds | default 10 }} + periodSeconds: {{ .Values.matomo.livenessProbe.periodSeconds | default 20 }} + timeoutSeconds: {{ .Values.matomo.livenessProbe.timeoutSeconds | default 10 }} + {{- end }} + {{- end }} + {{- if .Values.matomo.readinessProbe }} + readinessProbe: + httpGet: + path: {{ .Values.matomo.readinessProbe.httpGet.path }} + port: {{ .Values.matomo.readinessProbe.httpGet.port | default 80 }} + initialDelaySeconds: {{ 
.Values.matomo.livenessProbe.initialDelaySeconds | default 30 }} + periodSeconds: {{ .Values.matomo.livenessProbe.periodSeconds | default 30 }} + {{- end }} +{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }} + volumes: + - name: nginx-conf + configMap: + name: nginx-matomo-dashboard + items: + - key: nginx.conf + path: nginx.conf + - name: fastcgi-params + configMap: + name: nginx-matomo-dashboard + items: + - key: fastcgi_params + path: fastcgi_params + - name: mime-types + configMap: + name: nginx-matomo-dashboard + items: + - key: mime.types + path: mime.types + - name: matomo-configuration + configMap: + name: matomo-configuration + - name: matomo-phpfpm + configMap: + name: matomo-phpfpm + - name: matomo-dashboard-php + configMap: + name: matomo-dashboard-php + {{- if .Values.xdebug.disabled }} + - name: matomo-disable-xdebug + configMap: + name: matomo-disable-xdebug + {{- end }} + - name: static-data + emptyDir: {} +{{- if .Values.extraVolumes }} +{{ toYaml .Values.extraVolumes | indent 6 }} +{{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: matomo-dashboard + namespace: {{.Values.namespace}} + labels: + app: matomo-dashboard +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 4 }} +{{- end }} +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: matomo-dashboard +{{- end -}} diff --git a/charts/matomo/templates/deployment-matomo-queuedtrackingmonitor.yaml b/charts/matomo/templates/deployment-matomo-queuedtrackingmonitor.yaml new file mode 100644 index 00000000..bb8dac72 --- /dev/null +++ b/charts/matomo/templates/deployment-matomo-queuedtrackingmonitor.yaml 
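Review bot: The `readinessProbe` block reads `.Values.matomo.livenessProbe.initialDelaySeconds` and `.Values.matomo.livenessProbe.periodSeconds`, so readiness timing silently follows the liveness settings; it should read `.Values.matomo.readinessProbe.initialDelaySeconds | default 30` and `.Values.matomo.readinessProbe.periodSeconds | default 30` (deployment-matomo-tracker.yaml carries the same copy-paste). The nginx liveness command `[ -f /tmp/nginx.pid ] && ps -A | grep nginx` can match its own `grep nginx` process, so once the pid file exists the probe keeps passing after nginx has died; `pgrep nginx` or `grep '[n]ginx'` avoids that. The list item `- {{ .Values.matomo.livenessProbe.exec.command }}` is unquoted, so a command containing `: ` or starting with a YAML indicator breaks the manifest; render it as `- {{ .Values.matomo.livenessProbe.exec.command | quote }}`. `port: {{ .Values.matomo.readinessProbe.httpGet.port | default 80 }}` falls back to a port no container in this pod declares (nginx on 8080, php-fpm on 9000), so the default can never succeed.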
@@ -0,0 +1,68 @@ +--- +{{- if .Values.matomo.queuedTrackingMonitor.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matomo-queuedtracking-monitor + namespace: {{.Values.namespace}} + labels: + app: matomo-queuedtracking-monitor +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 4 }} +{{- end }} +spec: + replicas: {{.Values.matomo.queuedTrackingMonitor.replicas | default 1}} + selector: + matchLabels: + app: matomo-queuedtracking-monitor + template: + metadata: + labels: + app: matomo-queuedtracking-monitor +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }} + spec: +{{ include "matomo.init" . | nindent 6 }} + containers: + - name: matomo + image: {{.Values.matomo.image}} + resources: + requests: + memory: "128Mi" + cpu: "300m" + limits: + memory: "180Mi" + cpu: "500m" + securityContext: + runAsUser: {{.Values.matomo.runAsUser}} + privileged: false + allowPrivilegeEscalation: false + imagePullPolicy: Always + env: + - name: MATOMO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.db.password.secretKeyRef.name }} + key: {{ .Values.db.password.secretKeyRef.key }} +{{ include "matomo.license" . | nindent 8 }} + command: [ 'sh' , '-c' , 'supervisord -n' ] + volumeMounts: + - name: static-data + mountPath: /var/www/html + - name: matomo-supervisor-queuedtrackingmonitor + mountPath: /etc/supervisor.d + readOnly: true +{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }} + volumes: + - name: matomo-configuration + configMap: + name: matomo-configuration + - name: static-data + emptyDir: {} + - name: matomo-supervisor-queuedtrackingmonitor + configMap: + name: matomo-supervisor-queuedtrackingmonitor +{{- end -}} 
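Review bot: `resources` are hard-coded inline here and in deployment-matomo-queuedtrackingprocess.yaml, while every other workload in this chart reads them from values behind an `{{- if ... .resources }}` guard; an operator cannot raise the `180Mi` limit for a larger tracking queue without forking the chart. Expose them as `.Values.matomo.queuedTrackingMonitor.resources` and `.Values.matomo.queuedTrackingProcess.resources`, keeping the present numbers as defaults in values.yaml. `replicas` has `| default 1` here but no default in the process deployment, so an unset value there renders `replicas:` empty; make the two consistent.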
diff --git a/charts/matomo/templates/deployment-matomo-queuedtrackingprocess.yaml b/charts/matomo/templates/deployment-matomo-queuedtrackingprocess.yaml
new file mode 100644
index 00000000..9daf4db1
--- /dev/null
+++ b/charts/matomo/templates/deployment-matomo-queuedtrackingprocess.yaml
@@ -0,0 +1,68 @@ +--- +{{- if .Values.matomo.queuedTrackingProcess.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matomo-queuedtracking-process + namespace: {{.Values.namespace}} + labels: + app: matomo-queuedtracking-process +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 4 }} +{{- end }} +spec: + replicas: {{.Values.matomo.queuedTrackingProcess.replicas}} + selector: + matchLabels: + app: matomo-queuedtracking-process + template: + metadata: + labels: + app: matomo-queuedtracking-process +{{- if .Values.matomo.extralabels }} +{{ toYaml .Values.matomo.extralabels | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }} + spec: +{{ include "matomo.init" . | nindent 6 }} + containers: + - name: matomo + image: {{.Values.matomo.image}} + resources: + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "220Mi" + cpu: "1" + securityContext: + runAsUser: {{.Values.matomo.runAsUser}} + privileged: false + allowPrivilegeEscalation: false + imagePullPolicy: Always + env: + - name: MATOMO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.db.password.secretKeyRef.name }} + key: {{ .Values.db.password.secretKeyRef.key }} +{{ include "matomo.license" . | nindent 8 }} + command: [ 'sh' , '-c' , 'supervisord -n' ] + volumeMounts: + - name: static-data + mountPath: /var/www/html + - name: matomo-supervisor-queuedtrackingprocess + mountPath: /etc/supervisor.d + readOnly: true +{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }} + volumes: + - name: matomo-configuration + configMap: + name: matomo-configuration + - name: static-data + emptyDir: {} + - name: matomo-supervisor-queuedtrackingprocess + configMap: + name: matomo-supervisor-queuedtrackingprocess +{{- end -}} 
diff --git a/charts/matomo/templates/deployment-matomo-tracker.yaml b/charts/matomo/templates/deployment-matomo-tracker.yaml
new file mode 100644
index 00000000..cac0b535
--- /dev/null
+++ b/charts/matomo/templates/deployment-matomo-tracker.yaml
@@ -0,0 +1,179 @@
+---
+{{- if .Values.matomo.tracker.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: matomo-tracker
+ namespace: {{.Values.namespace}}
+ labels:
+ app: matomo-tracker
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{.Values.matomo.tracker.replicas}}
+ selector:
+ matchLabels:
+ app: matomo-tracker
+ template:
+ metadata:
+ labels:
+ app: matomo-tracker
+{{- if .Values.matomo.extralabels }}
+{{ toYaml .Values.matomo.extralabels | indent 8 }}
+{{- end }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap-matomo.yaml") . | sha256sum }}
+ spec:
+{{ include "matomo.init" . | nindent 6 }}
+ containers:
+ - name: fpm-metrics
+ securityContext:
+ runAsUser: {{.Values.matomo.runAsUser}}
+ privileged: false
+ allowPrivilegeEscalation: false
+ image: hipages/php-fpm_exporter:2.2.0
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: 40m
+ memory: 32Mi
+ requests:
+ cpu: 40m
+ memory: 32Mi
+ - name: nginx
+ image: {{.Values.nginx.image}}
+ {{- if .Values.matomo.tracker.nginx.resources }}
+ resources:
+{{ toYaml .Values.matomo.tracker.nginx.resources | indent 10 }}
+ {{- end }}
+ # readinessProbe:
+ # httpGet:
+ # scheme: HTTP
+ # path: /matomo.js
+ # port: 8080
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - "[ -f /tmp/nginx.pid ] && ps -A | grep nginx"
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ securityContext:
+ runAsUser: {{.Values.nginx.runAsUser}}
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumeMounts:
+ - name: nginx-conf
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ readOnly: true
+ - name: fastcgi-params
+ mountPath: /etc/nginx/fastcgi_params
+ subPath: fastcgi_params
+ readOnly: true
+ - name: mime-types
+ mountPath: /etc/nginx/mime.types
+ subPath: mime.types
+ readOnly: true
+ - name: static-data
+ mountPath: /var/www/html
+ readOnly: true
+ ports:
+ - containerPort: 8080
+ - name: matomo
+ image: {{.Values.matomo.image}}
+ {{- if .Values.matomo.tracker.resources }}
+ resources:
+{{ toYaml .Values.matomo.tracker.resources | indent 10 }}
+ {{- end }}
+ securityContext:
+ runAsUser: {{.Values.matomo.runAsUser}}
+ privileged: false
+ allowPrivilegeEscalation: false
+ imagePullPolicy: Always
+ env:
+ - name: MATOMO_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.db.password.secretKeyRef.name }}
+ key: {{ .Values.db.password.secretKeyRef.key }}
+ command: [ 'sh' , '-c' , 'supervisord -n' ]
+ volumeMounts:
+ - name: static-data
+ mountPath: /var/www/html
+ - name: matomo-supervisor-tracker
+ mountPath: /etc/supervisor.d
+ readOnly: true
+ - name: matomo-phpfpm-tracker
+ mountPath: /usr/local/etc/php-fpm.d/zz-global.conf
+ subPath: zz-global.conf
+ {{- if .Values.matomo.livenessProbe }}
+ livenessProbe:
+ {{- if .Values.matomo.livenessProbe.exec }}
+ exec:
+ command:
+ - sh
+ - -c
+ - {{ .Values.matomo.livenessProbe.exec.command }}
+ initialDelaySeconds: {{ .Values.matomo.livenessProbe.initialDelaySeconds | default 10 }}
+ periodSeconds: {{ .Values.matomo.livenessProbe.periodSeconds | default 20 }}
+ timeoutSeconds: {{ .Values.matomo.livenessProbe.timeoutSeconds | default 10 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.matomo.readinessProbe }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.matomo.readinessProbe.httpGet.path }}
+ port: {{ .Values.matomo.readinessProbe.httpGet.port | default 80 }}
+ initialDelaySeconds: {{ .Values.matomo.livenessProbe.initialDelaySeconds | default 5 }}
+ periodSeconds: {{ .Values.matomo.livenessProbe.periodSeconds | default 5 }}
+ {{- end }}
+{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }}
+ volumes:
+ - name: nginx-conf
+ configMap:
+ name: nginx-matomo-tracker
+ items:
+ - key: nginx.conf
+ path: nginx.conf
+ - name: fastcgi-params
+ configMap:
+ name: nginx-matomo-tracker
+ items:
+ - key: fastcgi_params
+ path: fastcgi_params
+ - name: mime-types
+ configMap:
+ name: nginx-matomo-tracker
+ items:
+ - key: mime.types
+ path: mime.types
+ - name: matomo-configuration
+ configMap:
+ name: matomo-configuration
+ - name: static-data
+ emptyDir: {}
+ - name: matomo-supervisor-tracker
+ configMap:
+ name: matomo-supervisor-tracker
+ - name: matomo-phpfpm-tracker
+ configMap:
+ name: matomo-phpfpm-tracker
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: matomo-tracker
+ labels:
+ app: matomo-tracker
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ selector:
+ app: matomo-tracker
+{{- end -}}
diff --git a/charts/matomo/templates/ingress-matomo-dashboard.yaml b/charts/matomo/templates/ingress-matomo-dashboard.yaml
new file mode 100644
index 00000000..e10ce6c3
--- /dev/null
+++ b/charts/matomo/templates/ingress-matomo-dashboard.yaml
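Review bot: The `readinessProbe` block reads `.Values.matomo.livenessProbe.initialDelaySeconds` and `.periodSeconds` instead of the readiness values, which looks like a copy-paste slip; a values file that sets `readinessProbe` without `livenessProbe` makes rendering fail on a nil map, so change them to `initialDelaySeconds: {{ .Values.matomo.readinessProbe.initialDelaySeconds | default 5 }}` and `periodSeconds: {{ .Values.matomo.readinessProbe.periodSeconds | default 5 }}`. The trailing `matomo-tracker` Service has no `namespace:` while the Deployment pins `namespace: {{.Values.namespace}}`, so a release installed into a different namespace gets a Service whose selector matches nothing. The `fpm-metrics` sidecar pulls the hard-coded `hipages/php-fpm_exporter:2.2.0` from Docker Hub with `imagePullPolicy: Always`, bypassing the chart's registry and pull-secret values and pinning no digest; parameterise it the way `.Values.nginx.image` is. The nginx liveness command `ps -A | grep nginx` may also match the grep process itself on a BusyBox `ps` that prints full command lines — `pgrep nginx` avoids that.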
@@ -0,0 +1,57 @@
+{{- if .Values.matomo.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ labels:
+ app: matomo-dashboard
+{{- if .Values.matomo.ingress.extralabels }}
+{{ toYaml .Values.matomo.ingress.extralabels | indent 4 }}
+{{- end }}
+ name: matomo-dashboard
+ namespace: {{.Values.namespace}}
+ annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/client-body-timeout: 700s
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: 200m
+ nginx.ingress.kubernetes.io/proxy-read-timeout: 700s
+ {{- if .Values.matomo.ingress.annotations }}
+ {{- with .Values.matomo.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.matomo.dashboard.whitelist }}
+ nginx.ingress.kubernetes.io/whitelist-source-range: {{.Values.matomo.dashboard.whitelist | toPrettyJson}}
+ {{ else }}
+ {{- end }}
+spec:
+ {{- if .Values.matomo.dashboard.ingressClassName }}
+ ingressClassName: {{.Values.matomo.dashboard.ingressClassName}}
+ {{- end }}
+ rules:
+ - host: {{.Values.matomo.dashboard.hostname}}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.dashboard.loadbalancer }}
+ name: matomo-dashboard-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-dashboard
+ port:
+ number: 8080
+ {{- end }}
+
+ {{- if .Values.matomo.dashboard.tls }}
+ tls:
+ - hosts:
+ - {{.Values.matomo.dashboard.hostname}}
+ {{- if .Values.matomo.dashboard.secretName }}
+ secretName: {{.Values.matomo.dashboard.secretName}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/matomo/templates/ingress-matomo-tracker.yaml b/charts/matomo/templates/ingress-matomo-tracker.yaml
new file mode 100644
index 00000000..5ffc4c69
--- /dev/null
+++ b/charts/matomo/templates/ingress-matomo-tracker.yaml
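Review bot: `nginx.ingress.kubernetes.io/enable-cors: "true"` is hard-coded on the authenticated admin dashboard with no matching `cors-allow-origin`, so with ingress-nginx's defaults any origin is answered with `Access-Control-Allow-Origin: *`; make it opt-in through `.Values.matomo.ingress.annotations` or pair it with an explicit `nginx.ingress.kubernetes.io/cors-allow-origin` listing the trusted origins. The whitelist line renders `.Values.matomo.dashboard.whitelist | toPrettyJson`, which for a list value emits a JSON array (`["10.0.0.0/8"]`) that the controller will not parse as a CIDR list — if the value is meant to be a list use `{{ join "," .Values.matomo.dashboard.whitelist | quote }}`, and if it is a string `quote` is enough. The dangling `{{ else }}` with an empty branch can be dropped, and the `700s`/`200m` annotation values should be quoted like `use-regex` so they are unambiguously strings.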
@@ -0,0 +1,193 @@
+{{- if .Values.matomo.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ labels:
+ app: matomo-tracker
+{{- if .Values.matomo.ingress.extralabels }}
+{{ toYaml .Values.matomo.ingress.extralabels | indent 4 }}
+{{- end }}
+ name: matomo-tracker
+ namespace: {{.Values.namespace}}
+ annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ gzip on;
+ gzip_disable "MSIE [1-6]\.";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_min_length 512;
+ gzip_buffers 16 128k;
+ gzip_http_version 1.1;
+ gzip_types
+ application/json
+ application/javascript;
+ {{- if .Values.matomo.ingress.annotations }}
+ {{- with .Values.matomo.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if .Values.matomo.tracker.ingressClassName }}
+ ingressClassName: {{.Values.matomo.tracker.ingressClassName}}
+ {{- end }}
+ rules:
+ - host: {{.Values.matomo.tracker.hostname}}
+ http:
+ paths:
+ - path: /index.php
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /piwik.php
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /piwik.js
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /matomo.php
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /matomo.js
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /js/.*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /plugins/HeatmapSessionRecording/.*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /plugins/Overlay/client/.*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+ - path: /node_modules/jquery/dist/.*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+
+ - path: /plugins/UserFeedback/lib/.*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+
+ - path: /plugins/UserFeedback/css/.*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ {{- if .Values.matomo.tracker.loadbalancer }}
+ name: matomo-tracker-lb
+ port:
+ number: 80
+ {{ else }}
+ name: matomo-tracker
+ port:
+ number: 8080
+ {{- end }}
+
+ {{- if .Values.matomo.tracker.tls }}
+ tls:
+ - hosts:
+ - {{.Values.matomo.tracker.hostname}}
+ {{- if .Values.matomo.tracker.secretName }}
+ secretName: {{.Values.matomo.tracker.secretName}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/matomo/templates/loadbalancer-matomo-dashboard.yaml b/charts/matomo/templates/loadbalancer-matomo-dashboard.yaml
new file mode 100644
index 00000000..22b20b27
--- /dev/null
+++ b/charts/matomo/templates/loadbalancer-matomo-dashboard.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.matomo.dashboard.loadbalancer }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: matomo-dashboard-lb
+spec:
+ selector:
+ app: matomo-dashboard
+ ports:
+ - port: 80
+ targetPort: 8080
+ type: LoadBalancer
+{{- end -}}
\ No newline at end of file
diff --git a/charts/matomo/templates/loadbalancer-matomo-tracker.yaml b/charts/matomo/templates/loadbalancer-matomo-tracker.yaml
new file mode 100644
index 00000000..eb06ba05
--- /dev/null
+++ b/charts/matomo/templates/loadbalancer-matomo-tracker.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.matomo.tracker.loadbalancer }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: matomo-tracker-lb
+spec:
+ selector:
+ app: matomo-tracker
+ ports:
+ - port: 80
+ targetPort: 8080
+ type: LoadBalancer
+{{- end -}}
\ No newline at end of file
diff --git a/charts/matomo/templates/post-install-job.yaml b/charts/matomo/templates/post-install-job.yaml
new file mode 100644
index 00000000..b5e4d874
--- /dev/null
+++ b/charts/matomo/templates/post-install-job.yaml
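Review bot: The `nginx.ingress.kubernetes.io/server-snippet` annotation holding the gzip block depends on the controller having `allow-snippet-annotations` enabled, which ingress-nginx turned off by default after the snippet-injection CVE; on a hardened controller the admission webhook rejects this Ingress outright, and on a permissive one every tenant that can create an Ingress can inject arbitrary nginx configuration the same way. Move the compression settings into the controller ConfigMap (`use-gzip`, `gzip-types`, `gzip-min-length`) or into the chart's own nginx.conf, and drop the snippet. Enabling gzip for `application/json` responses over TLS also reopens compression-oracle attacks on any endpoint that reflects request data into its body — probably acceptable for the tracker's fire-and-forget replies, but worth a comment on the annotation. Separately, the eleven `- path:` entries repeat the same backend block; a `{{- range }}` over a list of paths with one backend would make the exposed surface reviewable at a glance.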
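Review bot: `matomo-dashboard-lb` publishes the admin dashboard as a cloud `LoadBalancer` on cleartext port 80 with no `loadBalancerSourceRanges`, so enabling `matomo.dashboard.loadbalancer` bypasses both the `whitelist-source-range` restriction the dashboard Ingress applies and the TLS termination it can provide. At minimum add `loadBalancerSourceRanges` fed from the same `matomo.dashboard.whitelist` value, and set `namespace: {{.Values.namespace}}` so the Service lands in the namespace of the Deployment it selects. The companion `matomo-tracker-lb` Service in the following hunk has the same shape.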
@@ -0,0 +1,76 @@
+{{- if .Values.matomo.postInstallCommand }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: matomo-post-install
+ namespace: {{.Values.namespace}}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ partOf: matomo
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }}
+ containers:
+ - name: post-install-matomo
+ image: {{.Values.matomo.image}}
+ lifecycle:
+ postStart:
+ exec:
+ command: [ 'sh' , '-c' , '{{.Values.matomo.installCommand}}' ]
+ # To do anything with Matomo, we first need to bootstrap it (curl).
+ command: [ 'bash' , '-c' , 'sleep {{.Values.matomo.postInstallSleepTime}}; curl -Il https://{{.Values.matomo.dashboard.hostname}}; {{.Values.matomo.postInstallCommand}}' ]
+ env:
+ - name: MATOMO_FIRST_USER_NAME
+ value: {{.Values.matomo.dashboard.firstuser.username}}
+ - name: MATOMO_FIRST_USER_EMAIL
+ value: {{.Values.matomo.dashboard.firstuser.email}}
+ - name: MATOMO_FIRST_USER_PASSWORD
+ value: {{.Values.matomo.dashboard.firstuser.password}}
+ - name: MATOMO_DB_HOST
+ value: {{.Values.db.hostname}}
+ - name: MATOMO_DB_NAME
+ value: {{.Values.db.name}}
+ {{ if .Values.db.prefix }}
+ - name: MATOMO_DB_PREFIX
+ value: {{.Values.db.prefix}}
+ {{ end }}
+ - name: MATOMO_DB_USERNAME
+ value: {{.Values.db.username}}
+ - name: MATOMO_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.db.password.secretKeyRef.name }}
+ key: {{ .Values.db.password.secretKeyRef.key }}
+{{ include "matomo.license" . | nindent 8 }}
+ volumeMounts:
+ - name: matomo-startup-config
+ mountPath: /var/www/html/config/config.ini.php
+ subPath: config.ini.php
+{{- if .Values.extraVolumeMounts }}
+{{ toYaml .Values.extraVolumeMounts | indent 8 }}
+{{- end }}
+ volumes:
+ - name: matomo-startup-config
+ configMap:
+ name: matomo-startup-config
+{{- if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumes | indent 8 }}
+{{- end }}
+{{- end -}}
+
+
diff --git a/charts/matomo/templates/pre-upgrade-job.yaml b/charts/matomo/templates/pre-upgrade-job.yaml
new file mode 100644
index 00000000..dafd7e4c
--- /dev/null
+++ b/charts/matomo/templates/pre-upgrade-job.yaml
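Review bot: `MATOMO_FIRST_USER_PASSWORD` is injected as a plain `value:` from `.Values.matomo.dashboard.firstuser.password`, so the Matomo superuser credential is readable by anyone with `get` on Jobs or Pods in the namespace and is persisted in the Helm release record, while `MATOMO_DB_PASSWORD` in the same `env:` list already uses `secretKeyRef`; source it the same way from a chart-managed or pre-created Secret. Because `helm.sh/hook-delete-policy` is only `hook-succeeded`, a failed run leaves the Job — and that environment — behind indefinitely. The `bash -c` string splices `.Values.matomo.postInstallCommand` unquoted, so the values file is effectively a shell script; that is defensible for an operator-controlled chart but deserves a comment, and `curl -Il` looks like a typo for `-IL` (`-l` is FTP list-only and ignored here). Unlike the Deployments, this container carries no `securityContext` at all.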
@@ -0,0 +1,72 @@
+{{- if .Values.matomo.preUpgradeCommand }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: matomo-pre-upgrade
+ namespace: {{.Values.namespace}}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ partOf: matomo
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+{{ include "matomo.images.pullSecrets" ( dict "images" (list .Values.matomo) "global" .Values.global) | nindent 6 }}
+ containers:
+ - name: pre-upgrade-matomo
+ image: {{.Values.matomo.image}}
+ volumeMounts:
+ - name: matomo-startup-config
+ mountPath: /var/www/html/config/config.ini.php
+ subPath: config.ini.php
+ - name: matomo-pre-upgrade-additional-config-maps
+ mountPath: /var/www/html/config/common.config.ini.php
+ subPath: common.config.ini.php
+ # To do anything with Matomo, we first need to bootstrap it (curl).
+ command: [ 'bash' , '-c' , 'sleep {{.Values.matomo.preUpgradeSleepTime}}; curl -Il https://{{.Values.matomo.dashboard.hostname}}; {{.Values.matomo.preUpgradeCommand}}' ]
+ env:
+ - name: MATOMO_FIRST_USER_NAME
+ value: {{.Values.matomo.dashboard.firstuser.username}}
+ - name: MATOMO_FIRST_USER_EMAIL
+ value: {{.Values.matomo.dashboard.firstuser.email}}
+ - name: MATOMO_FIRST_USER_PASSWORD
+ value: {{.Values.matomo.dashboard.firstuser.password}}
+ - name: MATOMO_DB_HOST
+ value: {{.Values.db.hostname}}
+ - name: MATOMO_DB_NAME
+ value: {{.Values.db.name}}
+ {{ if .Values.db.prefix }}
+ - name: MATOMO_DB_PREFIX
+ value: {{.Values.db.prefix}}
+ {{ end }}
+ - name: MATOMO_DB_USERNAME
+ value: {{.Values.db.username}}
+ - name: MATOMO_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.db.password.secretKeyRef.name }}
+ key: {{ .Values.db.password.secretKeyRef.key }}
+{{ include "matomo.license" . | nindent 8 }}
+ volumes:
+ - name: matomo-startup-config
+ configMap:
+ name: matomo-startup-config
+{{ if .Values.extraConfigMaps.create }}
+ - name: matomo-pre-upgrade-additional-config-maps
+ configMap:
+ name: matomo-pre-upgrade-additional-config-maps
+{{- end }}
+{{- end -}}
diff --git a/charts/matomo/templates/secrets-extra.yaml b/charts/matomo/templates/secrets-extra.yaml
new file mode 100644
index 00000000..97bad577
--- /dev/null
+++ b/charts/matomo/templates/secrets-extra.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.extraSecrets.create -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: matomo-extra-secrets
+ namespace: {{.Values.namespace}}
+data:
+{{- if and .Values.extraSecrets.create .Values.extraSecrets.data }}
+{{- range $index, $content := .Values.extraSecrets.data }}
+ {{ $index }}: |-
+{{ $content | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matomo/templates/services-extra.yaml b/charts/matomo/templates/services-extra.yaml
new file mode 100644
index 00000000..cdd2318a
--- /dev/null
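Review bot: The `matomo-pre-upgrade-additional-config-maps` entry under `volumeMounts` is emitted unconditionally, but its `volumes` entry only exists inside `{{ if .Values.extraConfigMaps.create }}`, so with `extraConfigMaps.create: false` the Pod spec references an undefined volume, the hook Job can never start, and every `helm upgrade` is blocked. Wrap the three mount lines in the same `{{- if .Values.extraConfigMaps.create }}` / `{{- end }}` guard. As in the post-install hook, `MATOMO_FIRST_USER_PASSWORD` is a literal `value:` while `MATOMO_DB_PASSWORD` uses `secretKeyRef`; move the superuser password to a Secret as well. This container also has no `securityContext`, unlike the chart's Deployments.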
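Review bot: `data:` is populated by writing each raw value under a `|-` block scalar via `{{ $content | indent 4 }}`, so callers must pre-encode every value as base64 themselves, and a value that is not valid base64 — or that carries stray whitespace — is only rejected when the API server validates the Secret, well after `helm template` looks fine. Emitting `stringData:` with `{{ $index }}: {{ $content | quote }}`, or `data:` with `{{ $index }}: {{ $content | b64enc }}`, removes that footgun and the manual encoding step; which one to pick depends on whether existing values files already hold base64, which this diff does not show. The inner `and .Values.extraSecrets.create` is redundant inside the outer `if` and can go.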
+++ b/charts/matomo/templates/services-extra.yaml
@@ -0,0 +1,27 @@
+{{- range $service := .Values.extraServices }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: matomo-extra-{{ $service.name }}
+spec:
+ type: {{ $service.type }}
+ ports:
+ - port: {{ $service.port }}
+ targetPort: {{ $service.name }}
+ protocol: {{ $service.protocol }}
+ name: {{ $service.name }}
+ {{- if and ( or (eq $service.type "LoadBalancer") (eq $service.type "NodePort") ) ($service.nodePort) }}
+ nodePort: {{ $service.nodePort }}
+ {{- end }}
+ {{- if and (eq $service.type "LoadBalancer") ($service.loadBalancerIP) }}
+ loadBalancerIP: {{ $service.loadBalancerIP }}
+ {{- end }}
+ {{- if $service.clusterIP }}
+ clusterIP: {{ $service.clusterIP }}
+ {{- end }}
+ selector:
+{{- range $index, $content := $service.selector }}
+ {{ $index }}: {{ $content }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/charts/matomo/values.yaml b/charts/matomo/values.yaml
new file mode 100644
index 00000000..f62bb38d
--- /dev/null
+++ b/charts/matomo/values.yaml
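Review bot: Unlike the chart's other resources, these Services omit `namespace: {{.Values.namespace}}`, so they land in the release namespace and their `selector` silently matches nothing whenever that differs from `.Values.namespace`. `targetPort: {{ $service.name }}` also requires the selected pod to declare a container port with that exact name, whereas the commented example in values.yaml documents a numeric `containerPort` — one of the two looks stale. Because `type` is user-controlled, a `NodePort` or `LoadBalancer` entry here exposes whatever pods the selector matches directly to the network with no source restriction; a `loadBalancerSourceRanges` passthrough would give operators a way to scope that.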
@@ -0,0 +1,184 @@
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+##
+global:
+ ## As:
+ ## imageRegistry: "docker.io"
+ imageRegistry: ""
+ ## As:
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+namespace: matomo
+matomo:
+ imageRegistry: ""
+ ## As:
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ imagePullSecrets: []
+ image: digitalist/matomo:5.2.1
+ runAsUser: 82
+ installCommand: ./console plugin:activate ExtraTools && ./console matomo:install --install-file=/tmp/matomo/install.json --force --do-not-drop-db
+ # Post install for helm chart. Starts a post-install-job.
+ postInstallSleepTime: 5
+ postInstallCommand: ""
+ preUpgradeSleepTime: 5
+ preUpgradeCommand: ""
+ extralabels: {}
+ ## If you have a premium license for plugins, set it here.
+ ## you need to create the secret before referring it.
+ ## As:
+ ## license:
+ ## secretKeyRef:
+ ## name: matomo-license
+ ## key: matomo-license
+ license:
+ ingress:
+ enabled: true
+ extralabels: {}
+ annotations:
+ digitalist.cloud/instance: "matomo"
+ cli:
+ replicas: 1
+ enabled: true
+ cronJobs:
+ coreArchive:
+ enabled: true
+ labels:
+ name: matomo-jobs-corearchive
+ instance: matomo
+ component: cronjob
+ partOf: matomo
+ managedBy: helm
+ schedule: "*/60 * * * *"
+ concurrencyPolicy: Allow
+ activeDeadlineSeconds: 43200
+ command: ./console core:archive --disable-scheduled-tasks
+ scheduledTasks:
+ php:
+ enabled: true
+ labels:
+ name: matomo-jobs-scheduled-tasks
+ instance: matomo
+ component: cronjob
+ partOf: matomo
+ managedBy: helm
+ schedule: "*/60 * * * *"
+ activeDeadlineSeconds: 43200
+ command: ./console scheduled-tasks:run
+ dashboard:
+ sidecars: []
+ ## added like this:
+ # sidecars:
+ # - name: fpm-metrics
+ # image: hipages/php-fpm_exporter:2.2.0
+ # imagePullPolicy: IfNotPresent
+ # resources:
+ # limits:
+ # cpu: 500m
+ # memory: 256Mi
+ # requests:
+ # cpu: 40m
+ # memory: 32Mi
+ enabled: true
+ replicas: 1
+ loadbalancer: false
+ hostname: my.host
+ tls: false
+ firstuser:
+ username: admin
+ password: admin123
+ email: foo@example.com
+ nginx:
+ nginxWorkerProcesses: 5
+ ingressClassName: ""
+ queuedTrackingMonitor:
+ enabled: true
+ queuedTrackingProcess:
+ replicas: 1
+ tracker:
+ enabled: true
+ replicas: 1
+ hostname: my.host
+ tls: false
+ loadbalancer: false
+ nginx:
+ resources:
+ nginxWorkerProcesses: 5
+ phpfpm:
+ type: ondemand
+ max_children: 75
+ process_idle_timeout: 600s
+ max_requests: 500
+ ingressClassName: ""
+nginx:
+ image: digitalist/nginx:1.21.6
+ imagePullSecrets: []
+ runAsUser: 100
+db:
+ hostname: matomo-db-mysql
+ password:
+ secretKeyRef:
+ name: matomo-db-mysql
+ key: mysql-root-password
+ name: matomo
+ username: root
+ prefix: matomo_
+xdebug:
+ disabled: 1
+extraSecrets:
+ create: false
+ data: {}
+# * secrets need to base64 encoded.
+# data:
+# name: Zm9vCg==
+# bar: YmFyCg==
+extraServices: {}
+# - name: foo
+ ## Service port type
+# type: ClusterIP
+ ## Service protocol
+# protocol: TCP
+ ## The container target port
+# containerPort: 12001
+ ## The service port
+# port: 12001
+# selector:
+# app: matomo-dashboard
+ ## The node port (only relevant for type LoadBalancer or NodePort)
+# nodePort:
+ ## The cluster ip address (only relevant for type LoadBalancer or NodePort)
+# clusterIP:
+ ## The loadbalancer ip address (only relevant for type LoadBalancer)
+# loadBalancerIP:
+extraConfigMaps:
+ create: true
+ data: {}
+# data:
+# my.ini: |
+# extension=foo.so
+# foo.socket=tcp://bar:9309
+extraVolumes: []
+# extraVolumes:
+# - name: mySecretVolume
+# secret:
+# secretName: matomo-extra-secrets
+# - name: my.ini
+# configMap:
+# name: matomo-additional-config-maps
+# items:
+# - key: "my.ini"
+# path: "my.ini"
+extraVolumeMounts: []
+# extraVolumeMounts:
+# - name: mySecretVolume
+# mountPath: /foo/secrets/mySecretVolume/
+# - name: my.ini
+# mountPath: /usr/local/etc/php/conf.d/my.ini
+# subPath: my.ini
diff --git a/helmfile.d/plausible.yaml.gotmpl b/helmfile.d/matomo.yaml.gotmpl
similarity index 50%
rename from helmfile.d/plausible.yaml.gotmpl
rename to helmfile.d/matomo.yaml.gotmpl
index e0d36d10..ae8a9584 100644
--- a/helmfile.d/plausible.yaml.gotmpl
+++ b/helmfile.d/matomo.yaml.gotmpl
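Review bot: The defaults ship `firstuser.password: admin123` together with `ingress.enabled: true`, `tls: false` and a placeholder `hostname: my.host`, so an unmodified install exposes the Matomo superuser login over plain HTTP with a guessable credential. Default the password to empty and fail rendering with `required` in the templates that consume it (or generate one with `randAlphaNum` into a Secret), and default `tls: true`. `db.username: root` against the `mysql-root-password` key runs the application as the database superuser; a dedicated least-privilege database user limits what an application compromise can reach. `image: digitalist/matomo:5.2.1` and `nginx.image: digitalist/nginx:1.21.6` are tag-only references with no digest, which with the `imagePullPolicy: Always` used in the templates makes each rollout non-reproducible.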
@@ -1,36 +1,38 @@
+# yaml-language-server: $schema=https://www.schemastore.org/helmfile.json
+
bases:
- ../envs/environments.yaml.gotmpl
repositories:
-- name: plausible
- url: https://imio.github.io/helm-charts
+- name: bitnami
+ url: https://charts.bitnami.com/bitnami
commonLabels:
tier: system
releases:
-- name: plausible-analytics
- namespace: plausible
- chart: plausible/plausible-analytics
- version: 0.4.0
- condition: plausible.enabled
+- name: matomo
+ namespace: analytics
+ chart: bitnami/matomo
+ version: 11.0.0
+ condition: matomo.enabled
values:
- - ../values/plausible/values/values.yaml
- - ../values/plausible/values/values-{{ .Environment.Name }}.yaml
+ - ../values/matomo/values/values.yaml
+ - ../values/matomo/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
- - ../values/plausible/kustomize/{{ .Environment.Name }}
+ - ../values/matomo/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: manifests
- namespace: plausible
+ namespace: analytics
chart: manifests
- condition: plausible.enabled
+ condition: matomo.enabled
missingFileHandler: Info
values:
- ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- - ../values/plausible/env.yaml.gotmpl
- - ../values/plausible/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ - ../values/matomo/env.yaml.gotmpl
+ - ../values/matomo/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
@@ -39,5 +41,5 @@ releases:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- - ../values/plausible/manifests
+ - ../values/matomo/manifests
- manifests
diff --git a/shell.nix b/shell.nix
index f064878d..eba98df3 100644
--- a/shell.nix
+++ b/shell.nix
@@ -40,8 +40,11 @@ pkgs.mkShellNoCC {
# linkerd step-cli linkerd
+
+ # dapr
+ dapr-cli
];
- ARGOCD_ENV_CLUSTER_NAME = "ekman";
+ ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
}
diff --git a/values/matomo/README.md b/values/matomo/README.md
new file mode 100644
index 00000000..d768fc8f
--- /dev/null
+++ b/values/matomo/README.md
@@ -0,0 +1,4 @@
+# Matomo
+
+TO-DO:
+- [ ] Move to Digitalist [Chart](https://github.com/Digitalist-Open-Cloud/matomo-kubernetes)
diff --git a/values/matomo/env-oceanbox.yaml.gotmpl b/values/matomo/env-oceanbox.yaml.gotmpl
new file mode 100644
index 00000000..ba66ea49
--- /dev/null
+++ b/values/matomo/env-oceanbox.yaml.gotmpl
@@ -0,0 +1,3 @@
+matomo:
+ enabled: {{ if eq .Environment.Name "prod" }} true {{ else }} false {{ end }}
+ env: prod
diff --git a/values/matomo/env.yaml.gotmpl b/values/matomo/env.yaml.gotmpl
new file mode 100644
index 00000000..39206aa2
--- /dev/null
+++ b/values/matomo/env.yaml.gotmpl
@@ -0,0 +1,4 @@
+matomo:
+ enabled: false
+ autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }}
+ env: {{ .Environment.Name }}
diff --git a/values/matomo/manifests/matomo.yaml b/values/matomo/manifests/matomo.yaml
new file mode 100644
index 00000000..fcec61e5
--- /dev/null
+++ b/values/matomo/manifests/matomo.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: matomo
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: analytics
+ server: https://kubernetes.default.svc
+ project: aux
+ sources:
+ - repoURL: {{ .Values.clusterConfig.manifests }}
+ targetRevision: HEAD
+ path: helmfile.d
+ plugin:
+ name: helmfile-cmp
+ env:
+ - name: CLUSTER_NAME
+ value: {{ .Values.clusterConfig.cluster }}
+ - name: HELMFILE_ENVIRONMENT
+ value: {{ .Values.matomo.env }}
+ - name: HELMFILE_FILE_PATH
+ value: analytics.yaml.gotmpl
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ # - ServerSideApply=true
+ {{- if .Values.matomo.autosync }}
+ automated:
+ prune: true
+ # selfHeal: false
+ {{- end }}
+{{- end }}
diff --git a/values/matomo/values/values-prod.yaml b/values/matomo/values/values-prod.yaml
new file mode 100644
index 00000000..eb748fef
--- /dev/null
+++ b/values/matomo/values/values-prod.yaml
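Review bot: `HELMFILE_FILE_PATH` is set to `analytics.yaml.gotmpl`, but the helmfile this commit adds is `helmfile.d/matomo.yaml.gotmpl`, so unless a separate `analytics.yaml.gotmpl` exists outside this diff the `helmfile-cmp` plugin will not render this release at all; change it to `value: matomo.yaml.gotmpl`. `targetRevision: HEAD` combined with `automated: prune: true` (whenever `matomo.autosync` is on) means any push to the repository's default branch is appl ied and pruned in the cluster without review; pin a branch or tag, or keep autosync off the way `env.yaml.gotmpl` already does for prod.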
@@ -0,0 +1,1120 @@ +# yaml-language-server: $schema= +# +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## +global: + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: true + +## @section Common parameters +## + +## @param usePasswordFiles Mount credentials as files instead of using environment variables +## +usePasswordFiles: true + +## @section Matomo parameters +## + +## Bitnami Matomo image version +## ref: https://hub.docker.com/r/bitnami/matomo/tags/ +## @param image.registry [default: REGISTRY_NAME] Matomo image registry +## @param image.repository [default: REPOSITORY_NAME/matomo] Matomo Image name +## @skip image.tag Matomo Image tag +## @param image.digest Matomo image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Matomo image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: digitalist/matomo + tag: 5.2.1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param replicaCount Number of Matomo Pods to run (requires ReadWriteMany PVC support) +## +replicaCount: 1 +## @param matomoUsername User of the application +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#configuration +## +matomoUsername: admin +## @param matomoPassword Application password +## Defaults to a random 10-character alphanumeric string if not set +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#configuration +## +matomoPassword: "en to tre fire" +## @param matomoEmail Admin email +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#configuration +## +matomoEmail: user@example.com +## @param matomoWebsiteName Matomo application name +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#configuration +## +matomoWebsiteName: oceanbox +## @param matomoWebsiteHost Matomo application host +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#configuration +## +matomoWebsiteHost: https://matomo.adm.oceanbox.io +## @param matomoSkipInstall Skip Matomo installation wizard. Useful for migrations and restoring from SQL dump +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#configuration +## +matomoSkipInstall: false +## @param customPostInitScripts Custom post-init.d user scripts +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo +## NOTE: supported formats are `.sh` or `.php` +## NOTE: scripts are exclusively executed during the 1st boot of the container +## e.g: +## customPostInitScripts: +## custom-post-init.sh: | +## #!/bin/bash +## echo "Hello from custom-post-init.sh" +## .htaccess: | +## RewriteEngine On +## RewriteBase / +## ... 
+## +customPostInitScripts: {} +## @param allowEmptyPassword Allow DB blank passwords +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo#environment-variables +## +allowEmptyPassword: true +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: RollingUpdate +## @param priorityClassName Matomo pods' priorityClassName +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: true +## @param hostAliases [array] Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: + ## Necessary for apache-exporter to work + ## + - ip: "127.0.0.1" + hostnames: + - "status.localhost" +## @param extraEnvVars Extra environment variables +## For example: +## +extraEnvVars: [] +# - name: BEARER_AUTH +# value: true +## @param extraEnvVarsCM ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param 
extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` +## +extraVolumes: [] +## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. +## +extraVolumeMounts: [] +## @param initContainers Add additional init containers to the pod (evaluated as a template) +## +initContainers: [] +## Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb +## @param pdb.create Enable/disable a Pod Disruption Budget creation +## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. 
+## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @param sidecars Attach additional containers to the pod (evaluated as a template) +## +sidecars: [] +## @param serviceAccountName Attach serviceAccountName to the pod and sidecars +## +serviceAccountName: "" +## @param tolerations Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param existingSecret Name of a secret with the application password +## +existingSecret: "" +## SMTP mail delivery configuration +## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo/#smtp-configuration +## @param smtpAuth SMTP authentication mechanism (options: Plain, Login, Cram-md5) +## @param smtpHost SMTP host +## @param smtpPort SMTP port +## @param smtpUser SMTP user +## @param smtpPassword SMTP password +## @param smtpProtocol SMTP Protocol (options: ssl,tls, nil) +## @param noreplyName Noreply name +## @param noreplyAddress Noreply address +## +smtpAuth: "" +smtpHost: "" +smtpPort: "" +smtpUser: "" +smtpPassword: "" +smtpProtocol: "" +noreplyName: "" +noreplyAddress: "" +## @param smtpExistingSecret The name of an existing secret with SMTP credentials +## NOTE: Must contain key `smtp-password` +## NOTE: When it's set, the `smtpPassword` parameter is ignored +## +smtpExistingSecret: "" +## @param containerPorts [object] Container ports +## +containerPorts: + http: 8080 + https: 8443 +## @param extraContainerPorts Optionally specify extra list of additional ports for Matomo container(s) +## e.g: +## extraContainerPorts: +## - name: myservice +## containerPort: 9090 +## +extraContainerPorts: [] +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ +## +persistence: + ## @param persistence.enabled Enable persistence using PVC + ## + enabled: true + ## @param persistence.storageClass PVC Storage Class for Matomo volume + ## If defined, 
storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param persistence.accessModes PVC Access Mode for Matomo volume + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for Matomo volume + ## + size: 8Gi + ## @param persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param persistence.existingClaim A manually managed Persistent Volume Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "" + ## @param persistence.hostPath If defined, the matomo-data volume will mount to the specified hostPath. + ## Requires persistence.enabled: true + ## Requires persistence.existingClaim: nil|false + ## Default: nil. + ## + hostPath: "" + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + ## @param persistence.selector Selector to match an existing Persistent Volume for Matomo data PVC + ## If set, the PVC can't have a PV dynamically provisioned for it + ## E.g. + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. +## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. +## +nodeAffinityPreset: + type: "" + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## Matomo container's resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "micro" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enable Matomo pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Matomo pods' group ID +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context (only main container) +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's 
Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## Configure extra options for startup probe +## Matomo core exposes / to unauthenticated requests, making it a good +## default startup and readiness path. However, that may not always be the +## case. For example, if the image value is overridden to an image containing a +## module that alters that route, or an image that does not auto-install Matomo. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.path Request path for startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + path: /matomo.php + initialDelaySeconds: 600 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 5 + successThreshold: 1 +## Configure extra options for liveness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds 
Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 600 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 5 + successThreshold: 1 +## Configure extra options for readiness probe +## Matomo core exposes / to unauthenticated requests, making it a good +## default startup and readiness path. However, that may not always be the +## case. For example, if the image value is overridden to an image containing a +## module that alters that route, or an image that does not auto-install Matomo. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.path Request path for readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + path: /matomo.php + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 5 + successThreshold: 1 +## @param customStartupProbe Override default startup probe +## +customStartupProbe: {} +## @param customLivenessProbe Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe +## +customReadinessProbe: {} +## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as a template +## +lifecycleHooks: {} +## @param 
podAnnotations Pod annotations +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Add additional labels to the pod (evaluated as a template) +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @section Traffic Exposure Parameters +## + +## Kubernetes configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer +## +service: + ## @param service.type Kubernetes Service type + ## + type: LoadBalancer + ## @param service.ports.http Service HTTP port + ## @param service.ports.https Service HTTPS port + ## + ports: + http: 80 + https: 443 + ## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) + ## e.g: + ## loadBalancerSourceRanges: + ## - 0.0.0.0/0 + ## + loadBalancerSourceRanges: [] + ## @param service.loadBalancerIP loadBalancerIP for the Matomo Service (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.nodePorts [object] Kubernetes node port + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + https: "" + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.clusterIP Matomo service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations Additional custom annotations for Matomo service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests 
will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} +## Configure the ingress resource that allows you to access the +## Matomo installation. Set up the URL +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress controller resource + ## + enabled: true + ## @param ingress.pathType Ingress Path type + ## + pathType: ImplementationSpecific + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: nginx + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: "matomo.adm.oceanbox.io" + ## @param ingress.path The Path to Matomo. You may need to set this to '/*' in order to use this + ## with ALB ingress controllers. + ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTP + nginx.ingress.kubernetes.io/proxy-buffer-size: 128k + nginx.ingress.kubernetes.io/ssl-redirect: "true" + ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## Example: + ## - name: matomo.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: 
https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] +## @section Database parameters +## + +## MariaDB chart configuration +## https://github.com/bitnami/charts/blob/main/bitnami/mariadb/values.yaml +## +mariadb: + ## @param mariadb.enabled Whether to deploy a mariadb server to satisfy the applications database requirements + ## To use an external database set this to false and configure the externalDatabase parameters + ## + enabled: true + ## @param mariadb.architecture MariaDB architecture (`standalone` or `replication`) + ## + architecture: standalone + ## MariaDB Authentication parameters + ## @param mariadb.auth.rootPassword Password for the MariaDB `root` user + ## @param mariadb.auth.database Database name to create + ## @param mariadb.auth.username Database user to create + ## @param mariadb.auth.password Password for the database + ## + auth: + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mariadb#setting-the-root-password-on-first-run + ## + rootPassword: "" + ## ref: https://github.com/bitnami/containers/blob/main/bitnami/mariadb/README.md#creating-a-database-on-first-run + ## + database: bitnami_matomo + ## ref: https://github.com/bitnami/containers/blob/main/bitnami/mariadb/README.md#creating-a-database-user-on-first-run + ## + username: bn_matomo + password: "" + primary: + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## @param mariadb.primary.persistence.enabled Enable database persistence using PVC + ## @param mariadb.primary.persistence.storageClass MariaDB primary persistent volume storage Class + ## @param mariadb.primary.persistence.accessModes Database Persistent Volume Access Modes + ## @param mariadb.primary.persistence.size Database 
Persistent Volume Size + ## @param mariadb.primary.persistence.hostPath Set path in case you want to use local host path volumes (not recommended in production) + ## @param mariadb.primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas + ## + persistence: + enabled: true + ## mariadb data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + accessModes: + - ReadWriteOnce + size: 8Gi + hostPath: "" + existingClaim: "" + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} +## External database configuration +## @param externalDatabase.host Host of the existing database +## @param externalDatabase.port Port of the existing database +## @param externalDatabase.user Existing username in the external db +## @param externalDatabase.password Password for the above username +## @param externalDatabase.database Name of the existing database +## @param externalDatabase.existingSecret Name of a secret containing the database credentials +## +externalDatabase: + host: "" + port: 3306 + user: bn_matomo + password: "" + database: bitnami_matomo + existingSecret: "" +## @section Volume Permissions parameters +## + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name + ## @skip volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ tag: 12-debian-12-r50
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init containers' resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "small"
+ ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+## @section Metrics parameters
+##
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ ## @param metrics.enabled Start a exporter side-car
+ ##
+ enabled: false
+ ## @param metrics.image.registry [default: REGISTRY_NAME] Apache exporter image registry
+ ## @param metrics.image.repository [default: REPOSITORY_NAME/apache-exporter] Apache exporter image repository
+ ## @skip metrics.image.tag Apache exporter image tag
+ ## @param metrics.image.digest Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param metrics.image.pullPolicy Image pull policy
+ ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/apache-exporter
+ tag: 1.0.10-debian-12-r55
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "small"
+ ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ##
+ resources: {}
+ ##
+ ## @param metrics.podAnnotations [object] Additional annotations for Metrics exporter pod
+ ##
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9117"
+## @section Certificate injection parameters
+##
+
+## Add custom certificates and certificate authorities to matomo container
+##
+certificates:
+ ## @param certificates.customCertificate.certificateSecret Secret containing the certificate and key to add
+ ## @param certificates.customCertificate.chainSecret.name Name of the secret containing the certificate chain
+ ## @param certificates.customCertificate.chainSecret.key Key of the certificate chain file inside the secret
+ ## @param certificates.customCertificate.certificateLocation Location in the container to store the certificate
+ ## @param certificates.customCertificate.keyLocation Location in the container to store the private key
+ ## @param certificates.customCertificate.chainLocation Location in the container to store the certificate chain
+ ##
+ customCertificate:
+ certificateSecret: ""
+ chainSecret:
+ name: secret-name
+ key: secret-key
+ certificateLocation: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ keyLocation: /etc/ssl/private/ssl-cert-snakeoil.key
+ chainLocation: /etc/ssl/certs/mychain.pem
+ ## @param certificates.customCAs Defines a list of secrets to import into the container trust store
+ ##
+ customCAs: []
+ ## @param certificates.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param certificates.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param certificates.extraEnvVars Container sidecar extra environment variables (eg proxy)
+ ##
+ extraEnvVars: []
+ ## @param certificates.extraEnvVarsCM ConfigMap containing extra env vars
+ ##
+ extraEnvVarsCM: ""
+ ## @param certificates.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data)
+ ##
+ extraEnvVarsSecret: ""
+ ## @param certificates.image.registry [default: REGISTRY_NAME] Container sidecar registry
+ ## @param certificates.image.repository [default: REPOSITORY_NAME/os-shell] Container sidecar image
+ ## @skip certificates.image.tag Container sidecar image tag
+ ## @param certificates.image.digest Container sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param certificates.image.pullPolicy Container sidecar image pull policy
+ ## @param certificates.image.pullSecrets Container sidecar image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ tag: 12-debian-12-r50
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+## @section NetworkPolicy parameters
+##
+
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## @section CronJob parameters
+##
+cronjobs:
+ taskScheduler:
+ ## @param cronjobs.taskScheduler.enabled Whether to enable scheduled mail-to-task CronJob
+ ##
+ enabled: true
+ ## @param cronjobs.taskScheduler.schedule Kubernetes CronJob schedule
+ ##
+ schedule: "*/5 * * * *"
+ ## @param cronjobs.taskScheduler.serviceAccountName Attach serviceAccountName to the pod of the CronJob
+ ##
+ serviceAccountName: ""
+ ## @param cronjobs.taskScheduler.automountServiceAccountToken Mount Service Account token in pod of the CronJob
+ ##
+ automountServiceAccountToken: true
+ ## @param cronjobs.taskScheduler.suspend Whether to create suspended CronJob
+ ##
+ suspend: false
+ ## @param cronjobs.taskScheduler.affinity Affinity for CronJob pod assignment
+ ##
+ affinity: {}
+ ## @param cronjobs.taskScheduler.nodeSelector Node labels for CronJob pod assignment. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param cronjobs.taskScheduler.tolerations Tolerations for CronJob pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param cronjobs.taskScheduler.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param cronjobs.taskScheduler.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param cronjobs.taskScheduler.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param cronjobs.taskScheduler.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param cronjobs.taskScheduler.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param cronjobs.taskScheduler.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param cronjobs.taskScheduler.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param cronjobs.taskScheduler.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param cronjobs.taskScheduler.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param cronjobs.taskScheduler.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param cronjobs.taskScheduler.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param cronjobs.taskScheduler.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param cronjobs.taskScheduler.podAnnotations Additional pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param cronjobs.taskScheduler.podLabels Additional pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param cronjobs.taskScheduler.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+
+ ## Persistence using Persistent Volume Claims for the taskScheduler CronJob
+ ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+ ## @param cronjobs.taskScheduler.persistence.enabled Enable persistence using Persistent Volume Claims
+ ## @param cronjobs.taskScheduler.persistence.existingClaim A manually managed Persistent Volume Claim
+ ##
+ persistence:
+ enabled: true
+ existingClaim: ""
+
+ ## Configure Pods Security Context for the taskScheduler CronJob
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param cronjobs.taskScheduler.podSecurityContext.enabled Enable Task scheduler cronjob pods' Security Context
+ ## @param cronjobs.taskScheduler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param cronjobs.taskScheduler.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param cronjobs.taskScheduler.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param cronjobs.taskScheduler.podSecurityContext.fsGroup Task scheduler cronjob pods' group ID
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+
+ ## @param cronjobs.taskScheduler.extraEnvVars Extra environment variables for the taskScheduler CronJob
+ extraEnvVars: []
+
+ ## @param cronjobs.taskScheduler.initContainers Additional init containers for the taskScheduler CronJob
+ ##
+ initContainers: []
+ archive:
+ ## @param cronjobs.archive.enabled Whether to enable scheduled mail-to-task CronJob
+ ##
+ enabled: true
+ ## @param cronjobs.archive.schedule Kubernetes CronJob schedule
+ ##
+ schedule: "*/5 * * * *"
+ ## @param cronjobs.archive.serviceAccountName Attach serviceAccountName to the pod of the CronJob
+ ##
+ serviceAccountName: ""
+ ## @param cronjobs.archive.automountServiceAccountToken Mount Service Account token in pod of the CronJob
+ ##
+ automountServiceAccountToken: true
+ ## @param cronjobs.archive.suspend Whether to create suspended CronJob
+ ##
+ suspend: false
+ ## @param cronjobs.archive.affinity Affinity for CronJob pod assignment
+ ##
+ affinity: {}
+ ## @param cronjobs.archive.tolerations Tolerations for CronJob pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param cronjobs.archive.nodeSelector Node labels for CronJob pod assignment. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param cronjobs.archive.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param cronjobs.archive.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param cronjobs.archive.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param cronjobs.archive.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param cronjobs.archive.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param cronjobs.archive.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param cronjobs.archive.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param cronjobs.archive.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param cronjobs.archive.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param cronjobs.archive.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param cronjobs.archive.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param cronjobs.archive.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param cronjobs.archive.podAnnotations Additional pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param cronjobs.archive.podLabels Additional pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+
+ ## @param cronjobs.archive.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ # NOTE: If not defined, this will fallback to the main resources request/limit to preserve backwards compatibility. This behaviour might be DEPRECATED
+ # in upcoming versions of the chart
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+
+ ## Persistence using Persistent Volume Claims for the archive CronJob
+ ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+ ## @param cronjobs.archive.persistence.enabled Enable persistence using Persistent Volume Claims
+ ## @param cronjobs.archive.persistence.existingClaim A manually managed Persistent Volume Claim
+ ##
+ persistence:
+ enabled: true
+ existingClaim: ""
+
+ ## Configure Pods Security Context for the archive CronJob
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param cronjobs.archive.podSecurityContext.enabled Enable Archive cronjob pods' Security Context
+ ## @param cronjobs.archive.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param cronjobs.archive.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param cronjobs.archive.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param cronjobs.archive.podSecurityContext.fsGroup Archive cronjob pods' group ID
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+
+ ## @param cronjobs.archive.extraEnvVars Extra environment variables for the archive CronJob
+ extraEnvVars: []
+
+ ## @param cronjobs.archive.initContainers Additional init containers for the archive CronJob
+ ##
+ initContainers: []