.github/workflows/cloud-neutra-golden-image.yaml

@@ -20,13 +20,13 @@ on:
         default: "amd64"
 
   schedule:
-    - cron: "0 18 1 * *"
+    - cron: "0 18 1 * *"   # 每月 1 号 UTC18:00
 
 env:
   BASE_REGION: ap-northeast-1
   TARGET_REGIONS: "ap-northeast-1 ap-east-1 us-west-1"
   PROJECT_TAG: Cloud-Neutra
-  PACKER_TEMPLATE_ROOT: packer/Cloud-Neutra-VMs/templates
+  PACKER_TEMPLATE_ROOT: packer/Cloud-Neutra-VMs
 
 jobs:
   ##########################################################################
@@ -39,13 +39,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: actionlint
-        uses: raven-actions/actionlint@v2
-        with:
-          files: ".github/workflows/cloud-neutra-golden-image.yaml"
-          matcher: false
-          cache: false
-          fail-on-error: true
-          flags: "-ignore SC2086"
+        uses: reviewdog/actionlint@v1
 
       - name: Install tools
         run: |
@@ -53,10 +47,12 @@ jobs:
           sudo apt-get install -y shellcheck jq
 
       - name: Packer FMT
-        run: packer fmt -recursive .
+        run: |
+          packer fmt -recursive .
 
-      - name: Packer Validate
-        run: packer validate "${PACKER_TEMPLATE_ROOT}"
+      - name: Packer Validate (ensure no syntax issue)
+        run: |
+          packer validate .
 
       - name: gitleaks Scan
         uses: gitleaks/gitleaks-action@v2
@@ -71,9 +67,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: lint
 
-    outputs:
-      ami_id: ${{ steps.packer_build.outputs.ami_id }}
-
     strategy:
       fail-fast: false
       matrix:
@@ -81,26 +74,28 @@ jobs:
           - edition: base
             ubuntu_version: "2204"
             cpu_arch: amd64
+
           - edition: base
             ubuntu_version: "2204"
             cpu_arch: arm64
 
+    if: ${{
+      github.event_name == 'schedule' ||
+      (
+        github.event_name == 'workflow_dispatch' &&
+        github.event.inputs.edition == matrix.edition &&
+        github.event.inputs.ubuntu_version == matrix.ubuntu_version &&
+        github.event.inputs.cpu_arch == matrix.cpu_arch
+      )
+    }}
+
     steps:
       - uses: actions/checkout@v4
 
-      # must be step-level to allow matrix.*
-      - name: Skip matrix items not requested
-        if: >
-          github.event_name == 'schedule' ||
-          (
-            github.event_name == 'workflow_dispatch' &&
-            github.event.inputs.edition == matrix.edition &&
-            github.event.inputs.ubuntu_version == matrix.ubuntu_version &&
-            github.event.inputs.cpu_arch == matrix.cpu_arch
-          )
-        run: echo "Matrix item selected."
-
-      - name: Configure AWS Credentials
+      ####################################################################
+      # Credential (OIDC first, AK/SK fallback)
+      ####################################################################
+      - name: Configure AWS Credentials (OIDC + AK/SK fallback)
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: ${{ env.BASE_REGION }}
@@ -120,23 +115,24 @@ jobs:
           CPU_ARCH: ${{ matrix.cpu_arch }}
         run: |
           TEMPLATE="${PACKER_TEMPLATE_ROOT}/${EDITION}/ubuntu-${UBUNTU_VERSION}-${EDITION}.pkr.hcl"
-          echo "Using template: ${TEMPLATE}"
+
+          echo "Using template: $TEMPLATE"
 
           packer build \
             -color=false \
             -var "cpu_arch=${CPU_ARCH}" \
             -var "edition=${EDITION}" \
             -var "ubuntu_version=${UBUNTU_VERSION}" \
-            "${TEMPLATE}" | tee packer.log
+            "$TEMPLATE" | tee packer.log
 
           AMI_ID=$(grep 'AMI:' packer.log | awk '{print $2}' | tail -n1 || true)
 
-          if [ -z "${AMI_ID}" ]; then
+          if [ -z "$AMI_ID" ]; then
             echo "ERROR: Cannot parse AMI ID"
             exit 1
           fi
 
-          echo "ami_id=${AMI_ID}" >> "${GITHUB_OUTPUT}"
+          echo "ami_id=${AMI_ID}" >> $GITHUB_OUTPUT
 
       - name: Upload Logs
         uses: actions/upload-artifact@v4
@@ -145,21 +141,17 @@ jobs:
           path: packer.log
 
   ##########################################################################
-  # Stage 3 — QA Test
+  # Stage 3 — AMI QA Test
   ##########################################################################
   test:
     name: Test Built AMI
     runs-on: ubuntu-latest
     needs: build
 
-    # must re-expose build's output for downstream needs.*
-    outputs:
-      ami_id: ${{ needs.build.outputs.ami_id }}
-
     steps:
       - name: Placeholder test
         run: |
-          echo "TODO: Future QA test"
+          echo "TODO: Future QA test (ssh boot, containerd, k3s, sealos etc.)"
 
   ##########################################################################
   # Stage 4 — AMI Replication + Retention
@@ -175,6 +167,7 @@ jobs:
           - edition: base
             ubuntu_version: "2204"
             cpu_arch: amd64
+
           - edition: base
             ubuntu_version: "2204"
             cpu_arch: arm64
@@ -198,11 +191,11 @@ jobs:
           EDITION: ${{ matrix.edition }}
           UBUNTU_VERSION: ${{ matrix.ubuntu_version }}
           CPU_ARCH: ${{ matrix.cpu_arch }}
-          AMI_ID: ${{ needs.test.outputs.ami_id }}
+          AMI_ID: ${{ needs.build.outputs.ami_id }}
         run: |
           bash packer/scripts/common/ami-replicate.sh \
-            "${AMI_ID}" "${EDITION}" "${UBUNTU_VERSION}" "${CPU_ARCH}" \
-            "${BASE_REGION}" "${TARGET_REGIONS}" "${PROJECT_TAG}"
+            "$AMI_ID" "$EDITION" "$UBUNTU_VERSION" "$CPU_ARCH" \
+            "$BASE_REGION" "$TARGET_REGIONS" "$PROJECT_TAG"
 
       - name: Retention
         env:
@@ -213,4 +206,4 @@ jobs:
           CPU_ARCH: ${{ matrix.cpu_arch }}
         run: |
           bash packer/scripts/common/ami-retention.sh \
-            "${EDITION}" "${UBUNTU_VERSION}" "${CPU_ARCH}" "${PROJECT_TAG}" "${TARGET_REGIONS}"
+            "$EDITION" "$UBUNTU_VERSION" "$CPU_ARCH" "$PROJECT_TAG" "$TARGET_REGIONS"

.github/workflows/release-oci-charts.yml

@@ -1,67 +0,0 @@
-name: release-oci-charts
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "oci/charts/apps/app-service/**"
-      - "oci/charts/postgresql/**"
-      - "oci/charts/observability/**"
-      - ".github/workflows/release-oci-charts.yml"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  packages: write
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-
-      - name: Setup Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
-        with:
-          version: v3.15.4
-
-      - name: Log In To GHCR
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Lint charts
-        run: |
-          set -euo pipefail
-          charts=(
-            "oci/charts/apps/app-service"
-            "oci/charts/postgresql"
-            "oci/charts/observability"
-          )
-          for chart in "${charts[@]}"; do
-            helm lint "./${chart}"
-          done
-
-      - name: Package charts
-        run: |
-          set -euo pipefail
-          mkdir -p dist
-          charts=(
-            "oci/charts/apps/app-service"
-            "oci/charts/postgresql"
-            "oci/charts/observability"
-          )
-          for chart in "${charts[@]}"; do
-            helm package "./${chart}" --destination dist
-          done
-
-      - name: Push charts to GHCR
-        run: |
-          set -euo pipefail
-          for pkg in dist/*.tgz; do
-            helm push "${pkg}" oci://ghcr.io/x-evor
-          done

.gitignore

@@ -22,6 +22,3 @@
 .build-harness
 build-harness
 dist/bin/*
-
-# Packaged Helm charts generated in-place during release work
-oci/charts/apps/*/charts/*.tgz

oci/charts/README.md

@@ -1,15 +0,0 @@
-# OCI Charts
-
-This repository stores reusable Helm charts published to `ghcr.io/x-evor`.
-
-## Layout
-
-- `apps/app-service`: reusable runtime chart for application services
-- `postgresql`: PostgreSQL service chart with optional `stunnel` server/client
-- `observability`: observability composition chart for server and agent components
-
-## Release Model
-
-- Registry: `oci://ghcr.io/x-evor`
-- Each chart is versioned independently
-- Runtime image tags are managed by GitOps values rather than chart versions

oci/charts/apps/accounts/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: app-service
-  repository: file://../app-service
-  version: 0.1.0
-digest: sha256:29102607dbddc890cc60258ec869b75fd9e5f995fc8c5ee1f1a31b046b80e407
-generated: "2026-04-02T17:55:26.238504+08:00"

oci/charts/apps/accounts/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: accounts-chart
-description: Accounts service chart backed by the shared app-service subchart
-type: application
-version: 0.1.0
-appVersion: "1.0.0"
-dependencies:
-  - name: app-service
-    version: 0.1.0
-    repository: file://../app-service
-    alias: service

oci/charts/apps/accounts/values.yaml

@@ -1,25 +0,0 @@
-service:
-  nameOverride: accounts
-  containerPort: 8080
-  service:
-    port: 80
-  global:
-    existingSecretName: accounts-env
-    repository: ghcr.io/x-evor/accounts
-    tag: latest
-    env:
-      PORT: "8080"
-      SERVICE_NAME: accounts
-      HEALTHCHECK_PATH: /healthz
-  readinessProbe:
-    httpGet:
-      path: /healthz
-      port: http
-    initialDelaySeconds: 10
-    periodSeconds: 10
-  livenessProbe:
-    httpGet:
-      path: /healthz
-      port: http
-    initialDelaySeconds: 30
-    periodSeconds: 20

oci/charts/apps/app-service/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: app-service
-description: Reusable chart for core HTTP application services
-type: application
-version: 0.1.0
-appVersion: "1.0.0"

oci/charts/apps/app-service/templates/_helpers.tpl

@@ -1,26 +0,0 @@
-{{- define "app-service.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "app-service.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- include "app-service.name" . -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "app-service.labels" -}}
-app.kubernetes.io/name: {{ include "app-service.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-{{- end -}}
-
-{{- define "app-service.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-{{- default (include "app-service.fullname" .) .Values.serviceAccount.name -}}
-{{- else -}}
-{{- default "default" .Values.serviceAccount.name -}}
-{{- end -}}
-{{- end -}}

oci/charts/apps/app-service/templates/deployment.yaml

@@ -1,128 +0,0 @@
-{{- $global := .Values.global | default dict -}}
-{{- $globalRepository := $global.repository | default "" -}}
-{{- $globalTag := $global.tag | default "" -}}
-{{- $globalEnv := $global.env | default dict -}}
-{{- $localEnv := .Values.env | default dict -}}
-{{- $env := mergeOverwrite (deepCopy $globalEnv) $localEnv -}}
-{{- $existingSecretName := .Values.existingSecretName | default ($global.existingSecretName | default "") -}}
-{{- $imageRepository := default $globalRepository .Values.image.repository -}}
-{{- $imageTag := default $globalTag .Values.image.tag -}}
-{{- $globalEnvFromSecretRefs := $global.envFromSecretRefs | default list -}}
-{{- $localEnvFromSecretRefs := .Values.envFromSecretRefs | default list -}}
-{{- $envFromSecretRefs := concat $globalEnvFromSecretRefs $localEnvFromSecretRefs -}}
-{{- $globalExternalServices := index $global "external-service" | default list -}}
-{{- $localExternalServices := index .Values "external-service" | default list -}}
-{{- $externalServices := concat $globalExternalServices $localExternalServices -}}
-{{- if $externalServices -}}
-{{- $_ := set $env "EXTERNAL_SERVICES" (join "," $externalServices) -}}
-{{- end -}}
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  revisionHistoryLimit: 3
-  strategy:
-    type: {{ .Values.strategy.type }}
-    rollingUpdate:
-      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
-      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "app-service.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        {{- include "app-service.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      annotations:
-        {{- if and .Values.reloader.enabled $existingSecretName }}
-        secret.reloader.stakater.com/reload: {{ default $existingSecretName .Values.reloader.secretMatch | quote }}
-        {{- end }}
-        {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      serviceAccountName: {{ include "app-service.serviceAccountName" . }}
-      {{- with .Values.image.pullSecrets }}
-      imagePullSecrets:
-        {{- range . }}
-        - name: {{ . }}
-        {{- end }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.initContainers }}
-      initContainers:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-        - name: app
-          image: "{{ $imageRepository }}:{{ $imageTag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- with .Values.command }}
-          command:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.args }}
-          args:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- if .Values.workingDir }}
-          workingDir: {{ .Values.workingDir | quote }}
-          {{- end }}
-          ports:
-            - name: http
-              containerPort: {{ .Values.containerPort }}
-          {{- if $env }}
-          env:
-            {{- range $key := keys $env | sortAlpha }}
-            - name: {{ $key }}
-              value: {{ index $env $key | quote }}
-            {{- end }}
-          {{- end }}
-          {{- if or $existingSecretName $envFromSecretRefs }}
-          envFrom:
-            {{- if $existingSecretName }}
-            - secretRef:
-                name: {{ $existingSecretName }}
-            {{- end }}
-            {{- range $envFromSecretRefs }}
-            - secretRef:
-                name: {{ . }}
-            {{- end }}
-          {{- end }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          readinessProbe:
-            {{- toYaml .Values.readinessProbe | nindent 12 }}
-          livenessProbe:
-            {{- toYaml .Values.livenessProbe | nindent 12 }}
-        {{- with .Values.extraContainers }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      {{- with .Values.volumes }}
-      volumes:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

oci/charts/apps/app-service/templates/ingress.yaml

@@ -1,35 +0,0 @@
-{{- if .Values.ingress.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
-  {{- end }}
-  {{- with .Values.ingress.tls }}
-  tls:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  rules:
-    {{- range .Values.ingress.hosts }}
-    - host: {{ .host }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            pathType: {{ default "Prefix" .pathType }}
-            backend:
-              service:
-                name: {{ include "app-service.fullname" $ }}
-                port:
-                  number: {{ default $.Values.service.port .servicePort }}
-          {{- end }}
-    {{- end }}
-{{- end }}

oci/charts/apps/app-service/templates/pdb.yaml

@@ -1,14 +0,0 @@
-{{- if .Values.pdb.enabled }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-spec:
-  minAvailable: {{ .Values.pdb.minAvailable }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "app-service.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}

oci/charts/apps/app-service/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  selector:
-    app.kubernetes.io/name: {{ include "app-service.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-  ports:
-    - name: http
-      port: {{ .Values.service.port }}
-      targetPort: http

oci/charts/apps/app-service/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "app-service.serviceAccountName" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

oci/charts/apps/app-service/values.yaml

@@ -1,94 +0,0 @@
-nameOverride: ""
-fullnameOverride: ""
-
-replicaCount: 1
-
-image:
-  repository: ""
-  tag: ""
-  pullPolicy: IfNotPresent
-  pullSecrets: []
-
-command: []
-args: []
-workingDir: ""
-
-containerPort: 8080
-
-service:
-  port: 80
-  type: ClusterIP
-  annotations: {}
-
-strategy:
-  type: RollingUpdate
-  rollingUpdate:
-    maxUnavailable: 0
-    maxSurge: 1
-
-podLabels: {}
-podAnnotations: {}
-
-serviceAccount:
-  create: false
-  name: ""
-  annotations: {}
-
-global:
-  repository: ""
-  tag: ""
-  env: {}
-  existingSecretName: ""
-  external-service: []
-  envFromSecretRefs: []
-
-# Local overrides remain available for backwards compatibility.
-env: {}
-existingSecretName: ""
-external-service: []
-envFromSecretRefs: []
-initContainers: []
-extraContainers: []
-volumeMounts: []
-volumes: []
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 128Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-readinessProbe:
-  httpGet:
-    path: /healthz
-    port: http
-  initialDelaySeconds: 10
-  periodSeconds: 10
-
-livenessProbe:
-  httpGet:
-    path: /healthz
-    port: http
-  initialDelaySeconds: 30
-  periodSeconds: 20
-
-pdb:
-  enabled: true
-  minAvailable: 1
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  tls: []
-  hosts: []
-
-nodeSelector: {}
-tolerations: []
-affinity: {}
-
-reloader:
-  enabled: true
-  secretMatch: ""

oci/charts/apps/console/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: app-service
-  repository: file://../app-service
-  version: 0.1.0
-digest: sha256:29102607dbddc890cc60258ec869b75fd9e5f995fc8c5ee1f1a31b046b80e407
-generated: "2026-04-02T17:55:26.213216+08:00"

oci/charts/apps/console/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: console-chart
-description: Console service chart backed by the shared app-service subchart
-type: application
-version: 0.1.0
-appVersion: "1.0.0"
-dependencies:
-  - name: app-service
-    version: 0.1.0
-    repository: file://../app-service
-    alias: service

oci/charts/apps/console/values.yaml

@@ -1,31 +0,0 @@
-service:
-  nameOverride: console
-  containerPort: 3000
-  service:
-    port: 80
-  global:
-    existingSecretName: console-env
-    repository: ghcr.io/x-evor/console
-    tag: latest
-    env:
-      PORT: "3000"
-      SERVICE_NAME: console
-      HEALTHCHECK_PATH: /
-      DOCS_SERVICE_URL: https://docs.svc.plus
-      NEXT_PUBLIC_DOCS_BASE_URL: https://docs.svc.plus
-    external-service:
-      - docs.svc.plus
-      - xworkmate.svc.plus
-      - openclaw-gateway.svc.plus
-  readinessProbe:
-    httpGet:
-      path: /
-      port: http
-    initialDelaySeconds: 10
-    periodSeconds: 10
-  livenessProbe:
-    httpGet:
-      path: /
-      port: http
-    initialDelaySeconds: 30
-    periodSeconds: 20

oci/charts/apps/rag-server/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: app-service
-  repository: file://../app-service
-  version: 0.1.0
-digest: sha256:29102607dbddc890cc60258ec869b75fd9e5f995fc8c5ee1f1a31b046b80e407
-generated: "2026-04-02T17:55:26.26398+08:00"

oci/charts/apps/rag-server/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: rag-server-chart
-description: RAG server chart backed by the shared app-service subchart
-type: application
-version: 0.1.0
-appVersion: "1.0.0"
-dependencies:
-  - name: app-service
-    version: 0.1.0
-    repository: file://../app-service
-    alias: service

oci/charts/apps/rag-server/values.yaml

@@ -1,25 +0,0 @@
-service:
-  nameOverride: rag-server
-  containerPort: 8080
-  service:
-    port: 80
-  global:
-    existingSecretName: rag-server-env
-    repository: ghcr.io/x-evor/rag-server
-    tag: latest
-    env:
-      PORT: "8080"
-      SERVICE_NAME: rag-server
-      HEALTHCHECK_PATH: /healthz
-  readinessProbe:
-    httpGet:
-      path: /healthz
-      port: http
-    initialDelaySeconds: 10
-    periodSeconds: 10
-  livenessProbe:
-    httpGet:
-      path: /healthz
-      port: http
-    initialDelaySeconds: 30
-    periodSeconds: 20

oci/charts/observability/Chart.yaml

@@ -1,18 +0,0 @@
-apiVersion: v2
-name: observability
-description: Observability composition chart for server and agent components
-type: application
-version: 0.1.0
-appVersion: "1.0.0"
-keywords:
-  - observability
-  - prometheus
-  - victoria
-  - grafana
-  - otel
-home: https://github.com/cloud-neutral-toolkit/observability.svc.plus
-sources:
-  - https://github.com/cloud-neutral-toolkit/observability.svc.plus
-maintainers:
-  - name: Cloud-Neutral Toolkit
-    email: admin@svc.plus

oci/charts/observability/templates/extra-objects.yaml

@@ -1,4 +0,0 @@
-{{- range .Values.extraObjects }}
----
-{{ toYaml . }}
-{{- end }}

oci/charts/observability/templates/grafana-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.server.grafana.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.server.grafana.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.server.grafana.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.server.grafana.chart.name }}
-      version: {{ .Values.server.grafana.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.server.grafana.sourceRef.kind }}
-        name: {{ .Values.server.grafana.sourceRef.name }}
-        namespace: {{ .Values.server.grafana.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.server.grafana.values | nindent 4 }}
-{{- end }}

oci/charts/observability/templates/node-exporter-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.agent.nodeExporter.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.agent.nodeExporter.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.agent.nodeExporter.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.agent.nodeExporter.chart.name }}
-      version: {{ .Values.agent.nodeExporter.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.agent.nodeExporter.sourceRef.kind }}
-        name: {{ .Values.agent.nodeExporter.sourceRef.name }}
-        namespace: {{ .Values.agent.nodeExporter.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.agent.nodeExporter.values | nindent 4 }}
-{{- end }}

oci/charts/observability/templates/otel-connector-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.server.otelConnector.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.server.otelConnector.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.server.otelConnector.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.server.otelConnector.chart.name }}
-      version: {{ .Values.server.otelConnector.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.server.otelConnector.sourceRef.kind }}
-        name: {{ .Values.server.otelConnector.sourceRef.name }}
-        namespace: {{ .Values.server.otelConnector.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.server.otelConnector.values | nindent 4 }}
-{{- end }}

oci/charts/observability/templates/process-exporter.yaml

@@ -1,65 +0,0 @@
-{{- if .Values.agent.processExporter.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.agent.processExporter.serviceAccountName }}
-  namespace: {{ .Values.namespaces.observability }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: process-exporter-config
-  namespace: {{ .Values.namespaces.observability }}
-data:
-  config.yaml: |
-    {{- .Values.agent.processExporter.config | nindent 4 }}
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: process-exporter
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: process-exporter
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: process-exporter
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "{{ .Values.agent.processExporter.port }}"
-    spec:
-      serviceAccountName: {{ .Values.agent.processExporter.serviceAccountName }}
-      hostPID: true
-      containers:
-        - name: process-exporter
-          image: "{{ .Values.agent.processExporter.image.repository }}:{{ .Values.agent.processExporter.image.tag }}"
-          imagePullPolicy: {{ .Values.agent.processExporter.image.pullPolicy }}
-          args:
-            - --procfs
-            - /host/proc
-            - --config.path
-            - /etc/process-exporter/config.yaml
-            - --web.listen-address=:{{ .Values.agent.processExporter.port }}
-          ports:
-            - name: metrics
-              containerPort: {{ .Values.agent.processExporter.port }}
-              protocol: TCP
-          resources:
-            {{- toYaml .Values.agent.processExporter.resources | nindent 12 }}
-          volumeMounts:
-            - name: config
-              mountPath: /etc/process-exporter
-            - name: proc
-              mountPath: /host/proc
-              readOnly: true
-      volumes:
-        - name: config
-          configMap:
-            name: process-exporter-config
-        - name: proc
-          hostPath:
-            path: /proc
-{{- end }}

oci/charts/observability/templates/prometheus-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.server.prometheus.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.server.prometheus.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.server.prometheus.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.server.prometheus.chart.name }}
-      version: {{ .Values.server.prometheus.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.server.prometheus.sourceRef.kind }}
-        name: {{ .Values.server.prometheus.sourceRef.name }}
-        namespace: {{ .Values.server.prometheus.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.server.prometheus.values | nindent 4 }}
-{{- end }}

oci/charts/observability/templates/vector-agent.yaml

@@ -1,69 +0,0 @@
-{{- if .Values.agent.vector.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.agent.vector.serviceAccountName }}
-  namespace: {{ .Values.namespaces.observability }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vector-agent-config
-  namespace: {{ .Values.namespaces.observability }}
-data:
-  vector.yaml: |
-    {{- .Values.agent.vector.config | nindent 4 }}
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: vector-agent
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vector-agent
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: vector-agent
-    spec:
-      serviceAccountName: {{ .Values.agent.vector.serviceAccountName }}
-      containers:
-        - name: vector
-          image: "{{ .Values.agent.vector.image.repository }}:{{ .Values.agent.vector.image.tag }}"
-          imagePullPolicy: {{ .Values.agent.vector.image.pullPolicy }}
-          resources:
-            {{- toYaml .Values.agent.vector.resources | nindent 12 }}
-          volumeMounts:
-            - name: config
-              mountPath: /etc/vector
-            {{- if .Values.agent.vector.volume.enabled }}
-            - name: {{ .Values.agent.vector.volume.name }}
-              mountPath: {{ .Values.agent.vector.volume.mountPath }}
-            {{- end }}
-            - name: var-log
-              mountPath: /var/log
-              readOnly: true
-            - name: machine-id
-              mountPath: /etc/machine-id
-              readOnly: true
-      volumes:
-        - name: config
-          configMap:
-            name: vector-agent-config
-        {{- if .Values.agent.vector.volume.enabled }}
-        - name: {{ .Values.agent.vector.volume.name }}
-          emptyDir:
-            {{- if .Values.agent.vector.volume.sizeLimit }}
-            sizeLimit: {{ .Values.agent.vector.volume.sizeLimit }}
-            {{- end }}
-        {{- end }}
-        - name: var-log
-          hostPath:
-            path: /var/log
-        - name: machine-id
-          hostPath:
-            path: /etc/machine-id
-            type: File
-{{- end }}

oci/charts/observability/templates/victoria-logs-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.server.victoriaLogs.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.server.victoriaLogs.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.server.victoriaLogs.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.server.victoriaLogs.chart.name }}
-      version: {{ .Values.server.victoriaLogs.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.server.victoriaLogs.sourceRef.kind }}
-        name: {{ .Values.server.victoriaLogs.sourceRef.name }}
-        namespace: {{ .Values.server.victoriaLogs.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.server.victoriaLogs.values | nindent 4 }}
-{{- end }}

oci/charts/observability/templates/victoria-metrics-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.server.victoriaMetrics.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.server.victoriaMetrics.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.server.victoriaMetrics.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.server.victoriaMetrics.chart.name }}
-      version: {{ .Values.server.victoriaMetrics.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.server.victoriaMetrics.sourceRef.kind }}
-        name: {{ .Values.server.victoriaMetrics.sourceRef.name }}
-        namespace: {{ .Values.server.victoriaMetrics.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.server.victoriaMetrics.values | nindent 4 }}
-{{- end }}

oci/charts/observability/templates/victoria-traces-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.server.victoriaTraces.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.server.victoriaTraces.releaseName }}
-  namespace: {{ .Values.namespaces.observability }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.server.victoriaTraces.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.server.victoriaTraces.chart.name }}
-      version: {{ .Values.server.victoriaTraces.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.server.victoriaTraces.sourceRef.kind }}
-        name: {{ .Values.server.victoriaTraces.sourceRef.name }}
-        namespace: {{ .Values.server.victoriaTraces.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.server.victoriaTraces.values | nindent 4 }}
-{{- end }}

oci/charts/observability/values.yaml

@@ -1,199 +0,0 @@
-namespaces:
-  observability: observability
-
-server:
-  prometheus:
-    enabled: true
-    releaseName: prometheus
-    sourceRef:
-      kind: HelmRepository
-      name: prometheus-community
-      namespace: flux-system
-    chart:
-      name: prometheus
-      version: ">=25.0.0 <26.0.0"
-    values:
-      server:
-        persistentVolume:
-          enabled: true
-          size: 20Gi
-      prometheus-node-exporter:
-        enabled: false
-  victoriaMetrics:
-    enabled: true
-    releaseName: victoria-metrics
-    sourceRef:
-      kind: HelmRepository
-      name: victoria-metrics
-      namespace: flux-system
-    chart:
-      name: victoria-metrics-single
-      version: ">=0.13.0 <1.0.0"
-    values:
-      server:
-        persistentVolume:
-          enabled: true
-          size: 50Gi
-  victoriaLogs:
-    enabled: true
-    releaseName: victoria-logs
-    sourceRef:
-      kind: HelmRepository
-      name: victoria-metrics
-      namespace: flux-system
-    chart:
-      name: victoria-logs-single
-      version: ">=0.9.0 <1.0.0"
-    values:
-      server:
-        persistentVolume:
-          enabled: true
-          size: 50Gi
-  victoriaTraces:
-    enabled: true
-    releaseName: victoria-traces
-    sourceRef:
-      kind: HelmRepository
-      name: victoria-metrics
-      namespace: flux-system
-    chart:
-      name: victoria-traces-single
-      version: ">=0.0.1 <1.0.0"
-    values: {}
-  grafana:
-    enabled: false
-    releaseName: grafana
-    sourceRef:
-      kind: HelmRepository
-      name: grafana
-      namespace: flux-system
-    chart:
-      name: grafana
-      version: ">=8.0.0 <9.0.0"
-    values:
-      initChownData:
-        enabled: false
-      podSecurityContext:
-        fsGroup: 472
-      securityContext:
-        runAsUser: 472
-        runAsGroup: 472
-      persistence:
-        enabled: true
-        size: 10Gi
-  otelConnector:
-    enabled: false
-    releaseName: otel-connector
-    sourceRef:
-      kind: HelmRepository
-      name: open-telemetry
-      namespace: flux-system
-    chart:
-      name: opentelemetry-collector
-      version: ">=0.104.0 <1.0.0"
-    values:
-      image:
-        repository: otel/opentelemetry-collector-contrib
-      mode: deployment
-      config:
-        receivers:
-          otlp:
-            protocols:
-              grpc: {}
-              http: {}
-        processors:
-          batch: {}
-        exporters:
-          debug: {}
-        service:
-          pipelines:
-            traces:
-              receivers: [otlp]
-              processors: [batch]
-              exporters: [debug]
-            metrics:
-              receivers: [otlp]
-              processors: [batch]
-              exporters: [debug]
-            logs:
-              receivers: [otlp]
-              processors: [batch]
-              exporters: [debug]
-
-agent:
-  nodeExporter:
-    enabled: true
-    releaseName: node-exporter
-    sourceRef:
-      kind: HelmRepository
-      name: prometheus-community
-      namespace: flux-system
-    chart:
-      name: prometheus-node-exporter
-      version: ">=4.30.0 <5.0.0"
-    values: {}
-  vector:
-    enabled: true
-    image:
-      repository: timberio/vector
-      tag: "0.36.0-distroless-libc"
-      pullPolicy: IfNotPresent
-    serviceAccountName: vector-agent
-    vlogsEndpoint: http://victoria-logs-victoria-logs-single-server.observability.svc.cluster.local:9428
-    config: |
-      data_dir: /vector-data-dir
-
-      sources:
-        journald:
-          type: journald
-
-      transforms:
-        normalize:
-          type: remap
-          inputs: ["journald"]
-          source: |
-            .cluster = "k3s"
-            .origin = "vector-agent"
-
-      sinks:
-        vlogs:
-          type: elasticsearch
-          inputs: ["normalize"]
-          endpoints:
-            - http://victoria-logs-victoria-logs-single-server.observability.svc.cluster.local:9428/insert/elasticsearch/
-          mode: bulk
-          compression: gzip
-    resources:
-      limits:
-        cpu: 300m
-        memory: 512Mi
-      requests:
-        cpu: 100m
-        memory: 128Mi
-    volume:
-      enabled: true
-      name: vector-data-dir
-      mountPath: /vector-data-dir
-      sizeLimit: 1Gi
-  processExporter:
-    enabled: true
-    image:
-      repository: ncabatoff/process-exporter
-      tag: v0.8.3
-      pullPolicy: IfNotPresent
-    serviceAccountName: process-exporter
-    port: 9256
-    config: |
-      process_names:
-        - name: "{{.Comm}}"
-          cmdline:
-            - '.+'
-    resources:
-      limits:
-        cpu: 100m
-        memory: 128Mi
-      requests:
-        cpu: 25m
-        memory: 64Mi
-
-extraObjects: []

oci/charts/postgresql/Chart.yaml

@@ -1,19 +0,0 @@
-apiVersion: v2
-name: postgresql
-description: PostgreSQL service chart with optional stunnel server and client for cloud-neutral deployments
-type: application
-version: 1.1.0
-appVersion: "16.4"
-keywords:
-  - postgresql
-  - database
-  - vector
-  - search
-  - queue
-home: https://github.com/cloud-neutral-toolkit/postgresql.svc.plus
-sources:
-  - https://github.com/cloud-neutral-toolkit/postgresql.svc.plus
-maintainers:
-  - name: Cloud-Neutral Toolkit
-    email: admin@svc.plus
-icon: https://www.postgresql.org/media/img/about/press/elephant.png

oci/charts/postgresql/templates/_helpers.tpl

@@ -1,82 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "postgresql.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-*/}}
-{{- define "postgresql.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "postgresql.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "postgresql.labels" -}}
-helm.sh/chart: {{ include "postgresql.chart" . }}
-{{ include "postgresql.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "postgresql.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "postgresql.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "postgresql.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "postgresql.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Get the password secret name
-*/}}
-{{- define "postgresql.secretName" -}}
-{{- if .Values.auth.existingSecret -}}
-{{- .Values.auth.existingSecret -}}
-{{- else -}}
-{{- include "postgresql.fullname" . -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the password key
-*/}}
-{{- define "postgresql.secretKey" -}}
-{{- if .Values.auth.existingSecret -}}
-{{- .Values.auth.secretKey -}}
-{{- else -}}
-password
-{{- end -}}
-{{- end -}}

oci/charts/postgresql/templates/configmap-init-scripts.yaml

@@ -1,13 +0,0 @@
-{{- if and .Values.server.enabled .Values.initScripts.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "postgresql.fullname" . }}-init-scripts
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-data:
-  {{- range $key, $value := .Values.initScripts.scripts }}
-  {{ $key }}: |
-    {{- $value | nindent 4 }}
-  {{- end }}
-{{- end }}

oci/charts/postgresql/templates/configmap-stunnel.yaml

@@ -1,11 +0,0 @@
-{{- if and .Values.server.enabled .Values.stunnel.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "postgresql.fullname" . }}-stunnel-config
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-data:
-  stunnel.conf: |
-    {{- .Values.stunnel.config | nindent 4 }}
-{{- end }}

oci/charts/postgresql/templates/configmap.yaml

@@ -1,25 +0,0 @@
-{{- if .Values.server.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "postgresql.fullname" . }}-config
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-data:
-  postgresql.conf: |
-    {{- .Values.postgresql.config | nindent 4 }}
-  
-  {{- if .Values.postgresql.pgHba }}
-  pg_hba.conf: |
-    # TYPE  DATABASE        USER            ADDRESS                 METHOD
-    # Default entries
-    local   all             all                                     trust
-    host    all             all             127.0.0.1/32            trust
-    host    all             all             ::1/128                 trust
-    host    all             all             0.0.0.0/0               md5
-    host    all             all             ::/0                    md5
-    
-    # Custom entries
-    {{- .Values.postgresql.pgHba | nindent 4 }}
-  {{- end }}
-{{- end }}

oci/charts/postgresql/templates/secret.yaml

@@ -1,11 +0,0 @@
-{{- if and .Values.server.enabled (not .Values.auth.existingSecret) }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "postgresql.fullname" . }}
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-type: Opaque
-data:
-  password: {{ .Values.auth.password | b64enc | quote }}
-{{- end }}

oci/charts/postgresql/templates/service-metrics.yaml

@@ -1,21 +0,0 @@
-{{- if and .Values.server.enabled .Values.metrics.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "postgresql.fullname" . }}-metrics
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-  {{- with .Values.metrics.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.metrics.service.type }}
-  ports:
-    - port: {{ .Values.metrics.service.port }}
-      targetPort: metrics
-      protocol: TCP
-      name: metrics
-  selector:
-    {{- include "postgresql.selectorLabels" . | nindent 4 }}
-{{- end }}

oci/charts/postgresql/templates/service.yaml

@@ -1,27 +0,0 @@
-{{- if .Values.server.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "postgresql.fullname" . }}
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: postgres
-      protocol: TCP
-      name: postgres
-    {{- if .Values.stunnel.enabled }}
-    - port: {{ .Values.stunnel.port }}
-      targetPort: stunnel
-      protocol: TCP
-      name: stunnel
-    {{- end }}
-  selector:
-    {{- include "postgresql.selectorLabels" . | nindent 4 }}
-{{- end }}

oci/charts/postgresql/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if and .Values.server.enabled .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "postgresql.serviceAccountName" . }}
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

oci/charts/postgresql/templates/statefulset.yaml

@@ -1,203 +0,0 @@
-{{- if .Values.server.enabled }}
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: {{ include "postgresql.fullname" . }}
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-spec:
-  serviceName: {{ include "postgresql.fullname" . }}
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "postgresql.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-        {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      labels:
-        {{- include "postgresql.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "postgresql.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: postgresql
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: postgres
-              containerPort: 5432
-              protocol: TCP
-          env:
-            - name: POSTGRES_USER
-              value: {{ .Values.auth.username | quote }}
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "postgresql.secretName" . }}
-                  key: {{ include "postgresql.secretKey" . }}
-            - name: POSTGRES_DB
-              value: {{ .Values.auth.database | quote }}
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
-          {{- if .Values.livenessProbe.enabled }}
-          livenessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - pg_isready -U {{ .Values.auth.username }}
-            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
-            successThreshold: {{ .Values.livenessProbe.successThreshold }}
-          {{- end }}
-          {{- if .Values.readinessProbe.enabled }}
-          readinessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - pg_isready -U {{ .Values.auth.username }}
-            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
-            successThreshold: {{ .Values.readinessProbe.successThreshold }}
-          {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-            - name: config
-              mountPath: /etc/postgresql
-            {{- if .Values.initScripts.enabled }}
-            - name: init-scripts
-              mountPath: /docker-entrypoint-initdb.d
-            {{- end }}
-            {{- if .Values.tls.enabled }}
-            - name: tls-certs
-              mountPath: /etc/postgresql/certs
-              readOnly: true
-            {{- end }}
-        
-        {{- if .Values.stunnel.enabled }}
-        - name: stunnel
-          image: "{{ .Values.stunnel.image.repository }}:{{ .Values.stunnel.image.tag }}"
-          imagePullPolicy: {{ .Values.stunnel.image.pullPolicy }}
-          ports:
-            - name: stunnel
-              containerPort: {{ .Values.stunnel.port }}
-              protocol: TCP
-          volumeMounts:
-            - name: stunnel-config
-              mountPath: /etc/stunnel/stunnel.conf
-              subPath: stunnel.conf
-            {{- if .Values.stunnel.certificatesSecret }}
-            - name: stunnel-certs
-              mountPath: /etc/stunnel/certs
-              readOnly: true
-            {{- end }}
-        {{- end }}
-        
-        {{- if .Values.metrics.enabled }}
-        - name: metrics
-          image: "{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}"
-          imagePullPolicy: {{ .Values.metrics.image.pullPolicy }}
-          ports:
-            - name: metrics
-              containerPort: 9187
-              protocol: TCP
-          env:
-            - name: DATA_SOURCE_NAME
-              value: "postgresql://{{ .Values.auth.username }}:$(POSTGRES_PASSWORD)@localhost:5432/{{ .Values.auth.database }}?sslmode=disable"
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "postgresql.secretName" . }}
-                  key: {{ include "postgresql.secretKey" . }}
-          resources:
-            {{- toYaml .Values.metrics.resources | nindent 12 }}
-        {{- end }}
-      
-      volumes:
-        - name: config
-          configMap:
-            name: {{ include "postgresql.fullname" . }}-config
-        {{- if .Values.initScripts.enabled }}
-        - name: init-scripts
-          configMap:
-            name: {{ include "postgresql.fullname" . }}-init-scripts
-        {{- end }}
-        {{- if .Values.tls.enabled }}
-        - name: tls-certs
-          secret:
-            secretName: {{ .Values.tls.certificatesSecret }}
-            defaultMode: 0600
-        {{- end }}
-        {{- if .Values.stunnel.enabled }}
-        - name: stunnel-config
-          configMap:
-            name: {{ include "postgresql.fullname" . }}-stunnel-config
-        {{- if .Values.stunnel.certificatesSecret }}
-        - name: stunnel-certs
-          secret:
-            secretName: {{ .Values.stunnel.certificatesSecret }}
-            defaultMode: 0600
-        {{- end }}
-        {{- end }}
-      
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-  
-  {{- if .Values.persistence.enabled }}
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-        {{- with .Values.persistence.annotations }}
-        annotations:
-          {{- toYaml . | nindent 10 }}
-        {{- end }}
-      spec:
-        accessModes:
-          {{- range .Values.persistence.accessModes }}
-          - {{ . | quote }}
-          {{- end }}
-        {{- if .Values.persistence.storageClass }}
-        storageClassName: {{ .Values.persistence.storageClass | quote }}
-        {{- end }}
-        resources:
-          requests:
-            storage: {{ .Values.persistence.size | quote }}
-        {{- with .Values.persistence.selector }}
-        selector:
-          {{- toYaml . | nindent 10 }}
-        {{- end }}
-  {{- else }}
-        - name: data
-          emptyDir: {}
-  {{- end }}
-{{- end }}

oci/charts/postgresql/templates/stunnel-client-configmap.yaml

@@ -1,11 +0,0 @@
-{{- if .Values.stunnelClient.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "postgresql.fullname" . }}-stunnel-client
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-data:
-  stunnel.conf: |
-    {{- .Values.stunnelClient.config | nindent 4 }}
-{{- end }}

oci/charts/postgresql/templates/stunnel-client-deployment.yaml

@@ -1,40 +0,0 @@
-{{- if .Values.stunnelClient.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "postgresql.fullname" . }}-stunnel-client
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.stunnelClient.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "postgresql.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      app.kubernetes.io/component: stunnel-client
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "postgresql.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        app.kubernetes.io/component: stunnel-client
-    spec:
-      containers:
-        - name: stunnel-client
-          image: "{{ .Values.stunnelClient.image.repository }}:{{ .Values.stunnelClient.image.tag }}"
-          imagePullPolicy: {{ .Values.stunnelClient.image.pullPolicy }}
-          ports:
-            - name: postgres
-              containerPort: {{ .Values.stunnelClient.service.port }}
-              protocol: TCP
-          resources:
-            {{- toYaml .Values.stunnelClient.resources | nindent 12 }}
-          volumeMounts:
-            - name: config
-              mountPath: /etc/stunnel/stunnel.conf
-              subPath: stunnel.conf
-      volumes:
-        - name: config
-          configMap:
-            name: {{ include "postgresql.fullname" . }}-stunnel-client
-{{- end }}

oci/charts/postgresql/templates/stunnel-client-service.yaml

@@ -1,23 +0,0 @@
-{{- if .Values.stunnelClient.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "postgresql.fullname" . }}-stunnel-client
-  labels:
-    {{- include "postgresql.labels" . | nindent 4 }}
-  {{- with .Values.stunnelClient.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.stunnelClient.service.type }}
-  ports:
-    - name: postgres
-      port: {{ .Values.stunnelClient.service.port }}
-      targetPort: postgres
-      protocol: TCP
-  selector:
-    app.kubernetes.io/name: {{ include "postgresql.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/component: stunnel-client
-{{- end }}

oci/charts/postgresql/values.yaml

@@ -1,245 +0,0 @@
-# Default values for postgresql chart
-
-server:
-  enabled: true
-
-# Image configuration
-image:
-  repository: postgres-extensions
-  tag: "16"
-  pullPolicy: IfNotPresent
-
-# Image pull secrets for private registries
-imagePullSecrets: []
-
-# Override name
-nameOverride: ""
-fullnameOverride: ""
-
-# Service account
-serviceAccount:
-  create: true
-  annotations: {}
-  name: ""
-
-# Pod annotations
-podAnnotations: {}
-
-# Pod security context
-podSecurityContext:
-  fsGroup: 999
-
-# Container security context
-securityContext:
-  runAsUser: 999
-  runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-
-# Service configuration
-service:
-  type: ClusterIP
-  port: 5432
-  annotations: {}
-
-# Ingress (not typically used for PostgreSQL, but available)
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  hosts: []
-  tls: []
-
-# PostgreSQL authentication
-auth:
-  username: postgres
-  password: ""  # Set this or use existingSecret
-  database: postgres
-  existingSecret: ""  # Name of existing secret with password
-  secretKey: "password"  # Key in the secret
-
-# PostgreSQL configuration
-postgresql:
-  # Custom postgresql.conf settings
-  config: |
-    shared_buffers = 256MB
-    effective_cache_size = 1GB
-    work_mem = 16MB
-    maintenance_work_mem = 64MB
-    max_connections = 100
-    wal_buffers = 16MB
-    checkpoint_completion_target = 0.9
-    random_page_cost = 1.1
-    effective_io_concurrency = 200
-    log_min_duration_statement = 1000
-  
-  # Custom pg_hba.conf entries (appended to defaults)
-  pgHba: |
-    # Custom entries
-    # host all all 0.0.0.0/0 md5
-
-# Initialization scripts
-initScripts:
-  enabled: true
-  # Scripts will be created from the scripts below
-  scripts:
-    01-init-extensions.sql: |
-      CREATE EXTENSION IF NOT EXISTS vector;
-      CREATE EXTENSION IF NOT EXISTS pg_jieba;
-      CREATE EXTENSION IF NOT EXISTS pgmq;
-      CREATE EXTENSION IF NOT EXISTS pg_trgm;
-      CREATE EXTENSION IF NOT EXISTS hstore;
-      CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-
-# Persistence
-persistence:
-  enabled: true
-  storageClass: ""  # Use default storage class
-  accessModes:
-    - ReadWriteOnce
-  size: 10Gi
-  annotations: {}
-  selector: {}
-
-# Resource limits
-resources:
-  limits:
-    cpu: 2000m
-    memory: 2Gi
-  requests:
-    cpu: 500m
-    memory: 1Gi
-
-# Liveness probe
-livenessProbe:
-  enabled: true
-  initialDelaySeconds: 30
-  periodSeconds: 10
-  timeoutSeconds: 5
-  failureThreshold: 6
-  successThreshold: 1
-
-# Readiness probe
-readinessProbe:
-  enabled: true
-  initialDelaySeconds: 5
-  periodSeconds: 10
-  timeoutSeconds: 5
-  failureThreshold: 6
-  successThreshold: 1
-
-# Node selector
-nodeSelector: {}
-
-# Tolerations
-tolerations: []
-
-# Affinity
-affinity: {}
-
-# Metrics (for Prometheus)
-metrics:
-  enabled: false
-  image:
-    repository: prometheuscommunity/postgres-exporter
-    tag: v0.15.0
-    pullPolicy: IfNotPresent
-  service:
-    type: ClusterIP
-    port: 9187
-    annotations:
-      prometheus.io/scrape: "true"
-      prometheus.io/port: "9187"
-  resources:
-    limits:
-      cpu: 100m
-      memory: 128Mi
-    requests:
-      cpu: 50m
-      memory: 64Mi
-
-# Backup configuration (optional)
-backup:
-  enabled: false
-  schedule: "0 2 * * *"  # Daily at 2 AM
-  retention: 7  # Keep 7 days of backups
-  storageClass: ""
-  size: 20Gi
-
-# TLS/SSL configuration
-tls:
-  enabled: false
-  certificatesSecret: ""  # Name of secret containing tls.crt and tls.key
-  certFilename: "tls.crt"
-  certKeyFilename: "tls.key"
-  certCAFilename: "ca.crt"
-
-# Stunnel sidecar for TLS over TCP
-stunnel:
-  enabled: false
-  image:
-    repository: dweomer/stunnel
-    tag: latest
-    pullPolicy: IfNotPresent
-  port: 5433
-  certificatesSecret: ""  # Name of secret containing stunnel certificates
-  config: |
-    [postgres-tunnel]
-    client = no
-    accept = 0.0.0.0:5433
-    connect = 127.0.0.1:5432
-    cert = /etc/stunnel/certs/server-cert.pem
-    key = /etc/stunnel/certs/server-key.pem
-    sslVersion = TLSv1.2
-    options = NO_SSLv2
-    options = NO_SSLv3
-    ciphers = HIGH:!aNULL:!MD5
-
-# NetworkPolicy
-networkPolicy:
-  enabled: false
-  policyTypes:
-    - Ingress
-  ingress:
-    - from:
-      - podSelector: {}
-      ports:
-      - protocol: TCP
-        port: 5432
-
-# PodDisruptionBudget
-podDisruptionBudget:
-  enabled: false
-  minAvailable: 1
-  # maxUnavailable: 1
-
-stunnelClient:
-  enabled: false
-  replicaCount: 1
-  image:
-    repository: dweomer/stunnel
-    tag: latest
-    pullPolicy: IfNotPresent
-  service:
-    type: ClusterIP
-    port: 5432
-    annotations: {}
-  config: |
-    [postgres-client]
-    client = yes
-    accept = 0.0.0.0:5432
-    connect = postgresql.database.svc.cluster.local:5433
-    verifyChain = no
-    sslVersion = TLSv1.2
-    options = NO_SSLv2
-    options = NO_SSLv3
-    ciphers = HIGH:!aNULL:!MD5
-  resources:
-    limits:
-      cpu: 100m
-      memory: 128Mi
-    requests:
-      cpu: 25m
-      memory: 64Mi