Fix the nginx template (#12)
asbiin authored Oct 22, 2024
1 parent 6ec6bc6 commit 772c7af
Showing 18 changed files with 390 additions and 214 deletions.
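--- a/.github/tests/external_database.yaml
+++ b/.github/tests/external_database.yaml
@@ -0,0 +1,10 @@
+internalDatabase:
+enabled: false
+
+externalDatabase:
+enabled: true
+type: mysql
+user: root
+password: root
+database: monica
+host: %DB_HOST%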
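Review bot: `host: %DB_HOST%` is not loadable YAML until the workflow's `sed` has rewritten it — `%` is the directive indicator and cannot start a plain scalar, so libyaml-derived parsers (PyYAML, go-yaml) reject the file as committed, which also means the chart linter cannot check it. Quoting the placeholder, `host: "%DB_HOST%"`, keeps the file valid and the substitution `s/%DB_HOST%/.../` still matches. A comment above the key, `# placeholder; replaced by the "Create mysql database" step in .github/workflows/tests.yml`, would tell a reader where the value comes from.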
3 changes: 2 additions & 1 deletion .github/workflows/docs.yml
Expand Up @@ -5,8 +5,9 @@ on:
types: [opened, synchronize, reopened]

jobs:
release:
docs:
runs-on: ubuntu-latest
name: Helm docs
steps:
- name: Checkout
uses: actions/checkout@v4
1 change: 1 addition & 0 deletions .github/workflows/release.yml
Expand Up @@ -12,6 +12,7 @@ env:

jobs:
release:
name: Release Charts
runs-on: ubuntu-latest
steps:
- name: Checkout
35 changes: 28 additions & 7 deletions .github/workflows/tests.yml
Expand Up @@ -9,6 +9,7 @@ env:

jobs:
linter:
name: Lint chart files
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand Down Expand Up @@ -39,24 +40,32 @@ jobs:
fail-fast: false
matrix:
test_cases:
# test the plain helm chart with nothing changed
- name: Default - no custom values

# test the helm chart with postgresql subchart enabled
- name: PostgreSQL enabled
helm_args: '--set=internalDatabase.enabled=false --set=postgresql.enabled=true'

# test the helm chart with mariadb subchart enabled
- name: Mariadb enabled
helm_args: '--set=internalDatabase.enabled=false --set=mariadb.enabled=true'

# test the helm chart with redis, queue and more
- name: Nodeport service enabled
helm_args: '--set=service.type=NodePort --set=service.nodePort=30001'

- name: nginx enabled
helm_args: '--set=nginx.enabled=true --set=image.tag=main-fpm'

- name: Horizontal Pod Autoscaling Enabled
helm_args: '--set=hpa.enabled=true --set=hpa.minPods=2 --set=hpa.maxPods=3 --set=hpa.targetCPUUtilizationPercentage=75'

- name: Redis and queue enabled
file: redis.yaml

# test the helm chart with meilisearch
- name: Meilisearch and queue enabled
file: meilisearch.yaml
file: meilisearch.yaml

# - name: External database
# external_database: true
# file: external_database.yaml

steps:
- name: Checkout
Expand Down Expand Up @@ -92,5 +101,17 @@ jobs:
if: matrix.test_cases.file != ''
run: cp .github/tests/${{ matrix.test_cases.file }} charts/monica/ci/test-values.yaml

- name: Create mysql database
if: matrix.test_cases.external_database
run: |
sudo systemctl start mysql.service
mysql --protocol=tcp -u root -proot -e "CREATE DATABASE IF NOT EXISTS monica CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
hostname -I
IFS=' '
read -ra hostname <<< $(hostname -I)
DB_HOST=${hostname[1]}
sed -i "s/%DB_HOST%/$DB_HOST/" charts/monica/ci/test-values.yaml
- name: Run chart-testing (install)
run: ct install --config ct.yaml --helm-extra-args '--timeout 600s' --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=image.repository=ghcr.io/monicahq/monica-next --set=image.tag=main ${{ matrix.test_cases.helm_args }}"
if: steps.list-changed.outputs.changed == 'true'
run: ct install --config ct.yaml --helm-extra-args '--timeout 600s' --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "${{ matrix.test_cases.helm_args }}"
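Review bot: The `Create mysql database` step (L105-114) runs only when `matrix.test_cases.external_database` is set, but the sole matrix entry that sets it is commented out in the hunk above (L95-97), so the step, the `%DB_HOST%` substitution and `.github/tests/external_database.yaml` are never exercised by this workflow; either re-enable that case or put `# disabled: <reason>` above it so the next reader knows it is parked deliberately. Inside the script, `IFS=' '` (L111) stays in effect for the rest of the step and `read -ra hostname <<< $(hostname -I)` relies on an unquoted expansion, while `${hostname[1]}` assumes the runner's second address is the one the test cluster can reach — that assumption deserves a comment naming the interface it expects. The default IFS already splits on blanks, so `read -ra addrs <<< "$(hostname -I)"` followed by `DB_HOST=${addrs[1]}` yields the same selection without the step-wide IFS change.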
4 changes: 2 additions & 2 deletions charts/monica/Chart.yaml
Expand Up @@ -2,9 +2,9 @@ apiVersion: v2
name: monica
description: A Helm chart for Kubernetes to install Monica
type: application
version: 1.0.7
version: 1.0.8
appVersion: "5.0.0"
icon: https://www.monicahq.com/favicon.ico
icon: https://raw.githubusercontent.com/monicahq/monica/aa98c09/public/img/favicon.svg
maintainers:
- name: MonicaHQ
url: https://github.com/monicahq/monica
25 changes: 24 additions & 1 deletion charts/monica/README.md
@@ -1,6 +1,6 @@
# monica

![Version: 1.0.7](https://img.shields.io/badge/Version-1.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)
![Version: 1.0.8](https://img.shields.io/badge/Version-1.0.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square)

A Helm chart for Kubernetes to install Monica

Expand Down Expand Up @@ -42,6 +42,10 @@ Kubernetes: `>=1.16.0-0`
| externalDatabase.type | string | `"mysql"` | |
| externalDatabase.user | string | `"monica"` | |
| fullnameOverride | string | `""` | |
| hpa.cputhreshold | int | `60` | |
| hpa.enabled | bool | `false` | |
| hpa.maxPods | int | `10` | |
| hpa.minPods | int | `1` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/monicahq/monica-next"` | |
| image.tag | string | `"main"` | |
Expand All @@ -53,6 +57,12 @@ Kubernetes: `>=1.16.0-0`
| internalDatabase.enabled | bool | `true` | |
| internalDatabase.name | string | `"/var/www/html/database/monica.sqlite"` | |
| lifecycle | object | `{}` | |
| livenessProbe.enabled | bool | `true` | |
| livenessProbe.failureThreshold | int | `3` | |
| livenessProbe.initialDelaySeconds | int | `10` | |
| livenessProbe.periodSeconds | int | `10` | |
| livenessProbe.successThreshold | int | `1` | |
| livenessProbe.timeoutSeconds | int | `5` | |
| mariadb.architecture | string | `"standalone"` | |
| mariadb.auth.database | string | `"monica"` | |
| mariadb.auth.password | string | `"secret"` | |
Expand Down Expand Up @@ -92,6 +102,7 @@ Kubernetes: `>=1.16.0-0`
| monica.strategy.type | string | `"Recreate"` | |
| nameOverride | string | `""` | |
| nginx.config.default | bool | `true` | |
| nginx.containerPort | int | `80` | |
| nginx.enabled | bool | `false` | |
| nginx.image.pullPolicy | string | `"IfNotPresent"` | |
| nginx.image.repository | string | `"nginx"` | |
Expand All @@ -109,6 +120,12 @@ Kubernetes: `>=1.16.0-0`
| postgresql.global.postgresql.auth.password | string | `"secret"` | |
| postgresql.global.postgresql.auth.username | string | `"monica"` | |
| postgresql.primary.persistence.enabled | bool | `false` | |
| readinessProbe.enabled | bool | `true` | |
| readinessProbe.failureThreshold | int | `3` | |
| readinessProbe.initialDelaySeconds | int | `10` | |
| readinessProbe.periodSeconds | int | `10` | |
| readinessProbe.successThreshold | int | `1` | |
| readinessProbe.timeoutSeconds | int | `5` | |
| redis.auth.enabled | bool | `true` | |
| redis.auth.password | string | `"secret"` | |
| redis.enabled | bool | `false` | |
Expand All @@ -122,6 +139,12 @@ Kubernetes: `>=1.16.0-0`
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| startupProbe.enabled | bool | `false` | |
| startupProbe.failureThreshold | int | `30` | |
| startupProbe.initialDelaySeconds | int | `30` | |
| startupProbe.periodSeconds | int | `10` | |
| startupProbe.successThreshold | int | `1` | |
| startupProbe.timeoutSeconds | int | `5` | |
| tests.unitTests.resources.limits.cpu | string | `"200m"` | |
| tests.unitTests.resources.limits.memory | string | `"256Mi"` | |
| tests.unitTests.resources.requests.cpu | string | `"100m"` | |
129 changes: 129 additions & 0 deletions charts/monica/files/nginx-config.tpl
@@ -0,0 +1,129 @@
upstream php-handler {
server 127.0.0.1:9000;
}

server {
listen {{ .Values.nginx.containerPort | default 80 }};
listen [::]:{{ .Values.nginx.containerPort | default 80 }};

## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;

add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

root /var/www/html/public;

index index.php index.html index.htm;

charset utf-8;

location / {
try_files $uri $uri/ /index.php?$query_string;
}

location ~ ^/(?:robots.txt|security.txt) {
allow all;
log_not_found off;
access_log off;
}

error_page 404 500 502 503 504 /index.php;

location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
return 301 $scheme://$host/security.txt;
}
location ~ /\.(?!well-known).* {
deny all;
}

# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

location ~ \.php(?:$|/) {
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
# try_files $fastcgi_script_name =404;
fastcgi_pass php-handler;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to assets
access_log off;
}

# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
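Review bot: The `try_files $fastcgi_script_name =404;` guard in the `\.php(?:$|/)` location is commented out (L280-281), so any URI containing `.php` is handed to PHP-FPM without nginx first confirming the script exists under `root`; how much that matters depends on the `cgi.fix_pathinfo` setting of the PHP-FPM image, which is not visible here, but the usual hardening is to keep the check on. The comment at L286-287 gives the reason it was disabled — `try_files` resets `$fastcgi_path_info` — yet the template already copies that value into `$path_info` (L288), so only the order needs to change: put `set $path_info $fastcgi_path_info;` directly after `fastcgi_split_path_info` and re-enable `try_files $fastcgi_script_name =404;` on the line below it, before `fastcgi_pass`. Separately, `X-XSS-Protection "1; mode=block"` (L228, L311) controls a browser filter that current browsers have removed; present guidance is `add_header X-XSS-Protection "0" always;` or omitting the header.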
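--- a/charts/monica/templates/NOTES.txt
+++ b/charts/monica/templates/NOTES.txt
@@ -0,0 +1,16 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.monica.host }}{{ $.Values.ingress.path }}
+{{- else if contains "NodePort" .Values.service.type }}
+export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "monica.fullname" . }})
+export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+You can watch the status of by running 'kubectl get svc -w {{ include "monica.fullname" . }}'
+export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "monica.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "monica.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }} &
+echo "Visit http://127.0.0.1:{{ .Values.service.port }} to use your application"
+{{- end }}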
5 changes: 2 additions & 3 deletions charts/monica/templates/_helpers.tpl
Expand Up @@ -35,12 +35,12 @@ Create chart name and version as used by the chart label.
Common labels
*/}}
{{- define "monica.labels" -}}
helm.sh/chart: {{ include "monica.chart" . }}
{{ include "monica.selectorLabels" . }}
helm.sh/chart: {{ include "monica.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if or .Chart.AppVersion .Values.image.tag }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{/*
Expand All @@ -49,7 +49,6 @@ Selector labels
{{- define "monica.selectorLabels" -}}
app.kubernetes.io/name: {{ include "monica.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: app
{{- end -}}

{{/*
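Review bot: Removing `app.kubernetes.io/component: app` from `monica.selectorLabels` (L366) changes the label set that, if this helper feeds the Deployment's `spec.selector` as is customary in this chart layout (the deployment template is not in this view), is immutable once the object exists; a `helm upgrade` from 1.0.7 would then fail with a selector-immutability error until the Deployment is deleted and recreated. If that is intended, the README or the chart's release notes should call out the manual step for existing installs; otherwise keep the component label in the selector and drop it only from the non-selector labels. The swap of `helm.sh/chart` and `app.kubernetes.io/managed-by` in the first hunk is cosmetic.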