increment chart version

* Update Helm release rabbitmq to v14

* update chart

* align comments for readability

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: alexlebens <alexanderlebens@gmail.com>

.github/renovate.json

@@ -7,11 +7,9 @@
     ],
     "timezone": "US/Mountain",
     "schedule": [
-        "after 10am every weekday",
-        "before 5pm every weekday"
-    ],
-    "labels": [
+        "every weekday"
     ],
+    "labels": [],
     "packageRules": [
         {
             "description": "Disables for non major Renovate version",
@@ -41,51 +39,72 @@
             "automerge": false
         },
         {
-            "description": "Generate image updates on Tuesdays",
+            "description": "Label service images",
             "matchPackageNames": [
-                "linuxserver/calibre",
-                "homeassistant/home-assistant",
-                "linuxserver/code-server",
-                "ghcr.io/gethomepage/homepage",
                 "ghcr.io/alex1989hu/kubelet-serving-cert-approver",
-                "rmcrackan/libation",
-                "outlinewiki/outline",
-                "ghcr.io/cloudnative-pg/postgresql"
+                "ghcr.io/cloudnative-pg/postgresql",
+                "redis/redis-stack-server"
             ],
             "matchDatasources": [
                 "docker"
             ],
-            "schedule": [
-                "after 10am on tuesday",
-                "before 5pm on tuesday"
-            ],
             "addLabels": [
-                "upgrade",
-                "weekly",
+                "service",
                 "image"
             ],
-            "bumpVersion": "minor",
             "automerge": false,
             "minimumReleaseAge": "3 days"
         },
         {
-            "description": "Generate application charts on Tuesdays",
+            "description": "Label service charts",
             "matchPackageNames": [
+                "elasticsearch",
                 "redis"
             ],
             "matchDatasources": [
                 "helm"
             ],
-            "schedule": [
-                "after 10am on tuesday",
-                "before 5pm on tuesday"
-            ],
             "addLabels": [
-                "upgrade",
-                "weekly",
+                "serivce",
+                "chart"
+            ],
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        },
+        {
+            "description": "Label application images",
+            "matchPackageNames": [
+                "bbilly1/tubearchivist-jf",
+                "bbilly1/tubearchivist",
+                "freshrss/freshrss",
+                "ghcr.io/gethomepage/homepage",
+                "homeassistant/home-assistant",
+                "linuxserver/calibre",
+                "linuxserver/code-server",
+                "linuxserver/cops",
+                "outlinewiki/outline",
+                "rmcrackan/libation"
+            ],
+            "matchDatasources": [
+                "docker"
+            ],
+            "addLabels": [
+                "application",
+                "image"
+            ],
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        },
+        {
+            "description": "Label application charts",
+            "matchPackageNames": [],
+            "matchDatasources": [
+                "helm"
+            ],
+            "addLabels": [
+                "application",
                 "chart"
             ],
-            "bumpVersion": "minor",
             "automerge": false,
             "minimumReleaseAge": "3 days"
         }

charts/calibre-server/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: calibre-server
-version: 0.0.5
+version: 0.0.6
 description: Chart for Calibre content database
 keywords:
   - media

charts/calibre-server/values.yaml

@@ -31,7 +31,7 @@ ingressRoute:
   http:
     host:
   authentik:
-    outpost: authentik-proxy-outpost
+    outpost:
     port: 9000
 persistence:
   config:

charts/cops/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: cops
+version: 0.0.3
+description: Chart for Calibre OPDS (and HTML) PHP Server
+keywords:
+  - calibre
+  - OPDS
+sources:
+  - https://github.com/seblucas/cops
+maintainers:
+  - name: alexlebens
+appVersion: 1.1.3

charts/cops/README.md

@@ -0,0 +1,22 @@
+## Introduction
+
+[Calibre OPDS (and HTML) PHP Server](https://github.com/seblucas/cops)
+
+COPS's main advantages are :
+
+ - No need for many dependencies.
+ - No need for a lot of CPU or RAM.
+ - Not much code.
+ - Search is available.
+ - It was fun to code.
+
+This chart bootstraps a [COPS](https://github.com/seblucas/cops) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/cops/templates/deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Release.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /config
+              name: cops-config
+            - mountPath: /books
+              name: cops-books
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}            
+          livenessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+            timeoutSeconds: 1
+      volumes:
+        - name: cops-config
+          persistentVolumeClaim:
+            claimName: cops-config
+        - name: cops-books
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.books.claimName }}

charts/cops/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: http
+{{- end }}

charts/cops/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: cops-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/cops/templates/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-connection"
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ .Release.Name }}:{{ .Values.service.http.port }}']
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1Gi
+        requests:
+          cpu: 50m
+          memory: 256Mi

charts/cops/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/cops/templates/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  externalTrafficPolicy:
+  ports:
+    - port: {{ .Values.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/cops/values.yaml

@@ -0,0 +1,36 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: linuxserver/cops
+    tag: 2.3.1-ls185
+    imagePullPolicy: IfNotPresent
+  env:
+    PGID: "1000"
+    PUID: "1000"
+    TZ: UTC
+  envFrom:        
+  resources:    
+    limits:
+      cpu: 500m
+      memory: 1Gi
+    requests:
+      cpu: 50m
+      memory: 256Mi
+serviceAccount:
+  create: true
+service:
+  http:
+    port: 80
+ingress:
+  enabled: false
+  annotations:
+  className:
+  host:
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 5Gi
+    volumeMode: Filesystem
+  books:
+    claimName:

charts/freshrss/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: freshrss
+version: 0.0.3
+description: Chart for Freshrss
+keywords:
+  - rss
+sources:
+  - https://github.com/FreshRSS/FreshRSS
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/9414285?s=48&v=4
+appVersion: "1.23.1"

charts/freshrss/README.md

@@ -0,0 +1,18 @@
+## Introduction
+
+[FreshRSS](https://github.com/FreshRSS/FreshRSS)
+
+FreshRSS is a self-hosted RSS feed aggregator.
+
+It is lightweight, easy to work with, powerful, and customizable.
+
+This chart bootstraps a [FreshRSS](https://github.com/FreshRSS/FreshRSS) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/freshrss/templates/deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Release.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          volumeMounts:
+            - name: {{ .Release.Name }}-config
+              mountPath: /config
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          env:
+            - name: LISTEN
+              value: "0.0.0.0:{{ .Values.service.http.port }}"
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: {{ .Release.Name }}-config
+          persistentVolumeClaim:
+            claimName: {{ .Release.Name }}-config

charts/freshrss/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: http
+{{- end }}

charts/freshrss/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/freshrss/templates/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-connection"
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ .Release.Name }}:{{ .Values.service.http.port }}']
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1Gi
+        requests:
+          cpu: 50m
+          memory: 256Mi

charts/freshrss/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/freshrss/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/freshrss/values.yaml

@@ -0,0 +1,33 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: freshrss/freshrss
+    tag: 1.23.1
+    imagePullPolicy: IfNotPresent
+  env:
+    PGID: "568"
+    PUID: "568"
+    TZ: UTC
+    FRESHRSS_ENV: production
+  envFrom:
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1Gi
+    requests:
+      cpu: 50m
+      memory: 256Mi
+service:
+  http:
+    port: 80
+ingress:
+  enabled: true
+  className:
+  annotations:
+  host:
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 5Gi
+    volumeMode: Filesystem

charts/home-assistant/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: home-assistant
-version: 0.0.15
+version: 0.1.10
 description: Chart for Home Assistant
 keywords:
   - home-automation
@@ -9,4 +9,4 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/13844975?s=200&v=4
-appVersion: v2024.2.5
+appVersion: v2024.4.3

charts/home-assistant/templates/deployment.yaml

@@ -4,7 +4,7 @@ metadata:
   name: home-assistant
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
@@ -16,15 +16,15 @@ spec:
     type: {{ .Values.deployment.strategy }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/name: {{ .Release.Name }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: home-assistant
+        app.kubernetes.io/name: {{ .Release.Name }}
         app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
-      serviceAccountName: home-assistant
+      serviceAccountName: {{ .Release.Name }}
       automountServiceAccountToken: true
       containers:
         - name: {{ .Release.Name }}
@@ -95,4 +95,4 @@ spec:
       volumes:
         - name: home-assistant-config
           persistentVolumeClaim:
-            claimName: home-assistant-config
+            claimName: "{{ .Release.Name }}-config"

charts/home-assistant/templates/ingress-route.yaml

@@ -2,14 +2,14 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   entryPoints:
     - websecure
@@ -22,7 +22,7 @@ spec:
       priority: 10
       services:
         - kind: Service
-          name: home-assistant
+          name: {{ .Release.Name }}
           port: {{ .Values.service.http.port }}
     - kind: Rule
       match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
@@ -38,23 +38,33 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: home-assistant-codeserver
+  name: "{{ .Release.Name }}-codeserver"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   entryPoints:
     - websecure
   routes:
     - kind: Rule
       match: "Host(`{{ .Values.codeserver.ingressRoute.host }}`)"
+      middlewares:
+        - name: "authentik-{{ .Release.Name }}"
+          namespace: {{ .Release.Namespace }}      
       priority: 10
       services:
         - kind: Service
-          name: home-assistant-codeserver
+          name: "{{ .Release.Name }}-codeserver"
           port: {{ .Values.codeserver.service.http.port }}
+    - kind: Rule
+      match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      priority: 15
+      services:
+        - kind: Service
+          name: {{ .Values.ingressRoute.authentik.outpost }}
+          port: {{ .Values.ingressRoute.authentik.port }}          
 {{- end }}

charts/home-assistant/templates/persistant-volume-claim.yaml

@@ -1,10 +1,10 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: home-assistant-config
+  name: "{{ .Release.Name }}-config"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web

charts/home-assistant/templates/prometheus-rule.yaml

@@ -2,14 +2,14 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   groups:
     - name: {{ .Release.Name }}

charts/home-assistant/templates/service-account.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/home-assistant/templates/service-monitor.yaml

@@ -2,18 +2,18 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/name: {{ .Release.Name }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   endpoints:
     - port: http

charts/home-assistant/templates/service.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
@@ -17,7 +17,7 @@ spec:
       protocol: TCP
       name: http
   selector:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 
 ---
@@ -25,10 +25,10 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: home-assistant-codeserver
+  name: "{{ .Release.Name }}-codeserver"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
@@ -41,6 +41,6 @@ spec:
       protocol: TCP
       name: codeserver-http
   selector:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

charts/home-assistant/values.yaml

@@ -3,7 +3,7 @@ deployment:
   strategy: Recreate
   image:
     repository: homeassistant/home-assistant
-    tag: 2024.3.0
+    tag: 2024.4.3
     imagePullPolicy: IfNotPresent
   env:
     TZ: UTC
@@ -22,7 +22,7 @@ ingressRoute:
   enabled: true
   host:
   authentik:
-    outpost: authentik-proxy-outpost
+    outpost:
     port: 9000
 metrics:
   enabled: false
@@ -56,7 +56,7 @@ codeserver:
   enabled: false
   image:
     repository: linuxserver/code-server
-    tag: 4.22.0
+    tag: 4.23.1
     imagePullPolicy: IfNotPresent
   env:
     TZ: UTC

charts/homepage/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: homepage
-version: 0.0.7
+version: 0.0.11
 description: Chart for benphelps homepage
 keywords:
   - dashboard
@@ -9,4 +9,4 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://github.com/benphelps/homepage/blob/de584eae8f12a0d257e554e9511ef19bd2a1232c/public/mstile-150x150.png
-appVersion: v0.8.9
+appVersion: v0.8.12

charts/homepage/values.yaml

@@ -3,7 +3,7 @@ deployment:
   strategy: Recreate
   image:
     repository: ghcr.io/gethomepage/homepage
-    tag: v0.8.9
+    tag: v0.8.12
     imagePullPolicy: IfNotPresent
   env:
   envFrom:
@@ -20,7 +20,7 @@ service:
 ingressRoute:
   host:
   authentik:
-    outpost: authentik-proxy-outpost
+    outpost:
     port: 9000
 config:
   bookmarks:

charts/libation/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: libation
-version: 0.0.5
+version: 0.0.6
 description: Import library from audible
 keywords:
   - audiobooks

charts/libation/values.yaml

@@ -6,8 +6,8 @@ image:
   pullPolicy: IfNotPresent
 persistence:
   config:
-    storageClassName: nfs-client
+    storageClassName: default
     storageSize: 1Gi
     volumeMode: Filesystem
   books:
-    claimName: libation-nfs-storage
+    claimName:

charts/matrix-hookshot/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: matrix-hookshot
+version: 0.1.1
+description: Chart for Matrix Hookshot
+keywords:
+  - matrix
+  - matrix-hookshot
+  - webhook
+sources:
+  - https://github.com/matrix-org/matrix-hookshot
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
+appVersion: "5.3.0"

charts/matrix-hookshot/templates/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Helper for secret name
+*/}}
+{{- define "hookshot.secretName" -}}
+{{- if .Values.hookshot.existingSecret }}
+{{- printf "%s" .Values.hookshot.existingSecret -}}
+{{- else }}
+{{- printf "matrix-hookshot-config-secret" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for registration secret name
+*/}}
+{{- define "hookshot.registrationSecretName" -}}
+{{- if .Values.hookshot.existingRegistrationSecret }}
+{{- printf "%s" .Values.hookshot.existingRegistrationSecret -}}
+{{- else }}
+{{- printf "matrix-hookshot-registration-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for passkey secret name
+*/}}
+{{- define "hookshot.passkeySecretName" -}}
+{{- if .Values.hookshot.existingPasskeySecret }}
+{{- printf "%s" .Values.hookshot.existingPasskeySecret -}}
+{{- else }}
+{{- printf "matrix-hookshot-passkey-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for passkey file name
+*/}}
+{{- define "hookshot.passFile" -}}
+{{- if .Values.hookshot.config.passFile }}
+{{- printf "%s" .Values.hookshot.config.passFile -}}
+{{- else }}
+{{- printf "passkey.pem" }}
+{{- end }}
+{{- end }}

charts/matrix-hookshot/templates/deployment.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-hookshot
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-hookshot
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: matrix-hookshot
+      automountServiceAccountToken: true
+      containers:
+        - name: matrix-hookshot
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: webhook
+              containerPort: {{ .Values.service.webhook.port }}
+              protocol: TCP
+            - name: metrics
+              containerPort: {{ .Values.service.metrics.port }}
+              protocol: TCP
+            - name: appservice
+              containerPort: {{ .Values.service.appservice.port }}
+              protocol: TCP
+            - name: widgets
+              containerPort: {{ .Values.service.widgets.port }}
+              protocol: TCP              
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yml
+              subPath: config.yml
+              readOnly: true
+            - name: registration
+              mountPath: /data/registration.yml
+              subPath: registration.yml
+              readOnly: true
+            - name: passkey
+              mountPath: "/data/{{ template "hookshot.passFile" . }}"
+              subPath: {{ template "hookshot.passFile" . }}
+              readOnly: true
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ template "hookshot.secretName" . }}
+        - name: registration
+          secret:
+            secretName: {{ template "hookshot.registrationSecretName" . }}
+        - name: passkey
+          secret:
+            secretName: {{ template "hookshot.passkeySecretName" . }}

charts/matrix-hookshot/templates/ingress.yaml

@@ -0,0 +1,100 @@
+{{- if .Values.ingress.webhook.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-hookshot-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-webhook
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.webhook.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.webhook.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.webhook.host }}
+      secretName: {{ .Release.Name }}-webhook-secret-tls
+  rules:
+    - host: {{ .Values.ingress.webhook.host }}
+      http:
+        paths:
+          - path: /webhook/
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: webhook
+{{- end }}
+
+---
+{{- if .Values.ingress.appservice.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-hookshot-appservice
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-appservice
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.appservice.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.appservice.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.appservice.host }}
+      secretName: {{ .Release.Name }}-appservice-secret-tls
+  rules:
+    - host: {{ .Values.ingress.appservice.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: appservice
+{{- end }}
+
+---
+{{- if .Values.ingress.widgets.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-hookshot-widgets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-widgets
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.widgets.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.widgets.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.widgets.host }}
+      secretName: {{ .Release.Name }}-widgets-secret-tls
+  rules:
+    - host: {{ .Values.ingress.widgets.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: widgets
+{{- end }}

charts/matrix-hookshot/templates/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: matrix-hookshot-test-connection
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-test-connection
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['matrix-hookshot:{{ .Values.service.webhook.port }}']
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1Gi
+        requests:
+          cpu: 50m
+          memory: 256Mi

charts/matrix-hookshot/templates/secret.yaml

@@ -0,0 +1,52 @@
+{{- if not .Values.hookshot.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-hookshot-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  config.yml: |
+{{ toYaml .Values.hookshot.config | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.hookshot.existingRegistrationSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-hookshot-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-registration
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  registration.yml: |
+{{ toYaml .Values.hookshot.registration | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.hookshot.existingPasskeySecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-hookshot-passkey-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-passkey
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  {{ .Values.hookshot.config.passFile }}: |
+{{ toYaml .Values.hookshot.passkey | indent 4 }}
+{{- end }}

charts/matrix-hookshot/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/matrix-hookshot/templates/service-monitor.yaml

@@ -0,0 +1,23 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    - port: metrics
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      path: /metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-hookshot
+      app.kubernetes.io/instance: {{ .Release.Name }}      
+{{- end }}

charts/matrix-hookshot/templates/service.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.webhook.port }}
+      targetPort: webhook
+      protocol: TCP
+      name: webhook
+    - port: {{ .Values.service.metrics.port }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+    - port: {{ .Values.service.appservice.port }}
+      targetPort: appservice
+      protocol: TCP
+      name: appservice
+    - port: {{ .Values.service.widgets.port }}
+      targetPort: widgets
+      protocol: TCP
+      name: widgets      
+  selector:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/matrix-hookshot/values.yaml

@@ -0,0 +1,248 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: halfshot/matrix-hookshot
+    tag: "5.3.0"
+    imagePullPolicy: IfNotPresent
+  env: {}
+  envFrom: []
+  resources:
+    limits:
+      memory: 512Mi
+      cpu: 100m
+    requests:
+      memory: 256Mi
+      cpu: 50m
+service:
+  type: ClusterIP
+  webhook:
+    port: 9000
+  metrics:
+    port: 9001
+  appservice:
+    port: 9002
+  widgets:
+    port: 9003
+ingress:
+  webhook:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: ""
+  appservice:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: ""
+  widgets:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: ""
+metrics:
+  enabled: false
+  serviceMonitor:
+    enabled: false
+    interval: 15s
+    scrapeTimeout: 5s
+
+# Reference the following for examples
+# https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html
+hookshot:
+
+  # config.yml contents
+  existingSecret: ""
+  config:
+    bridge:
+      domain: example.com
+      url: http://localhost:8008
+      mediaUrl: https://example.com
+      port: 9993
+      bindAddress: 0.0.0.0
+    passFile: passkey.pem
+    logging:
+      level: info
+      colorize: true
+      json: false
+      timestampFormat: HH:mm:ss:SSS
+    listeners:
+      - port: 9000
+        bindAddress: 0.0.0.0
+        resources:
+          - webhooks
+      - port: 9001
+        bindAddress: 0.0.0.0
+        resources:
+          - metrics
+          - provisioning
+      - port: 9003
+        bindAddress: 0.0.0.0
+        resources:
+          - widgets
+
+    # github:
+    #  # (Optional) Configure this to enable GitHub support
+    #  auth:
+    #    # Authentication for the GitHub App.
+    #    id: 123
+    #    privateKeyFile: github-key.pem
+    #  webhook:
+    #    # Webhook settings for the GitHub app.
+    #    secret: secrettoken
+    #  oauth:
+    #    # (Optional) Settings for allowing users to sign in via OAuth.
+    #    client_id: foo
+    #    client_secret: bar
+    #    redirect_uri: https://example.com/oauth/
+    #  defaultOptions:
+    #    # (Optional) Default options for GitHub connections.
+    #    showIssueRoomLink: false
+    #    hotlinkIssues:
+    #      prefix: "#"
+    #  userIdPrefix:
+    #    # (Optional) Prefix used when creating ghost users for GitHub accounts.
+    #    _github_
+
+    # gitlab:
+    #  # (Optional) Configure this to enable GitLab support
+    #  instances:
+    #    gitlab.com:
+    #      url: https://gitlab.com
+    #  webhook:
+    #    secret: secrettoken
+    #    publicUrl: https://example.com/hookshot/
+    #  userIdPrefix:
+    #    # (Optional) Prefix used when creating ghost users for GitLab accounts.
+    #    _gitlab_
+    #  commentDebounceMs:
+    #    # (Optional) Aggregate comments by waiting this many miliseconds before posting them to Matrix. Defaults to 5000 (5 seconds)
+    #    5000
+
+    # figma:
+    #  # (Optional) Configure this to enable Figma support
+    #  publicUrl: https://example.com/hookshot/
+    #  instances:
+    #    your-instance:
+    #      teamId: your-team-id
+    #      accessToken: your-personal-access-token
+    #      passcode: your-webhook-passcode
+
+    # jira:
+    #  # (Optional) Configure this to enable Jira support. Only specify `url` if you are using a On Premise install (i.e. not atlassian.com)
+    #  webhook:
+    #    # Webhook settings for JIRA
+    #    secret: secrettoken
+    #  oauth:
+    #    # (Optional) OAuth settings for connecting users to JIRA. See documentation for more information
+    #    client_id: foo
+    #    client_secret: bar
+    #    redirect_uri: https://example.com/oauth/
+
+    # generic:
+    #  # (Optional) Support for generic webhook events.
+    #  #'allowJsTransformationFunctions' will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments
+
+    #  enabled: false
+    #  enableHttpGet: false
+    #  urlPrefix: https://example.com/webhook/
+    #  userIdPrefix: _webhooks_
+    #  allowJsTransformationFunctions: false
+    #  waitForComplete: false
+
+    # feeds:
+    #  # (Optional) Configure this to enable RSS/Atom feed support
+    #  enabled: false
+    #  pollConcurrency: 4
+    #  pollIntervalSeconds: 600
+    #  pollTimeoutSeconds: 30
+
+    # provisioning:
+    #  # (Optional) Provisioning API for integration managers
+    #  secret: "!secretToken"
+
+    # bot:
+    #  # (Optional) Define profile information for the bot user
+    #  displayname: Hookshot Bot
+    #  avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+
+    # serviceBots:
+    #  # (Optional) Define additional bot users for specific services
+    #  - localpart: feeds
+    #    displayname: Feeds
+    #    avatar: ./assets/feeds_avatar.png
+    #    prefix: "!feeds"
+    #    service: feeds
+
+    # metrics:
+    #  # (Optional) Prometheus metrics support
+    #  enabled: true
+
+    # cache:
+    #  # (Optional) Cache options for large scale deployments.
+    #  # For encryption to work, this must be configured.
+    #  redisUri: redis://localhost:6379
+
+    # queue:
+    #  # (Optional) Message queue configuration options for large scale deployments.
+    #  # For encryption to work, this must not be configured.
+    #  redisUri: redis://localhost:6379
+
+    # widgets:
+    #  # (Optional) EXPERIMENTAL support for complimentary widgets
+    #  addToAdminRooms: false
+    #  disallowedIpRanges:
+    #    - 127.0.0.0/8
+    #    - 10.0.0.0/8
+    #    - 172.16.0.0/12
+    #    - 192.168.0.0/16
+    #    - 100.64.0.0/10
+    #    - 192.0.0.0/24
+    #    - 169.254.0.0/16
+    #    - 192.88.99.0/24
+    #    - 198.18.0.0/15
+    #    - 192.0.2.0/24
+    #    - 198.51.100.0/24
+    #    - 203.0.113.0/24
+    #    - 224.0.0.0/4
+    #    - ::1/128
+    #    - fe80::/10
+    #    - fc00::/7
+    #    - 2001:db8::/32
+    #    - ff00::/8
+    #    - fec0::/10
+    #  roomSetupWidget:
+    #    addOnInvite: false
+    #  publicUrl: https://example.com/widgetapi/v1/static/
+    #  branding:
+    #    widgetTitle: Hookshot Configuration
+
+    # sentry:
+    #  # (Optional) Configure Sentry error reporting
+    #  dsn: https://examplePublicKey@o0.ingest.sentry.io/0
+    #  environment: production
+
+    # permissions:
+    #  # (Optional) Permissions for using the bridge. See docs/setup.md#permissions for help
+    #  - actor: example.com
+    #    services:
+    #      - service: "*"
+    #        level: admin
+
+  # registration.yml contents
+  existingRegistrationSecret: ""
+  registration:
+    id: matrix-hookshot
+    as_token: ""
+    hs_token: ""
+    namespaces:
+      rooms: []
+      users: []
+    sender_localpart: hookshot
+    url: "http://example.com"
+    rate_limited: false
+
+  # A passkey used to encrypt tokens stored inside the bridge.
+  # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
+  existingPasskeySecret: ""
+  passkey: ""

charts/mautrix-discord/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: mautrix-discord
+version: 0.0.2
+description: Chart for Matrix Discord Bridge
+keywords:
+  - matrix
+  - mautrix-discord
+  - bridge
+  - discord
+sources:
+  - https://github.com/mautrix/discord
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/88519669?s=48&v=4
+appVersion: v0.6.5

charts/mautrix-discord/templates/_helpers.tpl

@@ -0,0 +1,41 @@
+{{/*
+Helper for secret name
+*/}}
+{{- define "mautrix-discord.secretName" -}}
+{{- if .Values.mautrixDiscord.existingSecret }}
+{{- printf "%s" .Values.mautrixDiscord.existingSecret -}}
+{{- else }}
+{{- printf "mautrix-discord-config-secret" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for registration secret name
+*/}}
+{{- define "mautrix-discord.registrationSecretName" -}}
+{{- if .Values.mautrixDiscord.existingRegistrationSecret }}
+{{- printf "%s" .Values.mautrixDiscord.existingRegistrationSecret -}}
+{{- else }}
+{{- printf "mautrix-discord-registration-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate registration.yaml if not from existing secret
+*/}}
+{{- define "mautrix-discord.registration-yaml" -}}
+id: {{ .Values.mautrixDiscord.config.appservice.id | quote }}
+as_token: {{ .Values.mautrixDiscord.config.appservice.as_token | quote }}
+hs_token: {{ .Values.mautrixDiscord.config.appservice.hs_token | quote }}
+namespaces:
+  users:
+    - regex: {{ printf "^@discordbot:%s$" (replace "." "\\." .Values.mautrixDiscord.config.homeserver.domain) }}
+      exclusive: true
+    - regex: {{ printf "^@%s:%s$" (replace "{{.}}" ".*" (tpl .Values.mautrixDiscord.config.bridge.username_template .)) (replace "." "\\." .Values.mautrixDiscord.config.homeserver.domain) }}
+      exclusive: true
+url: {{ .Values.mautrixDiscord.config.appservice.address | quote }}
+sender_localpart: {{ .Values.mautrixDiscord.registration.sender_localpart | quote }}
+rate_limited: {{ .Values.mautrixDiscord.registration.rate_limited }}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+{{- end -}}

charts/mautrix-discord/templates/deployment.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-discord
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-discord
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: mautrix-discord
+      automountServiceAccountToken: true
+      containers:
+        - name: mautrix-discord
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /_matrix/mau/live
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.liveness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.liveness.periodSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /_matrix/mau/ready
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.readiness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.readiness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: registration
+              mountPath: /data/registration.yaml
+              subPath: registration.yaml
+              readOnly: true
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ template "mautrix-discord.secretName" . }}
+        - name: registration
+          secret:
+            secretName: {{ template "mautrix-discord.registrationSecretName" . }}
+        - name: data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim | default "mautrix-discord-data" }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+      {{- with .Values.deployment.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/mautrix-discord/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: mautrix-discord
+                port:
+                  name: http
+{{- end }}

charts/mautrix-discord/templates/persistent-volume-claim.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: mautrix-discord-data
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.storageClass }}
+  {{- if not .Values.persistence.storageClass }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

charts/mautrix-discord/templates/secret.yaml

@@ -0,0 +1,33 @@
+{{- if not .Values.mautrixDiscord.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-discord-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  config.yaml: |
+{{ toYaml .Values.mautrixDiscord.config | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.mautrixDiscord.existingRegistrationSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-discord-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord-registration
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  registration.yaml: {{ include "mautrix-discord.registration-yaml" . | b64enc | quote }}
+{{- end }}

charts/mautrix-discord/templates/service-account.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

charts/mautrix-discord/templates/service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  clusterIP: {{ .Values.service.clusterIP | quote }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/mautrix-discord/values.yaml

@@ -0,0 +1,427 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: dock.mau.dev/mautrix/discord
+    tag: v0.6.5
+    imagePullPolicy: IfNotPresent
+  env: {}
+  envFrom: []
+  resources:
+    limits:
+      memory: 128Mi
+      cpu: 200m
+    requests:
+      memory: 64Mi
+      cpu: 50m
+  probes:
+    liveness:
+      failureThreshold: 5
+      periodSeconds: 10
+    readiness:
+      failureThreshold: 5
+      periodSeconds: 10
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+serviceAccount:
+  create: true
+  annotations: {}
+service:
+  type: ClusterIP
+  clusterIP: None
+  port: 29334
+  externalTrafficPolicy: ""
+  publishNotReadyAddresses: true
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  host: ""
+persistence:
+  enabled: false
+  existingClaim: ""
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 500Mi
+
+
+# Reference the following for examples
+# https://github.com/mautrix/discord/blob/main/example-config.yaml
+mautrixDiscord:
+
+  # config.yml contents
+  existingSecret: ""
+  config:
+    # Homeserver details.
+    homeserver:
+        # The address that this appservice can use to connect to the homeserver.
+        address: https://matrix.example.com
+        # Publicly accessible base URL for media, used for avatars in relay mode.
+        # If not set, the connection address above will be used.
+        public_address: null
+        # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+        domain: example.com
+
+        # What software is the homeserver running?
+        # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+        software: standard
+        # The URL to push real-time bridge status to.
+        # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.
+        # The bridge will use the appservice as_token to authorize requests.
+        status_endpoint: null
+        # Endpoint for reporting per-message status.
+        message_send_checkpoint_endpoint: null
+        # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+        async_media: false
+
+        # Should the bridge use a websocket for connecting to the homeserver?
+        # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+        # mautrix-asmux (deprecated), and hungryserv (proprietary).
+        websocket: false
+        # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+        ping_interval_seconds: 0
+
+    # Application service host/registration related details.
+    # Changing these values requires regeneration of the registration.
+    appservice:
+        # The address that the homeserver can use to connect to this appservice.
+        address: http://localhost:29334
+
+        # The hostname and port where this appservice should listen.
+        hostname: 0.0.0.0
+        port: 29334
+
+        # Database config.
+        database:
+            # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+            type: postgres
+            # The database URI.
+            #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+            #           https://github.com/mattn/go-sqlite3#connection-string
+            #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+            #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+            uri: postgres://user:password@host/database?sslmode=disable
+            # Maximum number of connections. Mostly relevant for Postgres.
+            max_open_conns: 20
+            max_idle_conns: 2
+            # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+            # Parsed with https://pkg.go.dev/time#ParseDuration
+            max_conn_idle_time: null
+            max_conn_lifetime: null
+
+        # The unique ID of this appservice.
+        id: discord
+        # Appservice bot details.
+        bot:
+            # Username of the appservice bot.
+            username: discordbot
+            # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+            # to leave display name/avatar as-is.
+            displayname: Discord bridge bot
+            avatar: mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC
+
+        # Whether or not to receive ephemeral events via appservice transactions.
+        # Requires MSC2409 support (i.e. Synapse 1.22+).
+        ephemeral_events: true
+
+        # Should incoming events be handled asynchronously?
+        # This may be necessary for large public instances with lots of messages going through.
+        # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+        async_transactions: false
+
+        # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+        as_token: "This value is generated when generating the registration"
+        hs_token: "This value is generated when generating the registration"
+
+    # Bridge config
+    bridge:
+        # Localpart template of MXIDs for Discord users.
+        # {{.}} is replaced with the internal ID of the Discord user.
+        username_template: discord_{{.}}
+        # Displayname template for Discord users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
+        # Available variables:
+        #   .ID - Internal user ID
+        #   .Username - Legacy display/username on Discord
+        #   .GlobalName - New displayname on Discord
+        #   .Discriminator - The 4 numbers after the name on Discord
+        #   .Bot - Whether the user is a bot
+        #   .System - Whether the user is an official system user
+        #   .Webhook - Whether the user is a webhook and is not an application
+        #   .Application - Whether the user is an application
+        displayname_template: '{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}'
+        # Displayname template for Discord channels (bridged as rooms, or spaces when type=4).
+        # Available variables:
+        #   .Name - Channel name, or user displayname (pre-formatted with displayname_template) in DMs.
+        #   .ParentName - Parent channel name (used for categories).
+        #   .GuildName - Guild name.
+        #   .NSFW - Whether the channel is marked as NSFW.
+        #   .Type - Channel type (see values at https://github.com/bwmarrin/discordgo/blob/v0.25.0/structs.go#L251-L267)
+        channel_name_template: '{{if or (eq .Type 3) (eq .Type 4)}}{{.Name}}{{else}}#{{.Name}}{{end}}'
+        # Displayname template for Discord guilds (bridged as spaces).
+        # Available variables:
+        #   .Name - Guild name
+        guild_name_template: '{{.Name}}'
+        # Whether to explicitly set the avatar and room name for private chat portal rooms.
+        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+        # If set to `always`, all DM rooms will have explicit names and avatars set.
+        # If set to `never`, DM rooms will never have names and avatars set.
+        private_chat_portal_meta: default
+
+        portal_message_buffer: 128
+
+        # Number of private channel portals to create on bridge startup.
+        # Other portals will be created when receiving messages.
+        startup_private_channel_create_limit: 5
+        # Should the bridge send a read receipt from the bridge bot when a message has been sent to Discord?
+        delivery_receipts: false
+        # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+        message_status_events: false
+        # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+        message_error_notices: true
+        # Should the bridge use space-restricted join rules instead of invite-only for guild rooms?
+        # This can avoid unnecessary invite events in guild rooms when members are synced in.
+        restricted_rooms: true
+        # Should the bridge automatically join the user to threads on Discord when the thread is opened on Matrix?
+        # This only works with clients that support thread read receipts (MSC3771 added in Matrix v1.4).
+        autojoin_thread_on_open: true
+        # Should inline fields in Discord embeds be bridged as HTML tables to Matrix?
+        # Tables aren't supported in all clients, but are the only way to emulate the Discord inline field UI.
+        embed_fields_as_tables: true
+        # Should guild channels be muted when the portal is created? This only meant for single-user instances,
+        # it won't mute it for all users if there are multiple Matrix users in the same Discord guild.
+        mute_channels_on_create: false
+        # Should the bridge update the m.direct account data event when double puppeting is enabled.
+        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+        # and is therefore prone to race conditions.
+        sync_direct_chat_list: false
+        # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+        # This field will automatically be changed back to false after it, except if the config file is not writable.
+        resend_bridge_info: false
+        # Should incoming custom emoji reactions be bridged as mxc:// URIs?
+        # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available.
+        custom_emoji_reactions: true
+        # Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord?
+        # If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave.
+        delete_portal_on_channel_delete: false
+        # Should the bridge delete all portal rooms when you leave a guild on Discord?
+        # This only applies if the guild has no other Matrix users on this bridge instance.
+        delete_guild_on_leave: true
+        # Whether or not created rooms should have federation enabled.
+        # If false, created portal rooms will never be federated.
+        federate_rooms: true
+        # Prefix messages from webhooks with the profile info? This can be used along with a custom displayname_template
+        # to better handle webhooks that change their name all the time (like ones used by bridges).
+        prefix_webhook_messages: false
+        # Bridge webhook avatars?
+        enable_webhook_avatars: true
+        # Should the bridge upload media to the Discord CDN directly before sending the message when using a user token,
+        # like the official client does? The other option is sending the media in the message send request as a form part
+        # (which is always used by bots and webhooks).
+        use_discord_cdn_upload: true
+        # Should mxc uris copied from Discord be cached?
+        # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything.
+        # If you have a media repo that generates non-unique mxc uris, you should set this to never.
+        cache_media: unencrypted
+        # Settings for converting Discord media to custom mxc:// URIs instead of reuploading.
+        # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
+        direct_media:
+            # Should custom mxc:// URIs be used instead of reuploading media?
+            enabled: false
+            # The server name to use for the custom mxc:// URIs.
+            # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
+            # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
+            server_name: discord-media.example.com
+            # Optionally a custom .well-known response. This defaults to `server_name:443`
+            well_known_response:
+            # The bridge supports MSC3860 media download redirects and will use them if the requester supports it.
+            # Optionally, you can force redirects and not allow proxying at all by setting this to false.
+            allow_proxy: true
+            # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
+            # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
+            server_key: generate
+        # Settings for converting animated stickers.
+        animated_sticker:
+            # Format to which animated stickers should be converted.
+            # disable - No conversion, send as-is (lottie JSON)
+            # png - converts to non-animated png (fastest)
+            # gif - converts to animated gif
+            # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
+            # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
+            target: webp
+            # Arguments for converter. All converters take width and height.
+            args:
+                width: 320
+                height: 320
+                fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
+        # Servers to always allow double puppeting from
+        double_puppet_server_map:
+            example.com: https://example.com
+        # Allow using double puppeting from any server with a valid client .well-known file.
+        double_puppet_allow_discovery: false
+        # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+        #
+        # If set, double puppeting will be enabled automatically for local users
+        # instead of users having to find an access token and run `login-matrix`
+        # manually.
+        login_shared_secret_map:
+            example.com: foobar
+
+        # The prefix for commands. Only required in non-management rooms.
+        command_prefix: '!discord'
+        # Messages sent upon joining a management room.
+        # Markdown is supported. The defaults are listed below.
+        management_room_text:
+            # Sent when joining a room.
+            welcome: "Hello, I'm a Discord bridge bot."
+            # Sent when joining a management room and the user is already logged in.
+            welcome_connected: "Use `help` for help."
+            # Sent when joining a management room and the user is not logged in.
+            welcome_unconnected: "Use `help` for help or `login` to log in."
+            # Optional extra text sent when joining a management room.
+            additional_help: ""
+
+        # Settings for backfilling messages.
+        backfill:
+            # Limits for forward backfilling.
+            forward_limits:
+                # Initial backfill (when creating portal). 0 means backfill is disabled.
+                # A special unlimited value is not supported, you must set a limit. Initial backfill will
+                # fetch all messages first before backfilling anything, so high limits can take a lot of time.
+                initial:
+                    dm: 0
+                    channel: 0
+                    thread: 0
+                # Missed message backfill (on startup).
+                # 0 means backfill is disabled, -1 means fetch all messages since last bridged message.
+                # When using unlimited backfill (-1), messages are backfilled as they are fetched.
+                # With limits, all messages up to the limit are fetched first and backfilled afterwards.
+                missed:
+                    dm: 0
+                    channel: 0
+                    thread: 0
+            # Maximum members in a guild to enable backfilling. Set to -1 to disable limit.
+            # This can be used as a rough heuristic to disable backfilling in channels that are too active.
+            # Currently only applies to missed message backfill.
+            max_guild_members: -1
+
+        # End-to-bridge encryption support options.
+        #
+        # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+        encryption:
+            # Allow encryption, work in group chat rooms with e2ee enabled
+            allow: false
+            # Default to encryption, force-enable encryption in all portals the bridge creates
+            # This will cause the bridge bot to be in private chats for the encryption to work properly.
+            default: false
+            # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+            appservice: false
+            # Require encryption, drop any unencrypted messages.
+            require: false
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow_key_sharing: false
+            # Should users mentions be in the event wire content to enable the server to send push notifications?
+            plaintext_mentions: false
+            # Options for deleting megolm sessions from the bridge.
+            delete_keys:
+                # Beeper-specific: delete outbound sessions when hungryserv confirms
+                # that the user has uploaded the key to key backup.
+                delete_outbound_on_ack: false
+                # Don't store outbound sessions in the inbound table.
+                dont_store_outbound: false
+                # Ratchet megolm sessions forward after decrypting messages.
+                ratchet_on_decrypt: false
+                # Delete fully used keys (index >= max_messages) after decrypting messages.
+                delete_fully_used_on_decrypt: false
+                # Delete previous megolm sessions from same device when receiving a new one.
+                delete_prev_on_new_session: false
+                # Delete megolm sessions received from a device when the device is deleted.
+                delete_on_device_delete: false
+                # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+                periodically_delete_expired: false
+                # Delete inbound megolm sessions that don't have the received_at field used for
+                # automatic ratcheting and expired session deletion. This is meant as a migration
+                # to delete old keys prior to the bridge update.
+                delete_outdated_inbound: false
+            # What level of device verification should be required from users?
+            #
+            # Valid levels:
+            #   unverified - Send keys to all device in the room.
+            #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+            #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+            #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+            #                           Note that creating user signatures from the bridge bot is not currently possible.
+            #   verified - Require manual per-device verification
+            #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+            verification_levels:
+                # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+                receive: unverified
+                # Minimum level that the bridge should accept for incoming Matrix messages.
+                send: unverified
+                # Minimum level that the bridge should require for accepting key requests.
+                share: cross-signed-tofu
+            # Options for Megolm room key rotation. These options allow you to
+            # configure the m.room.encryption event content. See:
+            # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+            # more information about that event.
+            rotation:
+                # Enable custom Megolm room key rotation settings. Note that these
+                # settings will only apply to rooms created after this option is
+                # set.
+                enable_custom: false
+                # The maximum number of milliseconds a session should be used
+                # before changing it. The Matrix spec recommends 604800000 (a week)
+                # as the default.
+                milliseconds: 604800000
+                # The maximum number of messages that should be sent with a given a
+                # session before changing it. The Matrix spec recommends 100 as the
+                # default.
+                messages: 100
+
+                # Disable rotating keys when a user's devices change?
+                # You should not enable this option unless you understand all the implications.
+                disable_device_change_key_rotation: false
+
+        # Settings for provisioning API
+        provisioning:
+            # Prefix for the provisioning API paths.
+            prefix: /_matrix/provision
+            # Shared secret for authentication. If set to "generate", a random secret will be generated,
+            # or if set to "disable", the provisioning API will be disabled.
+            shared_secret: generate
+            # Enable debug API at /debug with provisioning authentication.
+            debug_endpoints: false
+
+        # Permissions for using the bridge.
+        # Permitted values:
+        #    relay - Talk through the relaybot (if enabled), no access otherwise
+        #     user - Access to use the bridge to chat with a Discord account.
+        #    admin - User level and some additional administration tools
+        # Permitted keys:
+        #        * - All Matrix users
+        #   domain - All users on that homeserver
+        #     mxid - Specific user
+        permissions:
+            "*": relay
+            "example.com": user
+            "@admin:example.com": admin
+
+    # Logging config. See https://github.com/tulir/zeroconfig for details.
+    logging:
+        min_level: debug
+        writers:
+        - type: stdout
+          format: pretty-colored
+        - type: file
+          format: json
+          filename: ./logs/mautrix-discord.log
+          max_size: 100
+          max_backups: 10
+          compress: true
+
+  # registration.yml contents
+  existingRegistrationSecret: ""
+  registration:
+    rate_limited: false
+    sender_localpart: discordbridgebot

charts/mautrix-whatsapp/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: mautrix-whatsapp
+version: 0.0.3
+description: Chart for Matrix Whatsapp Bridge
+keywords:
+  - matrix
+  - mautrix-whatsapp
+  - bridge
+  - whatsapp
+sources:
+  - https://github.com/mautrix/whatsapp
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/88519669?s=48&v=4
+appVersion: v0.10.7

charts/mautrix-whatsapp/templates/_helpers.tpl

@@ -0,0 +1,41 @@
+{{/*
+Helper for secret name
+*/}}
+{{- define "mautrix-whatsapp.secretName" -}}
+{{- if .Values.mautrixWhatsapp.existingSecret }}
+{{- printf "%s" .Values.mautrixWhatsapp.existingSecret -}}
+{{- else }}
+{{- printf "mautrix-whatsapp-config-secret" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for registration secret name
+*/}}
+{{- define "mautrix-whatsapp.registrationSecretName" -}}
+{{- if .Values.mautrixWhatsapp.existingRegistrationSecret }}
+{{- printf "%s" .Values.mautrixWhatsapp.existingRegistrationSecret -}}
+{{- else }}
+{{- printf "mautrix-whatsapp-registration-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate registration.yaml if not from existing secret
+*/}}
+{{- define "mautrix-whatsapp.registration-yaml" -}}
+id: {{ .Values.mautrixWhatsapp.config.appservice.id | quote }}
+as_token: {{ .Values.mautrixWhatsapp.config.appservice.as_token | quote }}
+hs_token: {{ .Values.mautrixWhatsapp.config.appservice.hs_token | quote }}
+namespaces:
+  users:
+    - regex: {{ printf "^@whatsappbot:%s$" (replace "." "\\." .Values.mautrixWhatsapp.config.homeserver.domain) }}
+      exclusive: true
+    - regex: {{ printf "^@%s:%s$" (replace "{{.}}" ".*" (tpl .Values.mautrixWhatsapp.config.bridge.username_template .)) (replace "." "\\." .Values.mautrixWhatsapp.config.homeserver.domain) }}
+      exclusive: true
+url: {{ .Values.mautrixWhatsapp.config.appservice.address | quote }}
+sender_localpart: {{ .Values.mautrixWhatsapp.registration.sender_localpart | quote }}
+rate_limited: {{ .Values.mautrixWhatsapp.registration.rate_limited }}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+{{- end -}}

charts/mautrix-whatsapp/templates/deployment.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-whatsapp
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-whatsapp
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: mautrix-whatsapp
+      automountServiceAccountToken: true
+      containers:
+        - name: mautrix-whatsapp
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /_matrix/mau/live
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.liveness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.liveness.periodSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /_matrix/mau/ready
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.readiness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.readiness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: registration
+              mountPath: /data/registration.yaml
+              subPath: registration.yaml
+              readOnly: true
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ template "mautrix-whatsapp.secretName" . }}
+        - name: registration
+          secret:
+            secretName: {{ template "mautrix-whatsapp.registrationSecretName" . }}
+        - name: data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim | default "mautrix-whatsapp-data" }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+      {{- with .Values.deployment.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/mautrix-whatsapp/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: mautrix-whatsapp
+                port:
+                  name: http
+{{- end }}

charts/mautrix-whatsapp/templates/persistent-volume-claim.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: mautrix-whatsapp-data
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.storageClass }}
+  {{- if not .Values.persistence.storageClass }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

charts/mautrix-whatsapp/templates/secret.yaml

@@ -0,0 +1,33 @@
+{{- if not .Values.mautrixWhatsapp.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  config.yaml: |
+{{ toYaml .Values.mautrixWhatsapp.config | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.mautrixWhatsapp.existingRegistrationSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp-registration
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  registration.yaml: {{ include "mautrix-whatsapp.registration-yaml" . | b64enc | quote }}
+{{- end }}

charts/mautrix-whatsapp/templates/service-account.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

charts/mautrix-whatsapp/templates/service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  clusterIP: {{ .Values.service.clusterIP | quote }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/mautrix-whatsapp/values.yaml

@@ -0,0 +1,532 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: dock.mau.dev/mautrix/whatsapp
+    tag: v0.10.7
+    imagePullPolicy: IfNotPresent
+  env: {}
+  envFrom: []
+  resources:
+    limits:
+      memory: 128Mi
+      cpu: 200m
+    requests:
+      memory: 64Mi
+      cpu: 50m
+  probes:
+    liveness:
+      failureThreshold: 5
+      periodSeconds: 10
+    readiness:
+      failureThreshold: 5
+      periodSeconds: 10
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+serviceAccount:
+  create: true
+  annotations: {}
+service:
+  type: ClusterIP
+  clusterIP: None
+  port: 29334
+  externalTrafficPolicy: ""
+  publishNotReadyAddresses: true
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  host: ""
+persistence:
+  enabled: false
+  existingClaim: ""
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 500Mi
+
+# Reference the following for examples
+# https://github.com/mautrix/whatsapp/blob/main/example-config.yaml
+mautrixWhatsapp:
+  # config.yml contents
+  existingSecret: ""
+  config:
+    # Homeserver details.
+    homeserver:
+      # The address that this appservice can use to connect to the homeserver.
+      address: https://matrix.example.com
+      # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+      domain: example.com
+
+      # What software is the homeserver running?
+      # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+      software: standard
+      # The URL to push real-time bridge status to.
+      # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
+      # The bridge will use the appservice as_token to authorize requests.
+      status_endpoint: null
+      # Endpoint for reporting per-message status.
+      message_send_checkpoint_endpoint: null
+      # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+      async_media: false
+
+      # Should the bridge use a websocket for connecting to the homeserver?
+      # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+      # mautrix-asmux (deprecated), and hungryserv (proprietary).
+      websocket: false
+      # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+      ping_interval_seconds: 0
+
+    # Application service host/registration related details.
+    # Changing these values requires regeneration of the registration.
+    appservice:
+      # The address that the homeserver can use to connect to this appservice.
+      address: http://localhost:29318
+
+      # The hostname and port where this appservice should listen.
+      hostname: 0.0.0.0
+      port: 29318
+
+      # Database config.
+      database:
+        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+        type: postgres
+        # The database URI.
+        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+        #           https://github.com/mattn/go-sqlite3#connection-string
+        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+        uri: postgres://user:password@host/database?sslmode=disable
+        # Maximum number of connections. Mostly relevant for Postgres.
+        max_open_conns: 20
+        max_idle_conns: 2
+        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+        # Parsed with https://pkg.go.dev/time#ParseDuration
+        max_conn_idle_time: null
+        max_conn_lifetime: null
+
+      # The unique ID of this appservice.
+      id: whatsapp
+      # Appservice bot details.
+      bot:
+        # Username of the appservice bot.
+        username: whatsappbot
+        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+        # to leave display name/avatar as-is.
+        displayname: WhatsApp bridge bot
+        avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
+
+      # Whether or not to receive ephemeral events via appservice transactions.
+      # Requires MSC2409 support (i.e. Synapse 1.22+).
+      ephemeral_events: true
+
+      # Should incoming events be handled asynchronously?
+      # This may be necessary for large public instances with lots of messages going through.
+      # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+      async_transactions: false
+
+      # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+      as_token: "This value is generated when generating the registration"
+      hs_token: "This value is generated when generating the registration"
+
+    # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
+    analytics:
+      # Hostname of the tracking server. The path is hardcoded to /v1/track
+      host: api.segment.io
+      # API key to send with tracking requests. Tracking is disabled if this is null.
+      token: null
+      # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
+      user_id: null
+
+    # Prometheus config.
+    metrics:
+      # Enable prometheus metrics?
+      enabled: false
+      # IP and port where the metrics listener should be. The path is always /metrics
+      listen: 127.0.0.1:8001
+
+    # Config for things that are directly sent to WhatsApp.
+    whatsapp:
+      # Device name that's shown in the "WhatsApp Web" section in the mobile app.
+      os_name: Mautrix-WhatsApp bridge
+      # Browser name that determines the logo shown in the mobile app.
+      # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
+      # List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64
+      browser_name: unknown
+
+    # Bridge config
+    bridge:
+      # Localpart template of MXIDs for WhatsApp users.
+      # {{.}} is replaced with the phone number of the WhatsApp user.
+      username_template: whatsapp_{{.}}
+      # Displayname template for WhatsApp users.
+      # {{.PushName}}     - nickname set by the WhatsApp user
+      # {{.BusinessName}} - validated WhatsApp business name
+      # {{.Phone}}        - phone number (international format)
+      # The following variables are also available, but will cause problems on multi-user instances:
+      # {{.FullName}}  - full name from contact list
+      # {{.FirstName}} - first name from contact list
+      displayname_template: "{{or .BusinessName .PushName .JID}} (WA)"
+      # Should the bridge create a space for each logged-in user and add bridged rooms to it?
+      # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
+      personal_filtering_spaces: false
+      # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
+      delivery_receipts: false
+      # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+      message_status_events: false
+      # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+      message_error_notices: true
+      # Should incoming calls send a message to the Matrix room?
+      call_start_notices: true
+      # Should another user's cryptographic identity changing send a message to Matrix?
+      identity_change_notices: false
+      portal_message_buffer: 128
+      # Settings for handling history sync payloads.
+      history_sync:
+        # Enable backfilling history sync payloads from WhatsApp?
+        backfill: true
+        # The maximum number of initial conversations that should be synced.
+        # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat.
+        max_initial_conversations: -1
+        # Maximum number of messages to backfill in each conversation.
+        # Set to -1 to disable limit.
+        message_count: 50
+        # Should the bridge request a full sync from the phone when logging in?
+        # This bumps the size of history syncs from 3 months to 1 year.
+        request_full_sync: false
+        # Configuration parameters that are sent to the phone along with the request full sync flag.
+        # By default (when the values are null or 0), the config isn't sent at all.
+        full_sync_config:
+          # Number of days of history to request.
+          # The limit seems to be around 3 years, but using higher values doesn't break.
+          days_limit: null
+          # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob.
+          size_mb_limit: null
+          # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob.
+          storage_quota_mb: null
+        # If this value is greater than 0, then if the conversation's last message was more than
+        # this number of hours ago, then the conversation will automatically be marked it as read.
+        # Conversations that have a last message that is less than this number of hours ago will
+        # have their unread status synced from WhatsApp.
+        unread_hours_threshold: 0
+
+        ###############################################################################
+        # The settings below are only applicable for backfilling using batch sending, #
+        # which is no longer supported in Synapse.                                    #
+        ###############################################################################
+
+        # Settings for media requests. If the media expired, then it will not be on the WA servers.
+        # Media can always be requested by reacting with the ♻️ (recycle) emoji.
+        # These settings determine if the media requests should be done automatically during or after backfill.
+        media_requests:
+          # Should expired media be automatically requested from the server as part of the backfill process?
+          auto_request_media: true
+          # Whether to request the media immediately after the media message is backfilled ("immediate")
+          # or at a specific time of the day ("local_time").
+          request_method: immediate
+          # If request_method is "local_time", what time should the requests be sent (in minutes after midnight)?
+          request_local_time: 120
+        # Settings for immediate backfills. These backfills should generally be small and their main purpose is
+        # to populate each of the initial chats (as configured by max_initial_conversations) with a few messages
+        # so that you can continue conversations without losing context.
+        immediate:
+          # The number of concurrent backfill workers to create for immediate backfills.
+          # Note that using more than one worker could cause the room list to jump around
+          # since there are no guarantees about the order in which the backfills will complete.
+          worker_count: 1
+          # The maximum number of events to backfill initially.
+          max_events: 10
+        # Settings for deferred backfills. The purpose of these backfills are to fill in the rest of
+        # the chat history that was not covered by the immediate backfills.
+        # These backfills generally should happen at a slower pace so as not to overload the homeserver.
+        # Each deferred backfill config should define a "stage" of backfill (i.e. the last week of messages).
+        # The fields are as follows:
+        # - start_days_ago: the number of days ago to start backfilling from.
+        #     To indicate the start of time, use -1. For example, for a week ago, use 7.
+        # - max_batch_events: the number of events to send per batch.
+        # - batch_delay: the number of seconds to wait before backfilling each batch.
+        deferred:
+          # Last Week
+          - start_days_ago: 7
+            max_batch_events: 20
+            batch_delay: 5
+          # Last Month
+          - start_days_ago: 30
+            max_batch_events: 50
+            batch_delay: 10
+          # Last 3 months
+          - start_days_ago: 90
+            max_batch_events: 100
+            batch_delay: 10
+          # The start of time
+          - start_days_ago: -1
+            max_batch_events: 500
+            batch_delay: 10
+
+      # Should puppet avatars be fetched from the server even if an avatar is already set?
+      user_avatar_sync: true
+      # Should Matrix users leaving groups be bridged to WhatsApp?
+      bridge_matrix_leave: true
+      # Should the bridge update the m.direct account data event when double puppeting is enabled.
+      # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+      # and is therefore prone to race conditions.
+      sync_direct_chat_list: false
+      # Should the bridge use MSC2867 to bridge manual "mark as unread"s from
+      # WhatsApp and set the unread status on initial backfill?
+      # This will only work on clients that support the m.marked_unread or
+      # com.famedly.marked_unread room account data.
+      sync_manual_marked_unread: true
+      # When double puppeting is enabled, users can use `!wa toggle` to change whether
+      # presence is bridged. This setting sets the default value.
+      # Existing users won't be affected when these are changed.
+      default_bridge_presence: true
+      # Send the presence as "available" to whatsapp when users start typing on a portal.
+      # This works as a workaround for homeservers that do not support presence, and allows
+      # users to see when the whatsapp user on the other side is typing during a conversation.
+      send_presence_on_typing: false
+      # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
+      # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
+      #
+      # By default, the bridge acts like WhatsApp web, which only sends active delivery
+      # receipts when it's in the foreground.
+      force_active_delivery_receipts: false
+      # Servers to always allow double puppeting from
+      double_puppet_server_map:
+        example.com: https://example.com
+      # Allow using double puppeting from any server with a valid client .well-known file.
+      double_puppet_allow_discovery: false
+      # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+      #
+      # If set, double puppeting will be enabled automatically for local users
+      # instead of users having to find an access token and run `login-matrix`
+      # manually.
+      login_shared_secret_map:
+        example.com: foobar
+      # Whether to explicitly set the avatar and room name for private chat portal rooms.
+      # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+      # If set to `always`, all DM rooms will have explicit names and avatars set.
+      # If set to `never`, DM rooms will never have names and avatars set.
+      private_chat_portal_meta: default
+      # Should group members be synced in parallel? This makes member sync faster
+      parallel_member_sync: false
+      # Should Matrix m.notice-type messages be bridged?
+      bridge_notices: true
+      # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+      # This field will automatically be changed back to false after it, except if the config file is not writable.
+      resend_bridge_info: false
+      # When using double puppeting, should muted chats be muted in Matrix?
+      mute_bridging: false
+      # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+      # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
+      # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+      archive_tag: null
+      # Same as above, but for pinned chats. The favorite tag is called m.favourite
+      pinned_tag: null
+      # Should mute status and tags only be bridged when the portal room is created?
+      tag_only_on_create: true
+      # Should WhatsApp status messages be bridged into a Matrix room?
+      # Disabling this won't affect already created status broadcast rooms.
+      enable_status_broadcast: true
+      # Should sending WhatsApp status messages be allowed?
+      # This can cause issues if the user has lots of contacts, so it's disabled by default.
+      disable_status_broadcast_send: true
+      # Should the status broadcast room be muted and moved into low priority by default?
+      # This is only applied when creating the room, the user can unmute it later.
+      mute_status_broadcast: true
+      # Tag to apply to the status broadcast room.
+      status_broadcast_tag: m.lowpriority
+      # Should the bridge use thumbnails from WhatsApp?
+      # They're disabled by default due to very low resolution.
+      whatsapp_thumbnail: false
+      # Allow invite permission for user. User can invite any bots to room with whatsapp
+      # users (private chat and groups)
+      allow_user_invite: false
+      # Whether or not created rooms should have federation enabled.
+      # If false, created portal rooms will never be federated.
+      federate_rooms: true
+      # Should the bridge never send alerts to the bridge management room?
+      # These are mostly things like the user being logged out.
+      disable_bridge_alerts: false
+      # Should the bridge stop if the WhatsApp server says another user connected with the same session?
+      # This is only safe on single-user bridges.
+      crash_on_stream_replaced: false
+      # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
+      # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
+      # key in the event content even if this is disabled.
+      url_previews: false
+      # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+      # This is currently not supported in most clients.
+      caption_in_message: false
+      # Send galleries as a single event? This is not an MSC (yet).
+      beeper_galleries: false
+      # Should polls be sent using MSC3381 event types?
+      extev_polls: false
+      # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this.
+      cross_room_replies: false
+      # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
+      # but they're being phased out and will be completely removed in the future.
+      disable_reply_fallbacks: false
+      # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
+      # Null means there's no enforced timeout.
+      message_handling_timeout:
+        # Send an error message after this timeout, but keep waiting for the response until the deadline.
+        # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
+        # If the message is older than this when it reaches the bridge, the message won't be handled at all.
+        error_after: null
+        # Drop messages after this timeout. They may still go through if the message got sent to the servers.
+        # This is counted from the time the bridge starts handling the message.
+        deadline: 120s
+
+      # The prefix for commands. Only required in non-management rooms.
+      command_prefix: "!wa"
+
+      # Messages sent upon joining a management room.
+      # Markdown is supported. The defaults are listed below.
+      management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a WhatsApp bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `login` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+
+      # End-to-bridge encryption support options.
+      #
+      # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+      encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: false
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: false
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: false
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: false
+        # Should users mentions be in the event wire content to enable the server to send push notifications?
+        plaintext_mentions: false
+        # Options for deleting megolm sessions from the bridge.
+        delete_keys:
+          # Beeper-specific: delete outbound sessions when hungryserv confirms
+          # that the user has uploaded the key to key backup.
+          delete_outbound_on_ack: false
+          # Don't store outbound sessions in the inbound table.
+          dont_store_outbound: false
+          # Ratchet megolm sessions forward after decrypting messages.
+          ratchet_on_decrypt: false
+          # Delete fully used keys (index >= max_messages) after decrypting messages.
+          delete_fully_used_on_decrypt: false
+          # Delete previous megolm sessions from same device when receiving a new one.
+          delete_prev_on_new_session: false
+          # Delete megolm sessions received from a device when the device is deleted.
+          delete_on_device_delete: false
+          # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+          periodically_delete_expired: false
+          # Delete inbound megolm sessions that don't have the received_at field used for
+          # automatic ratcheting and expired session deletion. This is meant as a migration
+          # to delete old keys prior to the bridge update.
+          delete_outdated_inbound: false
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+          # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+          receive: unverified
+          # Minimum level that the bridge should accept for incoming Matrix messages.
+          send: unverified
+          # Minimum level that the bridge should require for accepting key requests.
+          share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+          # Enable custom Megolm room key rotation settings. Note that these
+          # settings will only apply to rooms created after this option is
+          # set.
+          enable_custom: false
+          # The maximum number of milliseconds a session should be used
+          # before changing it. The Matrix spec recommends 604800000 (a week)
+          # as the default.
+          milliseconds: 604800000
+          # The maximum number of messages that should be sent with a given a
+          # session before changing it. The Matrix spec recommends 100 as the
+          # default.
+          messages: 100
+
+          # Disable rotating keys when a user's devices change?
+          # You should not enable this option unless you understand all the implications.
+          disable_device_change_key_rotation: false
+
+      # Settings for provisioning API
+      provisioning:
+        # Prefix for the provisioning API paths.
+        prefix: /_matrix/provision
+        # Shared secret for authentication. If set to "generate", a random secret will be generated,
+        # or if set to "disable", the provisioning API will be disabled.
+        shared_secret: generate
+        # Enable debug API at /debug with provisioning authentication.
+        debug_endpoints: false
+
+      # Permissions for using the bridge.
+      # Permitted values:
+      #    relay - Talk through the relaybot (if enabled), no access otherwise
+      #     user - Access to use the bridge to chat with a WhatsApp account.
+      #    admin - User level and some additional administration tools
+      # Permitted keys:
+      #        * - All Matrix users
+      #   domain - All users on that homeserver
+      #     mxid - Specific user
+      permissions:
+        "*": relay
+        "example.com": user
+        "@admin:example.com": admin
+
+      # Settings for relay mode
+      relay:
+        # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
+        # authenticated user into a relaybot for that chat.
+        enabled: false
+        # Should only admins be allowed to set themselves as relay users?
+        admin_only: true
+        # The formats to use when sending messages to WhatsApp via the relaybot.
+        message_formats:
+          m.text: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
+          m.notice: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
+          m.emote: "* <b>{{ .Sender.Displayname }}</b> {{ .Message }}"
+          m.file: "<b>{{ .Sender.Displayname }}</b> sent a file"
+          m.image: "<b>{{ .Sender.Displayname }}</b> sent an image"
+          m.audio: "<b>{{ .Sender.Displayname }}</b> sent an audio file"
+          m.video: "<b>{{ .Sender.Displayname }}</b> sent a video"
+          m.location: "<b>{{ .Sender.Displayname }}</b> sent a location"
+
+    # Logging config. See https://github.com/tulir/zeroconfig for details.
+    logging:
+      min_level: debug
+      writers:
+        - type: stdout
+          format: pretty-colored
+        - type: file
+          format: json
+          filename: ./logs/mautrix-whatsapp.log
+          max_size: 100
+          max_backups: 10
+          compress: true
+
+  # registration.yml contents
+  existingRegistrationSecret: ""
+  registration:
+    rate_limited: false
+    sender_localpart: whatsappbridgebot

charts/outline/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: outline
-version: 0.0.5
+version: 0.5.1
 description: Chart for Outline wiki
 keywords:
   - wiki
@@ -14,5 +14,5 @@ icon: https://avatars.githubusercontent.com/u/1765001?s=48&v=4
 dependencies:
   - name: redis
     repository: https://charts.bitnami.com/bitnami
-    version: 18.x.x
+    version: 19.1.1
 appVersion: v0.75.2

charts/outline/templates/deployment.yaml

@@ -51,16 +51,16 @@ spec:
                 secretKeyRef:
                   name: "{{ .Values.outline.utilsSecret.existingSecretName }}"
                   key: "{{ .Values.outline.secretKey.existingSecretKey }}"
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.outline.database.passwordSecret.existingSecretName }}"
-                  key: "{{ .Values.outline.database.passwordSecret.existingSecretKey }}"
             - name: POSTGRES_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: "{{ .Values.outline.database.usernameSecret.existingSecretName }}"
                   key: "{{ .Values.outline.database.usernameSecret.existingSecretKey }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.passwordSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.database.passwordSecret.existingSecretKey }}"
             - name: POSTGRES_DATABASE_NAME
               valueFrom:
                 secretKeyRef:
@@ -71,10 +71,15 @@ spec:
                 secretKeyRef:
                   name: "{{ .Values.outline.database.databaseHost.existingSecretName }}"
                   key: "{{ .Values.outline.database.databaseHost.existingSecretKey }}"
+            - name: POSTGRES_DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.databasePort.existingSecretName }}"
+                  key: "{{ .Values.outline.database.databasePort.existingSecretKey }}"
             - name: DATABASE_URL
-              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@postgresql-{{ .Release.Name }}-cluster-rw:5432/$(POSTGRES_DATABASE_NAME)"
+              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)"
             - name: DATABASE_URL_TEST
-              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@postgresql-{{ .Release.Name }}-cluster-rw:5432/$(POSTGRES_DATABASE_NAME)-test"
+              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)-test"
             - name: DATABASE_CONNECTION_POOL_MIN
               value: "{{ .Values.outline.database.connectionPoolMin }}"
             - name: DATABASE_CONNECTION_POOL_MAX
@@ -97,37 +102,14 @@ spec:
                 secretKeyRef:
                   name: "{{ .Values.persistence.s3.credentialsSecret }}"
                   key: AWS_SECRET_ACCESS_KEY
-          {{- if .Values.persistence.s3.endpointConfigMap.enabled }}
-            - name: AWS_REGION
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_REGION
-            - name: AWS_S3_UPLOAD_BUCKET_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_NAME
-            - name: AWS_S3_UPLOAD_BUCKET_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_HOST
-            - name: AWS_S3_UPLOAD_BUCKET_PORT
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_PORT
-            - name: AWS_S3_UPLOAD_BUCKET_URL
-              value: "$(AWS_S3_UPLOAD_BUCKET_HOST):$(AWS_S3_UPLOAD_BUCKET_PORT)|"
-          {{- else }}
             - name: AWS_REGION
               value: "{{ .Values.persistence.s3.region }}"
             - name: AWS_S3_UPLOAD_BUCKET_NAME
               value: "{{ .Values.persistence.s3.bucketName }}"
             - name: AWS_S3_UPLOAD_BUCKET_URL
-              value: "{{ .Values.persistence.s3.endpoint }}"
-          {{- end }}
+              value: "{{ .Values.persistence.s3.bucketUrl }}"
+            - name: AWS_S3_ACCELERATE_URL
+              value: "{{ .Values.persistence.s3.bucketUrl }}"
             - name: AWS_S3_FORCE_PATH_STYLE
               value: "{{ .Values.persistence.s3.forcePathStyle }}"
             - name: AWS_S3_ACL

charts/outline/templates/ingress.yaml

@@ -17,7 +17,7 @@ spec:
   tls:
     - hosts:
       - {{ .Values.ingress.host }}
-      secretName: {{ .Release.Name }}-tls-secret
+      secretName: {{ .Release.Name }}-secret-tls
   rules:
     - host: {{ .Values.ingress.host }}
       http:

charts/outline/values.yaml

@@ -17,19 +17,16 @@ service:
     port: 3000
 ingress:
   enabled: true
-  className: traefik
+  className:
   annotations:
   host:
 persistence:
   type: s3
   s3:
     credentialsSecret:
-    endpointConfigMap:
-      enabled: false
-      name:
     region:
     bucketName:
-    endpoint:
+    bucketUrl:
     uploadMaxSize: "26214400"
     forcePathStyle: false
     acl: private
@@ -38,10 +35,6 @@ persistence:
     storageSize: 50Gi
     localRootDir: /var/lib/outline/data
     uploadMaxSize: 26214400
-redis:
-  architecture: standalone
-  auth:
-    enabled: false
 outline:
   nodeEnv: production
   url:
@@ -54,16 +47,19 @@ outline:
   database:
     passwordSecret:
       existingSecretName:
-      existingSecretKey: password
+      existingSecretKey:
     usernameSecret:
       existingSecretName:
-      existingSecretKey: username
+      existingSecretKey:
     databaseName:
       existingSecretName:
-      existingSecretKey: dbname
+      existingSecretKey:
     databaseHost:
       existingSecretName:
-      existingSecretKey: host
+      existingSecretKey:
+    databasePort:
+      existingSecretName:
+      existingSecretKey:
     connectionPoolMin: ""
     connectionPoolMax: "20"
     sslMode: disable
@@ -94,3 +90,7 @@ outline:
       usernameClaim:
       displayName:
       scopes: openid profile email
+redis:
+  architecture: standalone
+  auth:
+    enabled: false

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 0.2.3
+version: 2.3.5
 description: Chart for cloudnative-pg cluster
 keywords:
   - database
@@ -10,4 +10,4 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
-appVersion: v1.22.1
+appVersion: v1.22.2

charts/postgres-cluster/templates/_backup.tpl

@@ -0,0 +1,30 @@
+{{- define "cluster.backup" -}}
+{{- if .Values.backup.enabled }}
+backup:
+  retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  barmanObjectStore:
+    destinationPath: "s3://{{ .Values.backup.endpointBucket }}/{{ .Values.kubernetesClusterName }}/postgresql/{{ include "cluster.backupName" . }}"
+    endpointURL: {{ .Values.backup.endpointURL }}
+    {{- if .Values.backup.endpointCA }}
+    endpointCA:
+      name: {{ .Values.backup.endpointCA }}
+      key: ca-bundle.crt
+    {{- end }}
+    serverName: "{{ include "cluster.name" . }}-backup-{{ .Values.backup.backupIndex }}"
+    s3Credentials:
+      accessKeyId:
+        name: {{ include "cluster.backupCredentials" . }}
+        key: ACCESS_KEY_ID
+      secretAccessKey:
+        name: {{ include "cluster.backupCredentials" . }}
+        key: ACCESS_SECRET_KEY
+    wal:
+      compression: {{ .Values.backup.wal.compression }}
+      encryption: {{ .Values.backup.wal.encryption }}
+      maxParallel: {{ .Values.backup.wal.maxParallel }}
+    data:
+      compression: {{ .Values.backup.data.compression }}
+      encryption: {{ .Values.backup.data.encryption }}
+      jobs: {{ .Values.backup.data.jobs }}
+{{- end }}
+{{- end }}

charts/postgres-cluster/templates/_bootstrap.tpl

@@ -0,0 +1,92 @@
+{{- define "cluster.bootstrap" -}}
+bootstrap:
+{{- if eq .Values.mode "standalone" }}
+  initdb:
+    {{- with .Values.cluster.initdb }}
+    {{- with (omit . "postInitApplicationSQL") }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    postInitApplicationSQL:
+      {{- if eq .Values.type "postgis" }}
+      - CREATE EXTENSION IF NOT EXISTS postgis;
+      - CREATE EXTENSION IF NOT EXISTS postgis_topology;
+      - CREATE EXTENSION IF NOT EXISTS fuzzystrmatch;
+      - CREATE EXTENSION IF NOT EXISTS postgis_tiger_geocoder;
+      {{- else if eq .Values.type "timescaledb" }}
+      - CREATE EXTENSION IF NOT EXISTS timescaledb;
+      {{- end }}
+      {{- with .Values.cluster.initdb }}
+      {{- range .postInitApplicationSQL }}
+      {{- printf "- %s" . | nindent 6 }}
+      {{- end }}
+      {{- end }}
+{{- else if eq .Values.mode "replica" }}
+  initdb:
+    import:
+      type: {{ .Values.replica.importType }}
+      databases:
+        {{- if and (gt (len .Values.replica.importDatabases) 1) (eq (default .Values.replica.importType "microservice") "microservice") }}
+          {{ fail "Too many databases in import type of microservice!" }}
+        {{- else}}
+        {{- with .Values.replica.importDatabases }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- end }}        
+      {{- if .Values.replica.importType eq "monolith" }}
+      roles:
+        {{- with .Values.replica.importRoles }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- if and (.Values.replica.postImportApplicationSQL) (.Values.replica.importType eq "microservice") }}
+      postImportApplicationSQL:
+        {{- with .Values.replica.postImportApplicationSQL }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}      
+      {{- end }}
+      source:
+        externalCluster: "{{ include "cluster.name" . }}-cluster"
+externalClusters:
+  - name: "{{ include "cluster.name" . }}-cluster"
+    {{- with .Values.replica.externalCluster }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}    
+{{- else if eq .Values.mode "recovery" }}
+  recovery:
+    {{- with .Values.recovery.pitrTarget.time }}
+    recoveryTarget:
+      targetTime: {{ . }}
+    {{- end }}
+    source: "{{ include "cluster.name" . }}-backup-{{ .Values.recovery.recoveryIndex }}"
+externalClusters:
+  - name: "{{ include "cluster.name" . }}-backup-{{ .Values.recovery.recoveryIndex }}"
+    barmanObjectStore:
+      serverName: "{{ include "cluster.name" . }}-backup-{{ .Values.recovery.recoveryIndex }}"
+      destinationPath: "s3://{{ .Values.recovery.endpointBucket }}/{{ .Values.kubernetesClusterName }}/postgresql/{{ include "cluster.recoveryName" . }}"
+      endpointURL: {{ .Values.recovery.endpointURL }}
+      {{- with .Values.recovery.endpointCA }}
+      endpointCA:
+        name: {{ . }}
+        key: ca-bundle.crt
+      {{- end }}
+      serverName: "{{ include "cluster.name" . }}-backup-{{ .Values.recovery.recoveryIndex }}"
+      s3Credentials:
+        accessKeyId:
+          name: {{ include "cluster.recoveryCredentials" . }}
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ include "cluster.recoveryCredentials" . }}
+          key: ACCESS_SECRET_KEY
+      wal:
+        compression: {{ .Values.recovery.wal.compression }}
+        encryption: {{ .Values.recovery.wal.encryption }}
+        maxParallel: {{ .Values.recovery.wal.maxParallel }}
+      data:
+        compression: {{ .Values.recovery.data.compression }}
+        encryption: {{ .Values.recovery.data.encryption }}
+        jobs: {{ .Values.recovery.data.jobs }}
+{{- else }}
+  {{ fail "Invalid cluster mode!" }}
+{{- end }}
+{{- end }}

charts/postgres-cluster/templates/_helpers.tpl

@@ -0,0 +1,80 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-postgresql-%s" .Release.Name ((semver .Values.cluster.image.tag).Major | toString) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster.labels" -}}
+helm.sh/chart: {{ include "cluster.chart" . }}
+{{ include "cluster.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: cloudnative-pg
+{{- end }}
+
+{{/*
+Generate name for object store credentials
+*/}}
+{{- define "cluster.recoveryCredentials" -}}
+  {{- if .Values.recovery.endpointCredentials -}}
+    {{- .Values.recovery.endpointCredentials -}}
+  {{- else -}}
+    {{- printf "%s-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{- define "cluster.backupCredentials" -}}
+  {{- if .Values.backup.endpointCredentials -}}
+    {{- .Values.backup.endpointCredentials -}}
+  {{- else -}}
+    {{- printf "%s-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate backup server name
+*/}}
+{{- define "cluster.backupName" -}}
+  {{- if .Values.backup.backupName -}}
+    {{- .Values.backup.backupName -}}
+  {{- else -}}
+    {{ include "cluster.name" . }}
+  {{- end }}
+{{- end }}
+
+
+{{/*
+Generate recovery server name
+*/}}
+{{- define "cluster.recoveryName" -}}
+  {{- if .Values.recovery.recoveryName -}}
+    {{- .Values.recovery.recoveryName -}}
+  {{- else -}}
+    {{ include "cluster.name" . }}
+  {{- end }}
+{{- end }}

charts/postgres-cluster/templates/cluster.yaml

@@ -0,0 +1,52 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "cluster.name" . }}-cluster
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.cluster.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+  {{- with .Values.cluster.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  instances: {{ .Values.cluster.instances }}
+  imageName: "{{ .Values.cluster.image.repository }}:{{ .Values.cluster.image.tag }}"
+  imagePullPolicy: {{ .Values.cluster.image.pullPolicy }}
+  postgresUID: {{ .Values.cluster.postgresUID }}
+  postgresGID: {{ .Values.cluster.postgresGID }}
+  walStorage:
+    size: {{ .Values.cluster.walStorage.size }}
+    storageClass: {{ .Values.cluster.walStorage.storageClass }}
+  storage:
+    size: {{ .Values.cluster.storage.size }}
+    storageClass: {{ .Values.cluster.storage.storageClass }}
+  {{- with .Values.cluster.resources }}
+  resources:
+    {{- toYaml . | nindent 4 }}
+  {{ end }}
+  {{- with .Values.cluster.affinity }}
+  affinity:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  priorityClassName: {{ .Values.cluster.priorityClassName }}
+  primaryUpdateMethod: {{ .Values.cluster.primaryUpdateMethod }}
+  primaryUpdateStrategy: {{ .Values.cluster.primaryUpdateStrategy }}
+  logLevel: {{ .Values.cluster.logLevel }}
+  postgresql:
+    shared_preload_libraries:
+      {{- if eq .Values.type "timescaledb" }}
+      - timescaledb
+      {{- end }}
+    {{- with .Values.cluster.postgresql.parameters }}
+    parameters:
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+  monitoring:
+    enablePodMonitor: {{ and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
+
+  {{ include "cluster.bootstrap" . | nindent 2 }}
+  {{ include "cluster.backup" . | nindent 2 }}

charts/postgres-cluster/templates/postgresql-cluster.yaml

@@ -1,81 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: "postgresql-{{ .Release.Name }}-cluster"
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/component: database
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  imageName: "{{ .Values.cluster.image.repository }}:{{ .Values.cluster.image.tag }}"
-  instances: {{ .Values.cluster.instances }}
-  replicationSlots:
-    highAvailability:
-      enabled: true
-  affinity:
-    enablePodAntiAffinity: true
-    topologyKey: kubernetes.io/hostname
-  postgresql:
-    parameters:
-      {{- toYaml .Values.cluster.parameters | nindent 6 }}
-  resources:
-    {{- toYaml .Values.cluster.resources | nindent 4 }}
-  storage:
-    storageClass: {{ .Values.cluster.storage.data.storageClass }}
-    size: {{ .Values.cluster.storage.data.size }}
-  walStorage:
-    storageClass: {{ .Values.cluster.storage.wal.storageClass }}
-    size: {{ .Values.cluster.storage.wal.size }}
-  monitoring:
-    enablePodMonitor: true
-
-  {{- if .Values.bootstrap.initdbEnabled }}
-  bootstrap:
-    initdb:
-      {{- toYaml .Values.bootstrap.initdb | nindent 6 }}
-  {{- end }}
-
-  {{- if .Values.bootstrap.recoveryEnabled }}
-  bootstrap:
-    recovery:
-      source: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.bootstrap.recoveryIndex }}"
-  externalClusters:
-    - name: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.bootstrap.recoveryIndex }}"
-      barmanObjectStore:
-        endpointURL: {{ .Values.bootstrap.endpointURL }}
-        destinationPath: "s3://{{ .Values.bootstrap.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
-        s3Credentials:
-          accessKeyId:
-            name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-            key: ACCESS_KEY_ID
-          secretAccessKey:
-            name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-            key: ACCESS_SECRET_KEY
-        data:
-          compression: {{ .Values.cluster.compression }}
-        wal:
-          compression: {{ .Values.cluster.compression }}
-  {{- end }}
-
-  {{- if .Values.backup.backupEnabled }}
-  backup:
-    retentionPolicy: "{{ .Values.backup.retentionPolicy }}"
-    barmanObjectStore:
-      destinationPath: "s3://{{ .Values.backup.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
-      endpointURL: {{ .Values.backup.endpointURL }}
-      serverName: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.backup.backupIndex }}"
-      s3Credentials:
-        accessKeyId:
-          name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-          key: ACCESS_KEY_ID
-        secretAccessKey:
-          name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-          key: ACCESS_SECRET_KEY
-      data:
-        compression: {{ .Values.cluster.compression }}
-      wal:
-        compression: {{ .Values.cluster.compression }}
-  {{- end }}

charts/postgres-cluster/templates/prometheus-rule.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "cluster.name" . }}-alert-rules
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+  {{- with .Values.cluster.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  groups:
+    - name: cloudnative-pg/{{ include "cluster.name" . }}
+      rules:
+        {{- $dict := dict "excludeRules" .Values.cluster.monitoring.prometheusRule.excludeRules -}}
+        {{- $_ := set $dict "value"       "{{ $value }}" -}}
+        {{- $_ := set $dict "namespace"   .Release.Namespace -}}
+        {{- $_ := set $dict "cluster"     (printf "%s-cluster" (include "cluster.name" .) ) -}}
+        {{- $_ := set $dict "labels"      (dict "job" "{{ $labels.job }}" "node" "{{ $labels.node }}" "pod" "{{ $labels.pod }}") -}}
+        {{- $_ := set $dict "podSelector" (printf "%s-cluster-([1-9][0-9]*)$" (include "cluster.name" .) ) -}}
+        {{- $_ := set $dict "Values"      .Values -}}
+        {{- $_ := set $dict "Template"    .Template -}}
+        {{- range $path, $_ := .Files.Glob  "prometheus_rules/**.yaml" }}
+        {{- $tpl := tpl ($.Files.Get $path) $dict | nindent 10 | trim -}}
+        {{- with $tpl }}
+        - {{ $tpl }}
+        {{- end -}}
+        {{- end -}}
+{{ end }}

charts/postgres-cluster/templates/scheduled-backup.yaml

@@ -1,16 +1,18 @@
+{{ if .Values.backup.enabled }}
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
-  name: "postgresql-{{ .Release.Name }}-cluster-backup"
+  name: {{ include "cluster.name" . }}-scheduled-backup
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/component: database
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "cluster.labels" . | nindent 4 }}
+  {{- with .Values.cluster.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
 spec:
+  immediate: true
   schedule: {{ .Values.backup.schedule }}
   backupOwnerReference: self
   cluster:
-    name: "postgresql-{{ .Release.Name }}-cluster"
+    name: {{ include "cluster.name" . }}-cluster
+{{ end }}

charts/postgres-cluster/values.yaml

@@ -1,42 +1,195 @@
+# -- Override the name of the cluster
+nameOverride: ""
+
+###
+# -- Type of the CNPG database. Available types:
+# * `postgresql`
+# * `postgis`
+# * `timescaledb`
+type: postgresql
+
+###
+# Cluster mode of operation. Available modes:
+# * `standalone` - Default mode. Creates new or updates an existing CNPG cluster.
+# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup
+# * `replica` - Create database as a replica from another CNPG cluster
+mode: standalone
+
+# Generates bucket name and path for recovery and backup, creates: <endpointBucket>/<clusterName>/postgresql/{{ .Release.Name }}
+kubernetesClusterName: ""
+
 cluster:
-  name: cl01tl
+  instances: 3
+
   image:
     repository: ghcr.io/cloudnative-pg/postgresql
-    tag: 16.0
-  instances: 2
+    tag: "16.2"
+    pullPolicy: IfNotPresent
+
+  # The UID and GID of the postgres user inside the image
+  postgresUID: 26
+  postgresGID: 26
+
+  walStorage:
+    size: 2Gi
+    storageClass: ""
+  storage:
+    size: 10Gi
+    storageClass: ""
+
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 10m
+    limits:
+      memory: 1Gi
+      cpu: 100m
+      hugepages-2Mi: 256Mi
+
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration
+  affinity:
+    enablePodAntiAffinity: true
+    topologyKey: kubernetes.io/hostname
+
+  additionalLabels: {}
+  annotations: {}
+
+  priorityClassName: ""
+
+  # Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
+  # successfully updated. It can be switchover (default) or in-place (restart).
+  primaryUpdateMethod: switchover
+
+  # Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
+  # successfully updated: it can be automated (unsupervised - default) or manual (supervised)
+  primaryUpdateStrategy: unsupervised
+
+  logLevel: "info"
+
+  monitoring:
+    enabled: false
+    podMonitor:
+      enabled: true
+    prometheusRule:
+      enabled: true
+      excludeRules: []
+
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration
+  postgresql:
     parameters:
       shared_buffers: 128MB
       max_slot_wal_keep_size: 2000MB
       hot_standby_feedback: "on"
-  compression: snappy
-  resources:
-    requests:
-      memory: 512Mi
-      cpu: 100m
-    limits:
-      memory: 2Gi
-      cpu: 1500m
-      hugepages-2Mi: 512Mi
-  storage:
-    data:
-      storageClass: default
-      size: 10Gi
-    wal:
-      storageClass: default
-      size: 2Gi
-bootstrap:
-  recoveryEnabled: false
+
+  # BootstrapInitDB is the configuration of the bootstrap process when initdb is used.
+  # See: https://cloudnative-pg.io/documentation/current/bootstrap/
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb
+  initdb: {}
+    # database: app
+    # owner: app
+    # secret: "" # Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
+    # postInitApplicationSQL:
+    #   - CREATE TABLE IF NOT EXISTS example;
+
+recovery:
+  # Point in time recovery target in RFC3339 format
+  pitrTarget:
+    time: ""
+
+  # Overrides the provider specific default endpoint. Defaults to:
+  # S3: https://s3.<region>.amazonaws.com"
+  endpointURL: ""
+  endpointBucket: ""
+
+  # Specifies secret that contains a CA bundle to validate a privately signed certificate, should contain the key ca-bundle.crt
+  endpointCA: ""
+
+  # Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+  endpointCredentials: ""
+
+  # Generate external cluster name, uses: postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.recovery.recoveryIndex }}"
   recoveryIndex: 1
-  endpointURL:
-  bucket:
-  initdbEnabled: false
-  initdb:
-    database: app
-    owner: app
+
+  # Name of the recovery cluster in the object store, defaults to "cluster.name"
+  recoveryName: ""
+
+  wal:
+    # WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of WAL files to be archived or restored in parallel.
+    maxParallel: 2
+  data:
+    # Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of data files to be archived or restored in parallel.
+    jobs: 2
+
+replica:
+  # See https://cloudnative-pg.io/documentation/current/database_import/
+  # * `microservice` - Single database import as expected from cnpg clusters
+  # * `monolith` - Import multiple databases and roles
+  importType: microservice
+
+  # If type microservice only one database is allowed, default is app as standard in cnpg clusters
+  importDatabases:
+    - app
+  
+  # If type microservice no roles are imported and ignored
+  importRoles: []
+
+  # If import type is monolith postImportApplicationSQL is not supported and ignored
+  postImportApplicationSQL: []
+
+  # External cluster connection, password specifies a secret name and the key containing the password value
+  externalCluster:
+    connectionParameters:
+      host: postgresql
+      user: app
+      dbname: app
+    password:
+      name: postgresql
+      key: password
+
 backup:
-  backupEnabled: true
-  schedule: "0 0 0 * * *"
-  retentionPolicy: 14d
+  enabled: false
+
+  # Overrides the provider specific default endpoint
+  endpointURL: ""
+  endpointBucket: ""
+
+  # Specifies secret that contains a CA bundle to validate a privately signed certificate, should contain the key ca-bundle.crt
+  endpointCA: ""
+
+  # Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+  endpointCredentials: ""
+
+  # Generate external cluster name, creates: postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.backups.backupIndex }}"
   backupIndex: 1
-  endpointURL:
-  bucket:
+
+  # Name of the backup cluster in the object store, defaults to "cluster.name"
+  backupName: ""
+
+  wal:
+    # WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of WAL files to be archived or restored in parallel.
+    maxParallel: 2
+  data:
+    # Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of data files to be archived or restored in parallel.
+    jobs: 2
+
+  # Retention policy for backups
+  retentionPolicy: "30d"
+
+  # Scheduled backup in cron format
+  schedule: "0 0 0 * * *"

charts/qbittorrent/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: qbittorrent
+version: 0.0.8
+description: Chart for qBittorrent
+keywords:
+  - downloads
+  - torrent
+sources:
+  - https://github.com/qbittorrent/qBittorrent
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/2131270?s=48&v=4
+appVersion: version-4.6.3-r0

charts/qbittorrent/README.md

@@ -0,0 +1,17 @@
+## Introduction
+
+[qBittorrent](https://github.com/qbittorrent/qBittorrent)
+
+qBittorrent is a bittorrent client programmed in C++ / Qt that uses libtorrent
+
+This chart bootstraps a [qBittorrent](https://github.com/qbittorrent/qBittorrent) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/qbittorrent/templates/deployment.yaml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: qbittorrent
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.server.replicas }}
+  strategy:
+    type: {{ .Values.server.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: qbittorrent
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: qbittorrent
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: qbittorrent
+      automountServiceAccountToken: true
+      containers:
+        - name: qbittorrent
+          image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
+          imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+          env:
+          {{- with (concat .Values.global.env .Values.server.env) }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+            - name: WEBUI_PORT
+              value: "{{ .Values.server.service.http.port }}"
+          resources:
+            {{- toYaml .Values.server.resources | nindent 12 }}
+          volumeMounts:
+            - name: qbittorrent-config
+              mountPath: /config
+            - name: media-storage
+              mountPath: {{ .Values.global.persistence.media.mountPath }}
+
+        {{- if .Values.gluetun.enabled }}
+        - name: gluetun
+          image: "{{.Values.gluetun.image.repository}}:{{.Values.gluetun.image.tag}}"
+          imagePullPolicy: {{ .Values.gluetun.image.pullPolicy }}
+          env:
+          {{- with (concat .Values.global.env .Values.gluetun.env) }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: health
+              containerPort: {{ .Values.gluetun.service.health.port }}
+              protocol: TCP
+            - name: http
+              containerPort: {{ .Values.server.service.http.port }}
+              protocol: TCP
+            - name: metrics
+              containerPort: 9022
+              protocol: TCP
+          securityContext:
+            {{- toYaml .Values.gluetun.securityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.gluetun.resources | nindent 12 }}
+          volumeMounts:
+            - name: tunnel-device
+              mountPath: /dev/net/tun
+            - name: wg0-wireguard-config
+              mountPath: /gluetun/wireguard/
+        {{- end }}
+
+        {{- if .Values.metrics.enabled }}
+        - name: exporter
+          image: "{{ .Values.metrics.exporter.image.repository }}:{{.Values.metrics.exporter.image.tag }}"
+          imagePullPolicy: {{ .Values.metrics.exporter.image.pullPolicy }}
+          env:
+          {{- with (concat .Values.global.env .Values.metrics.exporter.env) }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+            - name: QBITTORRENT_HOST
+              value: "http://localhost"
+            - name: QBITTORRENT_PORT
+              value: "{{ .Values.server.service.http.port }}"
+            - name: EXPORTER_PORT
+              value: "9022"
+        {{- end }}
+
+      volumes:
+
+        {{- if .Values.gluetun.enabled }}
+        - name: tunnel-device
+          hostPath:
+            path: /dev/net/tun
+        - name: wg0-wireguard-config
+          secret:
+            secretName: {{ .Values.gluetun.existingSecretName }}
+            items:
+              - key: wg0.conf
+                path: wg0.conf
+        {{- end }}
+
+        - name: qbittorrent-config
+          persistentVolumeClaim:
+            claimName: qbittorrent-config
+        - name: media-storage
+          persistentVolumeClaim:
+            claimName: {{ .Values.global.persistence.media.claimName }}

charts/qbittorrent/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.server.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: qbittorrent
+  annotations:
+    {{- toYaml .Values.server.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.server.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.server.ingress.host }}
+      secretName: qbittorrent-secret-tls
+  rules:
+    - host: {{ .Values.server.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: qbittorrent-webui
+                port:
+                  name: http
+{{- end }}

charts/qbittorrent/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrent-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: qbittorrent
+spec:
+  storageClassName: {{ .Values.server.persistence.config.storageClassName }}
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: {{ .Values.server.persistence.config.storageSize }}

charts/qbittorrent/templates/service-account.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.global.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: qbittorrent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: qbittorrent
+{{- end }}

charts/qbittorrent/templates/service-monitor.yaml

@@ -0,0 +1,23 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: qbittorrent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: qbittorrent
+spec:
+  endpoints:
+    - port: metrics
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      path: /metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: qbittorrent
+      app.kubernetes.io/instance: {{ .Release.Name }}      
+{{- end }}

charts/qbittorrent/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrent-webui
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: qbittorrent
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.server.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/qbittorrent/values.yaml

@@ -0,0 +1,84 @@
+global:
+  serviceAccount:
+    create: true
+  env: []
+  persistence:
+    media:
+      claimName:
+      mountPath:
+server:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: linuxserver/qbittorrent
+    tag: "version-4.6.3-r0"
+    pullPolicy: IfNotPresent
+  env:
+    - name: TZ
+      value: UTC
+    - name: PUID
+      value: "1000"
+    - name: PGID
+      value: "1000"
+    - name: UMASK_SET
+      value: "002"
+  resources:
+    requests:
+      cpu: 100m
+      memory: 2Gi
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+  service:
+    http:
+      port: 8080
+  ingress:
+    enabled: false
+    className:
+    annotations:
+    host:
+  persistence:
+    config:
+      storageClassName:
+      storageSize:
+gluetun:
+  enabled: false
+  image:
+    repository: ghcr.io/qdm12/gluetun
+    tag: v3.38.0
+    pullPolicy: IfNotPresent
+  securityContext:
+    privileged: True
+    capabilities:
+      add:
+        - NET_ADMIN
+  env: []
+  existingSecretName:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
+  service:
+    health:
+      port: 9999
+metrics:
+  enabled: false
+  serviceMonitor:
+    enabled: false
+    interval: 15s
+    scrapeTimeout: 5s
+  exporter:
+    image:
+      repository: esanchezm/prometheus-qbittorrent-exporter
+      tag: v1.5.1
+      imagePullPolicy: IfNotPresent
+    env:
+      - name: QBITTORRENT_USER
+        value: admin
+      - name: QBITTORRENT_PASS
+        value: ""
+      - name: EXPORTER_LOG_LEVEL
+        value: INFO

charts/taiga/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: taiga
+version: 0.2.0
+description: Chart for Taiga
+keywords:
+  - kanban
+  - project management
+sources:
+  - https://github.com/taigaio
+  - https://github.com/rabbitmq/rabbitmq-server
+  - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/6905422?s=200&v=4
+dependencies:
+  - name: rabbitmq
+    version: 14.0.1
+    repository: https://charts.bitnami.com/bitnami
+    alias: async-rabbitmq
+  - name: rabbitmq
+    version: 14.0.1
+    repository: https://charts.bitnami.com/bitnami
+    alias: events-rabbitmq
+appVersion: 6.7.7

charts/taiga/README.md

@@ -0,0 +1,17 @@
+## Introduction
+
+[Taiga 6](https://github.com/taigaio)
+
+Intuitive and simple, yet feature complete Kanban board
+
+This chart bootstraps a [Taiga](https://github.com/taigaio) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/taiga/templates/_helpers.tpl

@@ -0,0 +1,135 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "taiga.name" -}}
+  {{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "taiga.fullname" -}}
+  {{- if .Values.global.fullnameOverride -}}
+    {{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- $name := default .Chart.Name .Values.global.nameOverride -}}
+    {{- if contains $name .Release.Name -}}
+      {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+    {{- else -}}
+      {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label
+*/}}
+{{- define "taiga.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "taiga.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Common labels for specific components
+*/}}
+{{- define "taiga.back.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-back
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.async.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-async
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.front.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-front
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.events.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-events
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.protected.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-protected
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "taiga.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.back.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-back
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.async.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-async
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.front.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-front
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.events.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-events
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.protected.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-protected
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "taiga.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create -}}
+    {{ default (include "taiga.fullname" .) .Values.serviceAccount.name }}
+  {{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the static persistent volume
+*/}}
+{{- define "taiga.staticVolumeName" -}}
+  {{- if .Values.persistence.static.existingClaim -}}
+    {{ .Values.persistence.static.existingClaim }}
+  {{- else -}}
+    {{ printf "%s-static" (include "taiga.fullname" .) | trunc 63 | trimSuffix "-" }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the media persistent volume
+*/}}
+{{- define "taiga.mediaVolumeName" -}}
+  {{- if .Values.persistence.media.existingClaim -}}
+    {{ .Values.persistence.media.existingClaim }}
+  {{- else -}}
+    {{ printf "%s-media" (include "taiga.fullname" .) | trunc 63 | trimSuffix "-" }}
+  {{- end -}}
+{{- end -}}

charts/taiga/templates/config-map.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.createInitialUser }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "taiga.fullname" . }}-create-initial-user
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  createinitialuser.sh: |
+    #!/bin/sh
+    echo """
+    import time
+    import requests
+    import subprocess
+
+    print('Waiting for backend ...')
+    while requests.get('http://{{ template "taiga.fullname" . }}-back/api/v1/').status_code != 200:
+        print('...')
+        time.sleep(2)
+
+    if str(subprocess.check_output(['python', 'manage.py', 'dumpdata', 'users.user'], cwd='/taiga-back')).find('\"is_superuser\": true') == -1:
+        print(subprocess.check_output(['python', 'manage.py', 'loaddata', 'initial_user'], cwd='/taiga-back'))
+    else:
+        print('Admin user yet created.')
+        """ > /tmp/create_superuser.py
+        python /tmp/create_superuser.py
+{{- end }}

charts/taiga/templates/deployment-back.yaml

@@ -0,0 +1,515 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-back
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.back.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.back.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.back.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.back.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-back
+      annotations:
+        {{- with .Values.back.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.back.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.back.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.back.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.back.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-back
+          image: "{{ .Values.back.image.repository }}:{{ .Values.back.image.tag }}"
+          imagePullPolicy: {{ .Values.back.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.back.resources | nindent 12 }}
+          ports:
+            - name: taiga-back
+              containerPort: {{ .Values.back.service.port }}
+              protocol: TCP
+          volumeMounts:
+            - name: taiga-static
+              mountPath: /taiga-back/static
+            - name: taiga-media
+              mountPath: /taiga-back/media
+          env:
+            - name: TAIGA_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: ENABLE_TELEMETRY
+              value: "{{ .Values.enableTelemetry }}"
+            - name: PUBLIC_REGISTER_ENABLED
+              value: "{{ .Values.publicRegisterEnabled }}"
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.usernameKey }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.passwordKey }}"
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.databaseNameKey }}"
+            - name: POSTGRES_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.hostKey }}"
+
+          {{ if .Values.oidc.enabled }}
+            - name: OIDC_ENABLED
+              value: "True"
+            - name: OIDC_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.scopesKey }}"
+            - name: OIDC_SIGN_ALGO
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.signatureAlgorithmKey }}"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientIdKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientSecretKey }}"
+            - name: OIDC_BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.baseUrlKey }}"
+            - name: OIDC_JWKS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.jwksEndpointKey }}"
+            - name: OIDC_AUTHORIZATION_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.authorizationEndpointKey }}"
+            - name: OIDC_TOKEN_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.tokenEndpointKey }}"
+            - name: OIDC_USER_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.userEndpointKey }}"
+          {{ end }}
+
+          {{ if .Values.email.enabled }}
+            - name: EMAIL_BACKEND
+              value: "django.core.mail.backends.smtp.EmailBackend"
+            - name: DEFAULT_FROM_EMAIL
+              value: "{{ .Values.email.from }}"
+            - name: EMAIL_HOST
+              value: "{{ .Values.email.host }}"
+            - name: EMAIL_PORT
+              value: "{{ .Values.email.port }}"
+            - name: EMAIL_USE_TLS
+              value: "{{ .Values.email.tls }}"
+            - name: EMAIL_USE_SSL
+              value: "{{ .Values.email.ssl }}"
+            - name: EMAIL_HOST_USER
+              value: "{{ .Values.email.user }}"
+            - name: EMAIL_HOST_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.email.existingPasswordSecret }}"
+                  key: "{{ .Values.email.existingSecretPasswordKey }}"
+          {{ end }}
+
+            - name: ENABLE_GITHUB_AUTH
+              value: "false"
+            - name: ENABLE_GITLAB_AUTH
+              value: "false"
+            - name: ENABLE_SLACK
+              value: "{{ .Values.enableSlack }}"
+
+          {{ if .Values.githubImporter.enabled }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "True"
+            - name: GITHUB_API_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientIdKey }}"
+            - name: GITHUB_API_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientSecretKey }}"
+          {{ else }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.jiraImporter.enabled }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "True"
+            - name: JIRA_IMPORTER_CONSUMER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretConsumerKeyKey }}"
+            - name: JIRA_IMPORTER_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretCertKey }}"
+            - name: JIRA_IMPORTER_PUB_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretPubCertKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.trelloImporter.enabled }}
+            - name: ENABLE_TRELLO_IMPORTER
+              value: "True"
+            - name: TRELLO_IMPORTER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretApiKeyKey }}"
+            - name: TRELLO_IMPORTER_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretSecretKeyKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+            - name: RABBITMQ_USER
+              value: "{{ index .Values "async-rabbitmq" "auth" "username" }}"
+            - name: RABBITMQ_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ index .Values "async-rabbitmq" "auth" "existingPasswordSecret" }}
+                  key: {{ index .Values "async-rabbitmq" "auth" "existingSecretPasswordKey" }}
+
+          {{ if .Values.ingress.enabled }}
+            - name: TAIGA_SITES_DOMAIN
+              value: "{{ .Values.ingress.host }}"
+            - name: TAIGA_SITES_SCHEME
+              value: "https"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+          {{- end }}
+
+          {{- if .Values.back.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.back.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.readinessProbe.failureThreshold }}
+          {{- end }}
+
+        - name: {{ template "taiga.fullname" . }}-async
+          image: "{{ .Values.async.image.repository }}:{{ .Values.async.image.tag }}"
+          imagePullPolicy: {{ .Values.async.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.async.resources | nindent 12 }}
+          command:
+            - /taiga-back/docker/async_entrypoint.sh
+          volumeMounts:
+            - name: taiga-static
+              mountPath: /taiga-back/static
+            - name: taiga-media
+              mountPath: /taiga-back/media
+          env:
+            - name: TAIGA_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: ENABLE_TELEMETRY
+              value: "{{ .Values.enableTelemetry }}"
+            - name: PUBLIC_REGISTER_ENABLED
+              value: "{{ .Values.publicRegisterEnabled }}"
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.usernameKey }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.passwordKey }}"
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.databaseNameKey }}"
+            - name: POSTGRES_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.hostKey }}"
+
+          {{ if .Values.oidc.enabled }}
+            - name: OIDC_ENABLED
+              value: "True"
+            - name: OIDC_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.scopesKey }}"
+            - name: OIDC_SIGN_ALGO
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.signatureAlgorithmKey }}"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientIdKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientSecretKey }}"
+            - name: OIDC_BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.baseUrlKey }}"
+            - name: OIDC_JWKS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.jwksEndpointKey }}"
+            - name: OIDC_AUTHORIZATION_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.authorizationEndpointKey }}"
+            - name: OIDC_TOKEN_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.tokenEndpointKey }}"
+            - name: OIDC_USER_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.userEndpointKey }}"
+          {{ end }}
+
+          {{ if .Values.email.enabled }}
+            - name: EMAIL_BACKEND
+              value: "django.core.mail.backends.smtp.EmailBackend"
+            - name: DEFAULT_FROM_EMAIL
+              value: "{{ .Values.email.from }}"
+            - name: EMAIL_HOST
+              value: "{{ .Values.email.host }}"
+            - name: EMAIL_PORT
+              value: "{{ .Values.email.port }}"
+            - name: EMAIL_USE_TLS
+              value: "{{ .Values.email.tls }}"
+            - name: EMAIL_USE_SSL
+              value: "{{ .Values.email.ssl }}"
+            - name: EMAIL_HOST_USER
+              value: "{{ .Values.email.user }}"
+            - name: EMAIL_HOST_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.email.existingPasswordSecret }}"
+                  key: "{{ .Values.email.existingSecretPasswordKey }}"
+          {{ end }}
+
+            - name: ENABLE_GITHUB_AUTH
+              value: "false"
+            - name: ENABLE_GITLAB_AUTH
+              value: "false"
+            - name: ENABLE_SLACK
+              value: "{{ .Values.enableSlack }}"
+
+          {{ if .Values.githubImporter.enabled }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "True"
+            - name: GITHUB_API_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientIdKey }}"
+            - name: GITHUB_API_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientSecretKey }}"
+          {{ else }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.jiraImporter.enabled }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "True"
+            - name: JIRA_IMPORTER_CONSUMER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretConsumerKeyKey }}"
+            - name: JIRA_IMPORTER_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretCertKey }}"
+            - name: JIRA_IMPORTER_PUB_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretPubCertKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.trelloImporter.enabled }}
+            - name: ENABLE_TRELLO_IMPORTER
+              value: "True"
+            - name: TRELLO_IMPORTER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretApiKeyKey }}"
+            - name: TRELLO_IMPORTER_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretSecretKeyKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+            - name: RABBITMQ_USER
+              value: "{{ index .Values "async-rabbitmq" "auth" "username" }}"
+            - name: RABBITMQ_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ index .Values "async-rabbitmq" "auth" "existingPasswordSecret" }}
+                  key: {{ index .Values "async-rabbitmq" "auth" "existingSecretPasswordKey" }}
+
+          {{ if .Values.ingress.enabled }}
+            - name: TAIGA_SITES_DOMAIN
+              value: "{{ .Values.ingress.host }}"
+            - name: TAIGA_SITES_SCHEME
+              value: "https"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+          {{- end }}
+
+          {{- if .Values.back.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.back.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.readinessProbe.failureThreshold }}
+          {{- end }}
+
+      volumes:
+        - name: taiga-static
+      {{- if .Values.persistence.static.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "taiga.staticVolumeName" . }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
+        - name: taiga-media
+      {{- if .Values.persistence.media.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "taiga.mediaVolumeName" . }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}

charts/taiga/templates/deployment-events.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-events
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.events.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.events.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.events.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.events.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-events
+      annotations:
+        {{- with .Values.events.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.events.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.events.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.events.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.events.securityContext }}
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-events
+          image: "{{ .Values.events.image.repository }}:{{ .Values.events.image.tag }}"
+          imagePullPolicy: {{ .Values.events.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.events.resources | nindent 12 }}
+          ports:
+            - name: taiga-events
+              containerPort: {{ .Values.events.service.http.port }}
+              protocol: TCP
+            - name: taiga-app
+              containerPort: {{ .Values.events.service.app.port }}
+              protocol: TCP
+          env:
+            - name: TAIGA_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: RABBITMQ_USER
+              value: "{{ index .Values "events-rabbitmq" "auth" "username" }}"
+            - name: RABBITMQ_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ index .Values "events-rabbitmq" "auth" "existingPasswordSecret" }}
+                  key: {{ index .Values "events-rabbitmq" "auth" "existingSecretPasswordKey" }}
+            - name: APP_PORT
+              value: "{{ .Values.events.service.app.port }}"
+
+          {{- if .Values.events.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.events.service.app.port }}
+            initialDelaySeconds: {{ .Values.events.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.events.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.events.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.events.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.events.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.events.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.events.service.app.port }}
+            initialDelaySeconds: {{ .Values.events.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.events.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.events.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.events.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.events.readinessProbe.failureThreshold }}
+          {{- end }}

charts/taiga/templates/deployment-front.yaml

@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-front
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.front.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.front.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.front.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.front.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-front
+      annotations:
+        {{- with .Values.front.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.front.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.front.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.front.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.front.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-front
+          image: "{{ .Values.front.image.repository }}:{{ .Values.front.image.tag }}"
+          imagePullPolicy: {{ .Values.front.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.front.resources | nindent 12 }}
+          ports:
+            - name: taiga-front
+              containerPort: {{ .Values.front.service.port }}
+              protocol: TCP
+          env:
+          {{ if .Values.ingress.enabled }}
+            - name: TAIGA_URL
+              value: "https://{{ .Values.ingress.host }}"
+          {{ else }}
+            - name: TAIGA_URL
+              value: "http://localhost:{{ .Values.front.service.port }}"
+          {{ end }}
+
+            - name: PUBLIC_REGISTER_ENABLED
+              value: "{{ .Values.publicRegisterEnabled }}"
+            - name: ENABLE_GITHUB_AUTH
+              value: "false"
+            - name: ENABLE_GITLAB_AUTH
+              value: "false"
+            - name: ENABLE_OIDC
+              value: "{{ .Values.oidc.enabled }}"              
+            - name: ENABLE_SLACK
+              value: "{{ .Values.enableSlack }}"
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "{{ .Values.githubImporter.enabled }}"
+            - name: ENABLE_JIRA_IMPORTER
+              value: "{{ .Values.jiraImporter.enabled }}"
+            - name: ENABLE_TRELLO_IMPORTER
+              value: "{{ .Values.trelloImporter.enabled }}"
+
+          {{- if .Values.front.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.front.service.port }}
+            initialDelaySeconds: {{ .Values.front.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.front.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.front.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.front.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.front.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.front.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.front.service.port }}
+            initialDelaySeconds: {{ .Values.front.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.front.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.front.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.front.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.front.readinessProbe.failureThreshold }}
+          {{- end }}

charts/taiga/templates/deployment-protected.yaml

@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-protected
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.protected.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.protected.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.protected.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.protected.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-protected
+      annotations:
+        {{- with .Values.protected.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.protected.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.protected.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.protected.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.protected.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-protected
+          image: "{{ .Values.protected.image.repository }}:{{ .Values.protected.image.tag }}"
+          imagePullPolicy: {{ .Values.protected.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.protected.resources | nindent 12 }}
+          ports:
+            - name: taiga-protected
+              containerPort: {{ .Values.protected.service.port }}
+              protocol: TCP
+          env:
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: MAX_AGE
+              value: "{{ .Values.maxAge }}"
+
+          {{- if .Values.protected.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.protected.service.port }}
+            initialDelaySeconds: {{ .Values.protected.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.protected.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.protected.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.protected.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.protected.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.protected.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.protected.service.port }}
+            initialDelaySeconds: {{ .Values.protected.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.protected.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.protected.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.protected.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.protected.readinessProbe.failureThreshold }}
+          {{- end }}

charts/taiga/templates/ingress.yaml

@@ -0,0 +1,74 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "taiga.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.ingress.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ template "taiga.fullname" . }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-front"
+                port:
+                  name: taiga-front
+            pathType: ImplementationSpecific
+          - path: /api
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-back"
+                port:
+                  name: taiga-back
+            pathType: ImplementationSpecific     
+          - path: /admin
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-back"
+                port:
+                  name: taiga-back
+            pathType: ImplementationSpecific
+        {{ if .Values.oidc.enabled }}
+          - path: /oidc
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-back"
+                port:
+                  name: taiga-back
+            pathType: ImplementationSpecific
+        {{- end }}                  
+          - path: /events
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-events"
+                port:
+                  name: taiga-events
+            pathType: ImplementationSpecific
+          - path: /media
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-protected"
+                port:
+                  name: taiga-protected
+            pathType: ImplementationSpecific
+{{- end }}

charts/taiga/templates/job.yaml

@@ -0,0 +1,66 @@
+{{- if .Values.createInitialUser }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "taiga.fullname" . }}-create-initial-user
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  backoffLimit: 4
+  template:
+    spec:
+      {{- if .Values.back.nodeSelector }}
+      nodeSelector:
+        {{ toYaml .Values.back.nodeSelector | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+      - name: {{ template "taiga.fullname" . }}-create-initial-user
+        image: "{{ .Values.back.image.repository }}:{{ .Values.back.image.tag }}"
+        imagePullPolicy: {{ .Values.back.image.pullPolicy }}
+        command:
+          - sh
+          - /scripts/createinitialuser.sh
+        volumeMounts:
+          - name: create-initial-user
+            mountPath: /scripts
+        env:
+          - name: TAIGA_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.secretKey.existingSecretName }}"
+                key: "{{ .Values.secretKey.existingSecretKey }}"
+          - name: POSTGRES_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.usernameKey }}"
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.passwordKey }}"
+          - name: POSTGRES_DATABASE_NAME
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.databaseNameKey }}"
+          - name: POSTGRES_DATABASE_HOST
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.hostKey }}"
+      volumes:
+        - name: create-initial-user
+          configMap:
+            name: {{ template "taiga.fullname" . }}-create-initial-user
+            defaultMode: 0744
+{{- end }}

charts/taiga/templates/persistent-volume-claim.yaml

@@ -0,0 +1,54 @@
+{{- if and .Values.persistence.static.enabled (not .Values.persistence.static.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "taiga.staticVolumeName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.persistence.static.retain }}
+    helm.sh/resource-policy: keep
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  storageClassName: {{ .Values.persistence.static.storageClass }}
+  accessModes:
+    - {{ .Values.persistence.static.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.static.size }}
+{{- end }}
+
+---
+{{- if and .Values.persistence.media.enabled (not .Values.persistence.media.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "taiga.mediaVolumeName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.persistence.media.retain }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  storageClassName: {{ .Values.persistence.media.storageClass }}
+  accessModes:
+    - {{ .Values.persistence.media.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.media.size }}
+{{- end }}

charts/taiga/templates/service-account.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "taiga.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}

charts/taiga/templates/service.yaml

@@ -0,0 +1,138 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-back
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.back.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.back.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.back.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.back.service.type }}
+  ports:
+    - port: {{ .Values.back.service.port }}
+      targetPort: taiga-back
+      protocol: TCP
+      name: taiga-back
+  selector:
+    {{- include "taiga.back.matchLabels" . | nindent 4 }}
+    {{- with .Values.back.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-events
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.events.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.events.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.events.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.events.service.type }}
+  ports:
+    - port: {{ .Values.events.service.http.port }}
+      targetPort: taiga-events
+      protocol: TCP
+      name: taiga-events
+    - port: {{ .Values.events.service.app.port }}
+      targetPort: taiga-app
+      protocol: TCP
+      name: taiga-app
+  selector:
+    {{- include "taiga.events.matchLabels" . | nindent 4 }}
+    {{- with .Values.events.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-front
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.front.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.front.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.front.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.front.service.type }}
+  ports:
+    - port: {{ .Values.front.service.port }}
+      targetPort: taiga-front
+      protocol: TCP
+      name: taiga-front
+  selector:
+    {{- include "taiga.front.matchLabels" . | nindent 4 }}
+    {{- with .Values.front.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-protected
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.protected.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.protected.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.protected.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.protected.service.type }}
+  ports:
+    - port: {{ .Values.protected.service.port }}
+      targetPort: taiga-protected
+      protocol: TCP
+      name: taiga-protected
+  selector:
+    {{- include "taiga.protected.matchLabels" . | nindent 4 }}
+    {{- with .Values.protected.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}

charts/taiga/values.yaml

@@ -0,0 +1,817 @@
+## Global
+##
+global:
+  # -- Set an override for the prefix of the fullname
+  nameOverride:
+
+  # -- Set the entire name definition
+  fullnameOverride:
+
+  # -- Set additional global labels. Helm templates can be used.
+  labels: {}
+
+  # -- Set additional global annotations. Helm templates can be used.
+  annotations: {}
+
+## Service Account
+##
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: false
+
+  # -- Annotations to add to the service account
+  annotations: {}
+
+  # -- Labels to add to the service account
+  labels: {}
+
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+## Secret key
+## Specificy the secret name and the key containg a strong secret key
+##
+secretKey:
+  existingSecretName: ""
+  existingSecretKey: ""
+
+## Create initial user with credentials admin/123123
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+##
+# TODO: set to false by default or create with a random password which is stored in a secret
+# or allow to pass in the data for username and secret
+createInitialUser: true
+
+## Max age
+##
+maxAge: 360
+
+## Create initial templates
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+##
+# TODO: This values seems to be unused
+createInitialTemplates: false
+
+## Telemetry settings
+##
+enableTelemetry: true
+
+## Public registration
+##
+publicRegisterEnabled: true
+
+## Enable debug
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+debug: false
+
+## Postgresql
+## Configuration is expected to be stored in a secret, reference the secret name and each key for the value
+##
+postgresql:
+  existingSecretName: ""
+  usernameKey: ""
+  passwordKey: ""
+  databaseNameKey: ""
+  hostKey: ""
+  portKey: ""
+
+## OIDC authentication
+## Configuration is expected to be stored in a secret, reference the secret name and each key for the value
+##
+oidc:
+  enabled: false
+  existingSecretName: ""
+  scopesKey: ""                  # "openid profile email"
+  signatureAlgorithmKey: ""      # "RS256"
+  clientIdKey: ""                # <generate from auth provider>
+  clientSecretKey: ""            # <generate from auth provider>
+  baseUrlKey: ""                 # "https://id.fedoraproject.org/openidc"
+  jwksEndpointKey: ""            # "https://id.fedoraproject.org/openidc/Jwks"
+  authorizationEndpointKey: ""   # "https://id.fedoraproject.org/openidc/Authorization"
+  tokenEndpointKey: ""           # "https://id.fedoraproject.org/openidc/Token"
+  userEndpointKey: ""            # "https://id.fedoraproject.org/openidc/UserInfo"
+
+## SMTP mail delivery configuration
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+##
+email:
+  enabled: false
+  from: no-reply@example.com
+  host: localhost
+  port: 587
+  tls: false
+  ssl: false
+  user: ""
+
+  ## Specificy an existing secret containg the password for the smtp user
+  ##
+  existingPasswordSecret: ""
+  existingSecretPasswordKey: ""
+
+## Slack
+##
+enableSlack: false
+
+## Importers
+##
+# Github importer
+githubImporter:
+  enabled: false
+  existingSecretName: ""
+  existingSecretClientIdKey: ""
+  existingSecretClientSecretKey: ""
+
+# Jira importer
+jiraImporter:
+  enabled: false
+  existingSecretName: ""
+  existingSecretConsumerKeyKey: ""
+  existingSecretCertKey: ""
+  existingSecretPubCertKey: ""
+
+# Trello importer
+trelloImporter:
+  enabled: false
+  existingSecretName: ""
+  existingSecretApiKeyKey: ""
+  existingSecretSecretKeyKey: ""
+
+## taiga-back
+##
+back:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-back
+    tag: "6.7.3"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8000
+
+## Async
+##
+async:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-back
+    tag: "6.7.3"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8000
+
+## Async Rabbitmq
+## https://artifacthub.io/packages/helm/bitnami/rabbitmq?modal=values-schema
+##
+async-rabbitmq:
+  auth:
+    ## @param auth.username RabbitMQ application username
+    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
+    ##
+    username: taiga
+
+    ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey)
+    ## e.g:
+    ## existingPasswordSecret: name-of-existing-secret
+    ##
+    existingPasswordSecret: ""
+    existingSecretPasswordKey: ""
+
+    ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey)
+    ## e.g:
+    ## existingErlangSecret: name-of-existing-secret
+    ##
+    existingErlangSecret: ""
+    ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret
+    ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set
+    ##
+    existingSecretErlangKey: ""
+
+  ## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf.
+  ## Must contain the key "rabbitmq.conf"
+  ## Takes precedence over `configuration`, so do not use both simultaneously
+  ## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect
+  ##
+  configurationExistingSecret: ""
+  ## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
+  ## Use this instead of `configuration` to add more configuration
+  ## Do not use simultaneously with `extraConfigurationExistingSecret`
+  ##
+  extraConfiguration: |-
+    default_vhost = taiga
+    default_permissions.configure = .*
+    default_permissions.read = .*
+    default_permissions.write = .*
+
+## Events
+##
+events:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-events
+    tag: "6.7.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    http:
+      # -- HTTP port number
+      port: 8888
+
+    app:
+      # -- HTTP port number
+      port: 3023
+
+## Events Rabbitmq
+## https://artifacthub.io/packages/helm/bitnami/rabbitmq?modal=values-schema
+##
+events-rabbitmq:
+  auth:
+    ## @param auth.username RabbitMQ application username
+    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
+    ##
+    username: taiga
+
+    ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey)
+    ## e.g:
+    ## existingPasswordSecret: name-of-existing-secret
+    ##
+    existingPasswordSecret: ""
+    existingSecretPasswordKey: ""
+
+    ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey)
+    ## e.g:
+    ## existingErlangSecret: name-of-existing-secret
+    ##
+    existingErlangSecret: ""
+    ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret
+    ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set
+    ##
+    existingSecretErlangKey: ""
+
+  ## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf.
+  ## Must contain the key "rabbitmq.conf"
+  ## Takes precedence over `configuration`, so do not use both simultaneously
+  ## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect
+  ##
+  configurationExistingSecret: ""
+  ## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
+  ## Use this instead of `configuration` to add more configuration
+  ## Do not use simultaneously with `extraConfigurationExistingSecret`
+  ##
+  extraConfiguration: |-
+    default_vhost = taiga
+    default_permissions.configure = .*
+    default_permissions.read = .*
+    default_permissions.write = .*
+
+## Protected
+##
+protected:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-protected
+    tag: "6.7.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8003
+
+## Front
+##
+front:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-front
+    tag: "6.7.7"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 80
+
+## Configure the ingress resource that allows you to access the
+## taiga installation. Set up the URL
+## ref: http://kubernetes.io/docs/user-guide/ingress/
+##
+ingress:
+  # -- Enables or disables the ingress
+  enabled: false
+
+  # -- Provide additional annotations which may be required.
+  annotations: {}
+
+  # -- Provide additional labels which may be required.
+  labels: {}
+
+  # -- Set the ingressClass that is used for this ingress.
+  className: ""
+
+  ## Configure the hosts for the ingress
+  host: chart-example.local
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+  static:
+    # -- Enables or disables the persistence item. Defaults to true
+    enabled: true
+
+    # -- Storage Class for the config volume.
+    # If set to `-`, dynamic provisioning is disabled.
+    # If set to something else, the given storageClass is used.
+    # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+    storageClass: ""
+
+    # -- If you want to reuse an existing claim, the name of the existing PVC can be passed here.
+    existingClaim: ""
+
+    # -- AccessMode for the persistent volume.
+    # Make sure to select an access mode that is supported by your storage provider!
+    # [[ref]](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
+    accessMode: ReadWriteOnce
+
+    # -- The amount of storage that is requested for the persistent volume.
+    size: 5Gi
+
+    # -- Set to true to retain the PVC upon `helm uninstall`
+    retain: false
+
+  media:
+    # -- Enables or disables the persistence item. Defaults to true
+    enabled: true
+
+    # -- Storage Class for the config volume.
+    # If set to `-`, dynamic provisioning is disabled.
+    # If set to something else, the given storageClass is used.
+    # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+    storageClass: ""
+
+    # -- If you want to reuse an existing claim, the name of the existing PVC can be passed here.
+    existingClaim: ""
+
+    # -- AccessMode for the persistent volume.
+    # Make sure to select an access mode that is supported by your storage provider!
+    # [[ref]](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
+    accessMode: ReadWriteOnce
+
+    # -- The amount of storage that is requested for the persistent volume.
+    size: 5Gi
+
+    # -- Set to true to retain the PVC upon `helm uninstall`
+    retain: false

charts/tdarr/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: tdarr
+version: 0.0.5
+description: Chart for Tdarr V2
+keywords:
+  - video
+  - transcode
+sources:
+  - https://github.com/HaveAGitGat/Tdarr
+  - https://github.com/homeylab/helm-charts/tree/main/charts/tdarr-exporter
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/43864057?s=48&v=4
+dependencies:
+  - name: tdarr-exporter
+    version: 1.1.1
+    repository: https://homeylab.github.io/helm-charts/
+appVersion: "2.17.01"

charts/tdarr/README.md

@@ -0,0 +1,16 @@
+## Introduction
+
+[Tdarr V2](https://github.com/HaveAGitGat/Tdarr)
+
+Distributed transcode automation using FFmpeg/HandBrake + Audio/Video library analytics + video health checking.
+
+This chart bootstraps an [Tdarr V2](https://github.com/HaveAGitGat/Tdarr) server deployment with separate node deployments on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).