Merge pull request #802 from Haferbeck-IT/main

feat(helm): Added features/fixes to helm chart

Author: CodeWithCJ

helm/CHANGELOG.md

@@ -0,0 +1,36 @@
+# Changelog
+
+## 0.2.0
+
+### Breaking Changes
+
+- **`readOnlyRootFilesystem` now enabled** for server, frontend, and garmin containers. Writable paths (`/tmp`, nginx cache/run dirs) are mounted as `emptyDir`. If you mount custom writable paths, add corresponding `emptyDir` volumes.
+- **Image tags default to `appVersion`** instead of `latest`. Set `server.image.tag` / `frontend.image.tag` / `garmin.image.tag` explicitly to override. @davmacario
+- **Server uses `Recreate` strategy** instead of `RollingUpdate` — required because the server PVCs are `ReadWriteOnce`.
+
+### Features
+
+- **Configurable health probes** — `livenessProbe` and `readinessProbe` for all four components (server, frontend, garmin, postgresql) are now defined in `values.yaml` and fully overridable.
+- **`extraEnv` / `extraEnvFrom`** added to all deployments (server, frontend, garmin) for injecting custom environment variables or referencing external ConfigMaps/Secrets.
+- **Configurable mount paths** — `server.persistence.backup.mountPath`, `uploads.mountPath`, and `tempUploads.mountPath` are now exposed in values.
+- **Per-PVC `storageClass`** — `server.persistence.backup.storageClass` and `uploads.storageClass` can override `global.storageClass`.
+- **`nameOverride` / `fullnameOverride`** support added.
+- **PostgreSQL `podSecurityContext` / `containerSecurityContext`** moved from hardcoded template to `values.yaml` (consistent with all other components).
+- **Configurable ESO API version** — `externalSecrets.apiVersion` (default `v1`) allows using `v1beta1` for ESO < 0.10.0.
+
+### Bug Fixes
+
+- **OIDC/SMTP secrets validated** — `required` function ensures `clientId`/`clientSecret` (OIDC) and `username`/`password` (SMTP) are set when the chart creates these secrets, preventing empty secret data.
+- **OIDC configmap validated** — `providerSlug`, `providerName`, and `issuerUrl` are now `required` when `config.oidc.enabled=true`.
+- **Frontend `readOnlyRootFilesystem`** — nginx writable directories (`/var/cache/nginx`, `/var/run`, `/etc/nginx/conf.d`, `/tmp`) mounted as `emptyDir`.
+- **Garmin `readOnlyRootFilesystem`** — `/tmp` mounted as `emptyDir`.
+- **Server `/tmp`** mounted as `emptyDir` for `readOnlyRootFilesystem` support.
+- **Database secret helper deduplicated** — `sparkyfitness.databaseSecretName` and `sparkyfitness.createDatabaseSecret` refactored to remove redundant branching between bundled/external PostgreSQL.
+
+### Chores
+
+- Chart `appVersion` pinned to `v0.16.4.7` (was `latest`).
+
+## 0.1.0
+
+- Initial release.

helm/README.md

@@ -1,7 +1,6 @@
 # Sparkyfitness Helm Chart
 
-
-> [!WARNING]
+> [!NOTE]
 > **Community Contribution:** This Helm chart and Kubernetes support are community-provided. The Sparkyfitness maintainers do not currently use Kubernetes and cannot provide full review or official support for this installation method.
 
 A Helm chart for deploying [Sparkyfitness](https://github.com/CodeWithCJ/SparkyFitness) on Kubernetes.

helm/chart/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: sparkyfitness
 description: Sparkyfitness fitness tracking application
 type: application
-version: 0.1.0
-appVersion: "latest"
+version: 0.2.0
+appVersion: "v0.16.4.7"

helm/chart/templates/_helpers.tpl

@@ -40,12 +40,12 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{/*
 Build a container image string with optional global.imageRegistry prefix.
-Usage: {{ include "sparkyfitness.image" (dict "image" .Values.server.image "global" .Values.global) }}
+Usage: {{ include "sparkyfitness.image" (dict "image" .Values.server.image "global" .Values.global "appVersion" .Chart.AppVersion) }}
 */}}
 {{- define "sparkyfitness.image" -}}
 {{- $registry := .global.imageRegistry | default "" -}}
 {{- $repo := .image.repository -}}
-{{- $tag := .image.tag | default "latest" -}}
+{{- $tag := .image.tag | default .appVersion -}}
 {{- if $registry -}}
 {{- printf "%s/%s:%s" $registry $repo $tag -}}
 {{- else -}}
@@ -143,20 +143,17 @@ App database secret name (limited-privilege user): existingSecret > chart-manage
 
 {{/*
 Database credentials secret name.
+Resolves: postgresql.auth or externalDatabase.auth → existingSecret > chart-managed.
 */}}
 {{- define "sparkyfitness.databaseSecretName" -}}
+{{- $dbAuth := .Values.externalDatabase.auth -}}
 {{- if .Values.postgresql.enabled -}}
-  {{- if .Values.postgresql.auth.existingSecret -}}
-    {{- .Values.postgresql.auth.existingSecret -}}
-  {{- else -}}
-    {{- include "sparkyfitness.fullname" . }}-postgres
-  {{- end -}}
+  {{- $dbAuth = .Values.postgresql.auth -}}
+{{- end -}}
+{{- if $dbAuth.existingSecret -}}
+  {{- $dbAuth.existingSecret -}}
 {{- else -}}
-  {{- if .Values.externalDatabase.auth.existingSecret -}}
-    {{- .Values.externalDatabase.auth.existingSecret -}}
-  {{- else -}}
-    {{- include "sparkyfitness.fullname" . }}-postgres
-  {{- end -}}
+  {{- include "sparkyfitness.fullname" . }}-postgres
 {{- end -}}
 {{- end }}
 
@@ -208,18 +205,12 @@ true
 Whether the chart should create the database credentials secret.
 */}}
 {{- define "sparkyfitness.createDatabaseSecret" -}}
+{{- $dbAuth := .Values.externalDatabase.auth -}}
 {{- if .Values.postgresql.enabled -}}
-  {{- if not .Values.postgresql.auth.existingSecret -}}
-    {{- if not (and .Values.externalSecrets.enabled .Values.externalSecrets.postgres.enabled) -}}
-true
-    {{- end -}}
-  {{- end -}}
-{{- else -}}
-  {{- if not .Values.externalDatabase.auth.existingSecret -}}
-    {{- if not (and .Values.externalSecrets.enabled .Values.externalSecrets.postgres.enabled) -}}
+  {{- $dbAuth = .Values.postgresql.auth -}}
+{{- end -}}
+{{- if and (not $dbAuth.existingSecret) (not (and .Values.externalSecrets.enabled .Values.externalSecrets.postgres.enabled)) -}}
 true
-    {{- end -}}
-  {{- end -}}
 {{- end -}}
 {{- end }}
 
@@ -244,6 +235,7 @@ http://{{ $host }}
 {{- else if .Values.config.frontendUrl -}}
 {{- .Values.config.frontendUrl -}}
 {{- else -}}
+{{- /* 3004 is the SparkyFitness server's default development port */ -}}
 http://localhost:3004
 {{- end -}}
 {{- end }}

helm/chart/templates/frontend/deployment.yaml

@@ -27,19 +27,35 @@ spec:
       {{- end }}
       containers:
         - name: frontend
-          image: {{ include "sparkyfitness.image" (dict "image" .Values.frontend.image "global" .Values.global) }}
+          image: {{ include "sparkyfitness.image" (dict "image" .Values.frontend.image "global" .Values.global "appVersion" .Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
           ports:
             - name: http
               containerPort: {{ .Values.frontend.port }}
               protocol: TCP
+          {{- with .Values.frontend.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.frontend.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.frontend.extraEnvFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: SPARKY_FITNESS_FRONTEND_URL
               value: {{ include "sparkyfitness.frontendUrl" . | quote }}
             - name: SPARKY_FITNESS_SERVER_HOST
               value: {{ include "sparkyfitness.fullname" . }}-server
             - name: SPARKY_FITNESS_SERVER_PORT
               value: {{ .Values.server.port | quote }}
+            {{- range $k, $v := .Values.frontend.extraEnv }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+            {{- end }}
           {{- with .Values.frontend.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -48,3 +64,21 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: nginx-cache
+              mountPath: /var/cache/nginx
+            - name: nginx-run
+              mountPath: /var/run
+            - name: nginx-conf
+              mountPath: /etc/nginx/conf.d
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: nginx-cache
+          emptyDir: {}
+        - name: nginx-run
+          emptyDir: {}
+        - name: nginx-conf
+          emptyDir: {}

helm/chart/templates/garmin/deployment.yaml

@@ -28,19 +28,35 @@ spec:
       {{- end }}
       containers:
         - name: garmin
-          image: {{ include "sparkyfitness.image" (dict "image" .Values.garmin.image "global" .Values.global) }}
+          image: {{ include "sparkyfitness.image" (dict "image" .Values.garmin.image "global" .Values.global "appVersion" .Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.garmin.image.pullPolicy }}
           ports:
             - name: http
               containerPort: {{ .Values.garmin.port }}
               protocol: TCP
+          {{- with .Values.garmin.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.garmin.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.garmin.extraEnvFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: GARMIN_MICROSERVICE_URL
               value: "http://{{ include "sparkyfitness.fullname" . }}-garmin:{{ .Values.garmin.port }}"
             - name: GARMIN_SERVICE_PORT
               value: {{ .Values.garmin.port | quote }}
             - name: GARMIN_SERVICE_IS_CN
               value: {{ .Values.config.garmin.isChinaRegion | quote }}
+            {{- range $k, $v := .Values.garmin.extraEnv }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+            {{- end }}
           {{- with .Values.garmin.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -49,4 +65,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
 {{- end }}

helm/chart/templates/secrets/externalsecret-app.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.externalSecrets.enabled .Values.externalSecrets.app.enabled }}
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/{{ .Values.externalSecrets.apiVersion }}
 kind: ExternalSecret
 metadata:
   name: {{ include "sparkyfitness.fullname" . }}-app

helm/chart/templates/secrets/externalsecret-appdb.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.externalSecrets.enabled .Values.externalSecrets.appdb.enabled }}
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/{{ .Values.externalSecrets.apiVersion }}
 kind: ExternalSecret
 metadata:
   name: {{ include "sparkyfitness.fullname" . }}-appdb

helm/chart/templates/secrets/externalsecret-oidc.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.externalSecrets.enabled .Values.externalSecrets.oidc.enabled }}
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/{{ .Values.externalSecrets.apiVersion }}
 kind: ExternalSecret
 metadata:
   name: {{ include "sparkyfitness.fullname" . }}-oidc

helm/chart/templates/secrets/externalsecret-postgres.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.externalSecrets.enabled .Values.externalSecrets.postgres.enabled }}
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/{{ .Values.externalSecrets.apiVersion }}
 kind: ExternalSecret
 metadata:
   name: {{ include "sparkyfitness.fullname" . }}-postgres