From 74bf71ea4f26e787515ce8acdeed6f22f1c8e67c Mon Sep 17 00:00:00 2001 
From: George Taylor Date: Wed, 8 Jan 2025 17:33:24 +0000 Subject: [PATCH] chore: Update helm chart to 7.0.3 (#113) * chore: update readme v1 * new helm chart version updates * Update Taskfile.yml * values changes * patching * patching for filestore url * Update readme (#117) * fix: matrix env typo (#110) * chore: add awscli to utils container (#111) * correct values for preprod * move to config map as source of truth * create config map with correct values in it and update size limit --------- Co-authored-by: Andrew Moore <20435317+andrewmooreio@users.noreply.github.com> * Update migrate-s3.yaml * Update migrate-s3.yaml * Update migrate-s3.yaml * Update migrate-s3.yaml * Update migrate-s3.yaml * add labels * chore: tidy the task file * chore: add dev * update all envs for new chart * attempt poc --------- Co-authored-by: Andrew Moore <20435317+andrewmooreio@users.noreply.github.com> --- .github/workflows/migrate-s3.yaml | 15 +- .gitignore | 5 +- README.md | 125 +- Taskfile.yml | 266 +- jobs/migrate-db/templates/job.yaml | 2 + jobs/migrate-s3/templates/job.yaml | 2 + jobs/refresh-db/templates/job.yaml | 2 + .../templates/reindexing-config.yaml | 4 +- jobs/reindex/templates/reindexing-config.yaml | 4 +- .../templates/reindexing-config.yaml | 4 +- kustomize/base/kustomization.yaml | 14 +- kustomize/base/patch-ingress-repository.yaml | 2 +- kustomize/base/patch-ingress-share.yaml | 2 +- ....yaml => patch-live-indexing-content.yaml} | 7 +- ...aml => patch-live-indexing-mediation.yaml} | 16 +- ...yaml => patch-live-indexing-metadata.yaml} | 7 +- kustomize/base/patch-live-indexing-path.yaml | 17 + kustomize/base/patch-live-path-indexing.yaml | 22 - kustomize/base/patch-router.yaml | 9 +- kustomize/base/patch-shared-filestore.yaml | 17 - kustomize/base/patch-tika.yaml | 15 + .../base/patch-transform-imagemagick.yaml | 16 + .../base/patch-transform-libreoffice.yaml | 15 + kustomize/base/patch-transform-misc.yaml | 15 + kustomize/base/values-versions.yaml | 66 + 
kustomize/base/values.yaml | 1172 +++------ kustomize/base/values.yaml.old | 1063 ++++++++ kustomize/dev/alf-prop-config-map.yaml | 80 + kustomize/dev/kustomization.yaml | 2 + kustomize/dev/output.yaml | 2152 +++++++++++++++++ kustomize/dev/patch-infra-config-map.yaml | 7 + kustomize/dev/patch-ingress-repository.yaml | 8 +- kustomize/dev/patch-ingress-share.yaml | 8 +- kustomize/dev/values.yaml | 20 +- kustomize/kustomizer.sh | 3 +- kustomize/poc/alf-prop-config-map.yaml | 80 + kustomize/poc/kustomization.yaml | 1 + kustomize/poc/output.yaml | 2110 ++++++++++++++++ kustomize/poc/patch-ingress-repository.yaml | 8 +- kustomize/poc/patch-ingress-share.yaml | 8 +- kustomize/poc/values.yaml | 37 +- kustomize/preprod/alf-prop-config-map.yaml | 80 + kustomize/preprod/kustomization.yaml | 4 +- kustomize/preprod/patch-filestore-pvc.yaml | 8 - kustomize/preprod/patch-infra-config-map.yaml | 7 + .../preprod/patch-ingress-repository.yaml | 8 +- kustomize/preprod/patch-ingress-share.yaml | 8 +- kustomize/preprod/values.yaml | 57 +- kustomize/stage/alf-prop-config-map.yaml | 80 + kustomize/stage/kustomization.yaml | 3 +- kustomize/stage/output.yaml | 1920 +++++++++++++++ kustomize/stage/patch-infra-config-map.yaml | 7 + kustomize/stage/patch-ingress-repository.yaml | 8 +- kustomize/stage/patch-ingress-share.yaml | 8 +- kustomize/stage/values.yaml | 70 +- kustomize/test/alf-prop-config-map.yaml | 80 + kustomize/test/kustomization.yaml | 2 + kustomize/test/patch-infra-config-map.yaml | 7 + kustomize/test/patch-ingress-repository.yaml | 8 +- kustomize/test/patch-ingress-share.yaml | 8 +- kustomize/test/values.yaml | 52 +- rules.yaml | 219 ++ tools/scripts/amq-connect-single.sh | 65 + 63 files changed, 8751 insertions(+), 1386 deletions(-) rename kustomize/base/{patch-live-content-indexing.yaml => patch-live-indexing-content.yaml} (77%) rename kustomize/base/{patch-live-mediation-indexing.yaml => patch-live-indexing-mediation.yaml} (59%) rename 
kustomize/base/{patch-live-metadata-indexing.yaml => patch-live-indexing-metadata.yaml} (77%) create mode 100644 kustomize/base/patch-live-indexing-path.yaml delete mode 100644 kustomize/base/patch-live-path-indexing.yaml delete mode 100644 kustomize/base/patch-shared-filestore.yaml create mode 100644 kustomize/base/patch-tika.yaml create mode 100644 kustomize/base/patch-transform-imagemagick.yaml create mode 100644 kustomize/base/patch-transform-libreoffice.yaml create mode 100644 kustomize/base/patch-transform-misc.yaml create mode 100644 kustomize/base/values-versions.yaml create mode 100644 kustomize/base/values.yaml.old create mode 100644 kustomize/dev/alf-prop-config-map.yaml create mode 100644 kustomize/dev/output.yaml create mode 100644 kustomize/dev/patch-infra-config-map.yaml create mode 100644 kustomize/poc/alf-prop-config-map.yaml create mode 100644 kustomize/poc/output.yaml create mode 100644 kustomize/preprod/alf-prop-config-map.yaml delete mode 100644 kustomize/preprod/patch-filestore-pvc.yaml create mode 100644 kustomize/preprod/patch-infra-config-map.yaml create mode 100644 kustomize/stage/alf-prop-config-map.yaml create mode 100644 kustomize/stage/output.yaml create mode 100644 kustomize/stage/patch-infra-config-map.yaml create mode 100644 kustomize/test/alf-prop-config-map.yaml create mode 100644 kustomize/test/patch-infra-config-map.yaml create mode 100644 rules.yaml create mode 100755 tools/scripts/amq-connect-single.sh diff --git a/.github/workflows/migrate-s3.yaml b/.github/workflows/migrate-s3.yaml index 58be3b4..ef1f7be 100644 --- a/.github/workflows/migrate-s3.yaml +++ b/.github/workflows/migrate-s3.yaml 
@@ -69,10 +69,12 @@ jobs: # remove all spaces and put one comma between prefixes cleaned_prefixes=$(echo $prefixes | tr -s '[:space:]' ',' | sed 's/[,/]*$//') - # remove `contentstore.deleted/` from cleaned_prefixes with comma if in list - cleaned_prefixes=$(echo $cleaned_prefixes | sed 's/contentstore.deleted,//') - # remove `contentstore.deleted` from cleaned_prefixes if at the end of the list - cleaned_prefixes=$(echo $cleaned_prefixes | sed 's/contentstore.deleted//') + # None occurs when a file is at the root of the bucket or level 1 directory + # remove None from cleaned_prefixes with comma if in list + cleaned_prefixes=$(echo $cleaned_prefixes | sed 's/None,//') + # remove None from cleaned_prefixes if at the end of the list + cleaned_prefixes=$(echo $cleaned_prefixes | sed 's/None//') + DIRS="" IFS=',' @@ -93,7 +95,4 @@ jobs: --set srcBucket=$SRC_BUCKET \ --set "directories={${DIRS}}" - kubectl wait jobs -l name-prefix=migrate-s3 --for=condition=complete --timeout 10h - - - name: Uninstall S3 Refresh chart - run: helm uninstall migrate-s3 --ignore-not-found + kubectl wait jobs -l name-prefix=migrate-s3 --for=condition=ready --timeout 10m diff --git a/.gitignore b/.gitignore index 052a22a..7d28e25 100644 --- a/.gitignore +++ b/.gitignore @@ -4,8 +4,11 @@ templated/ kustomize/base/charts/ kustomize/**/charts/ -kustomize/**/output.yaml +kustomize/**/helm_rendered_spec.yaml +kustomize/**/kustomized_helm_rendered_spec.yaml kustomize/base/resources.yaml jobs/reindex/values-reindex-*.yaml completed.txt ids.json +alfresco-content-services/ +s3-config/ diff --git a/README.md b/README.md index ea0b455..2b99a53 100644 --- a/README.md +++ b/README.md 
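Review bot: The added `sed 's/None,//'` and `sed 's/None//'` substitutions in the first `migrate-s3.yaml` hunk are unanchored and not global, so they also rewrite any prefix that merely contains the text `None`, and they leave a second `None` entry in place. The job would then be given directory names that do not exist in the source bucket. Filtering on whole comma-separated tokens avoids both, e.g. `cleaned_prefixes=$(printf '%s' "$cleaned_prefixes" | tr ',' '\n' | grep -vx 'None' | paste -sd, -)`. The same lines also drop the previous `contentstore.deleted` exclusion, so that prefix is presumably now migrated with the rest; if that is intended, a comment saying so would help. The step's script starts and ends outside the hunk.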
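Review bot: `kubectl wait jobs -l name-prefix=migrate-s3 --for=condition=ready --timeout 10m` waits on a condition that Job objects do not normally report (Jobs expose `Complete` and `Failed`), so this step is likely to sit for ten minutes and then fail however the copy went. With the uninstall step also removed, the workflow no longer shows whether the S3 migration finished, and the `migrate-s3` release stays installed. Consider `--for=condition=complete` with a timeout that matches the copy duration, fail the run when a job reports `Failed`, and clean the release up afterwards.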
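Review bot: Dropping `kustomize/**/output.yaml` from `.gitignore` lets rendered manifests be committed, and the diffstat of this commit already adds `kustomize/dev/output.yaml`, `kustomize/poc/output.yaml` and `kustomize/stage/output.yaml`. These appear to be rendered from values passed with `--set` (bucket name, database URL, message broker URL), so they can carry environment-specific or secret-derived values into the repository history. Keep the old pattern `kustomize/**/output.yaml` next to the two new ones, and check the committed output files for anything that should not be stored in git.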
@@ -1,102 +1,49 @@ -### Purpose +# hmpps-delius-alfresco -These example instsructions explain how you would customise one particular dependant Helm chart and publish a newer version to GitHub pages. Instructions assume GitHub pages are already configured for your repo; see the reference section below +## Helm + Kustomize -### Start services -In order to start the alfresco-repository service, we need to make a valid license available in the namespace. A secret containing the license needs to be created: -```bash -ACS_NAMESPACE=hmpps-delius-alfrsco-poc -kubectl create secret generic alfresco-license \ - --namespace $ACS_NAMESPACE \ - --from-file /example/path/to/license/file.lic -``` +This repository contains the Helm and Kustomize configuration for the Delius Alfresco deployment. -Next We will need to ensure all services are up and running. -Start k8s services by executing helm command _(Helm will complain if a random secret is not created)_ +Rather than using/modifying the Helm chart directly, we use Kustomize to overlay the Helm chart with our custom configuration. +This allows us to keep the Helm chart as a dependency and only modify the configuration that we need to. -```bash -cd hmpps-delius-alfresco-poc/alfresco-content-services -export SECRET=$(openssl rand -base64 20) -export BUCKET_NAME=$(awk '{print substr($0, 0)}' <<< $(kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d)) -helm install alfresco-content-services . --values=./values.yaml \ ---set s3connector.config.bucketName=$BUCKET_NAME \ ---set global.tracking.sharedsecret=$SECRET -``` +### Usage + +Note: we use taskfile to simplify the commands. You can install taskfile by running `brew install go-task/tap/go-task`. 
+ + +To deploy the Delius Alfresco stack, you can use the following command: -### Check the chart file for dependent charts and pull the required version -For the purpose of this demo, we will select the following service from the `Chart.yaml` file -```yaml -- condition: alfresco-sync-service.enabled - name: alfresco-sync-service - repository: https://alfresco.github.io/alfresco-helm-charts/ - version: 4.1.0 ``` +task helm_upgrade ENV= DEBUG= ``` -1. Delete existing tar file for the sync service. There will be an error pulling the chart otherwise -rm -rf charts/alfresco-sync-service-4.1.0.tgz -2. Pull a particular version of `alfresco-sync-service` chart -helm pull alfresco-sync-service --repo https://alfresco.github.io/alfresco-helm-charts --version 4.1.0 -d charts --untar +This will deploy the Delius Alfresco stack to the specified environment. +The `DEBUG` flag can be used to enable debug mode, which will enable helm verbose logging + output the templated, +rendered and kustomized manifests to the environment directory. -3. The above command will pull a tar file called `charts/alfresco-sync-service-4.1.0.tgz` and then untar it into a directory called `alfresco-sync-service`. Delete the tar file -rm -rf charts/alfresco-sync-service-4.1.0.tgz -``` -### Modify charts - -1. Change the chart version in the newly pulled chart. For example change is from `4.1.0` to `4.1.1` -2. Make your changes and then test them by upgrading Helm release - ``` - - export SECRET=$(awk '{print substr($0, 19)}' <<< $(kubectl get secrets alfresco-content-services-alfresco-repository-properties-secret -o jsonpath='{.data.alfresco-global\.properties}' | base64 -d)) - - export BUCKET_NAME=$(awk '{print substr($0, 0)}' <<< $(kubectl get secrets s3-bucket-output -o jsonpath='{.data.BUCKET_NAME}' | base64 -d)) - - helm upgrade alfresco-content-services . 
--values=./values.yaml --set s3connector.config.bucketName=$BUCKET_NAME --set global.tracking.sharedsecret=$SECRET - - NOTE: For the release upgrade, use the existing secret. You will otherwise have to restart pods consuming those secrets - ``` -4. Once satisfied with your changes, create a package and add it to the docs directory - - "helm package charts/alfresco-sync-service -d ../docs" -5. Create / update an index file in docs directory - - "helm repo index ../docs --url https://ministryofjustice.github.io/hmpps-delius-alfresco-poc" - - -### Update the lock file and commit changes -Locate the `Chart.yaml` file and modify the repository URL and version. It should now look like the code snippet below after the change: -```yaml -- condition: alfresco-sync-service.enabled - name: alfresco-sync-service - repository: https://ministryofjustice.github.io/hmpps-delius-alfresco-poc/ - version: 4.1.1 -``` +### Configuration -1. Delete `charts/alfresco-sync-service` directory as it is no longer needed -2. Push your changes / docs directory to the feature branch -3. Update your GitHub pages settings so that the `source branch` is pointing to your feature branch -4. Update helm dependencies which will pull the updated charts and will update the lock file - - `helm dependency update .` -5. Push the lock file and charts dirctory to the feature branch and get merge approval -6. Merge into main branch -7. Update your GitHub pages settings so that the `source branch` is pointing to your main branch -8. Upgrade the helm release for the changes to be updated in kubernetes cluster - ``` - - export SECRET=$(awk '{print substr($0, 19)}' <<< $(kubectl get secrets alfresco-content-services-alfresco-repository-properties-secret -o jsonpath='{.data.alfresco-global\.properties}' | base64 -d)) - - helm upgrade alfresco-content-services . --values=./values.yaml --set global.tracking.sharedsecret=$SECRET - - NOTE: For the release upgrade, use the existing secret. 
You will otherwise have to restart pods consuming those secrets - ``` - -### Alternatively, pull a particular chart either directly from repository URL or by adding it in the local repo - -1. Pull a chart with a particular version direcly from the GitHub pages -- `helm pull alfresco-sync-service --repo https://ministryofjustice.github.io/hmpps-delius-alfresco-poc/ --version 4.1.1 -d charts --untar` - -2. Or add the updated chart in a local helm repo -``` -helm repo add alfresco-sync-service https://ministryofjustice.github.io/hmpps-delius-alfresco-poc/ +1. Helm values +The base helm values are stored in the `kustomize/base/values.yaml` file. +Each environment has its own values file, which is stored in the `kustomize/environments//values.yaml` file. +These values are combined when deploying the stack, with the environment values taking precedence. -helm search repo alfresco-sync-service -NAME CHART VERSION APP VERSION DESCRIPTION -alfresco-sync-service/alfresco-sync-service 4.1.1 3.9.0 Alfresco Sync Service -``` +2. Kustomize +The kustomize overlays are stored in the `kustomize/environments/` directory. +These overlays are applied to the Helm chart's resources to modify the configuration as needed for the environment. + + +### Secrets + +A number of secrets are required to deploy the Delius Alfresco stack. Some of these are set by the cloud-platform-environments repository, while others are set manually. 
-### References to various docs that explain how to set up GitHub pages and how to publish Helm charts -- [The Chart Repository Guide](https://helm.sh/docs/topics/chart_repository/#github-pages-example) -- [Chart Releaser Action to Automate GitHub Page Charts ](https://helm.sh/docs/howto/chart_releaser_action/#github-actions-workflow) -- [Example on how to publish a chart on GitHub pages](https://github.com/technosophos/tscharts) +Table: +| Secret Name | Description | Set By | example/required keys | +| --- | --- | --- | --- | +| amazon-mq-broker-secret | The secret for the Amazon MQ broker | cloud-platform-environments | see [cloud-platform-environments](https://github.com/ministryofjustice/cloud-platform-environments/blob/7968f9c66f6914d33db35b68209c55b2dcb25d7d/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-delius-alfresco-stage/resources/amq.tf#L218) | +| alfresco-license | The Alfresco license file | manual | ` : ` +| legacy-rds-instance | The RDS instance for the legacy Delius Alfresco stack | manual | `DATABASE_NAME: , DATABASE_USERNAME: , DATABASE_PASSWORD: , RDS_INSTANCE_ADDRESS: ` | +| rds-instance-outpur | The RDS instance for the CP Delius Alfresco stack | cloud-platform-environments | see [cloud-platform-environments](https://github.com/ministryofjustice/cloud-platform-environments/blob/7968f9c66f6914d33db35b68209c55b2dcb25d7d/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-delius-alfresco-stage/resources/rds.tf#L35) | +| quay-registry-secret | The secret for the Quay registry | manual | `.dockerconfigjson: {"auths":{"quay.io":{"username":"","password":"","email":"","auth":""}}}` | diff --git a/Taskfile.yml b/Taskfile.yml index 5ae8504..a085a8a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
@@ -2,14 +2,30 @@ version: "3" vars: ENV: "{{.ENV}}" + FROM: "{{.FROM}}" + TO: "{{.TO}}" + FORCE: "{{.FORCE}}" NAMESPACE: - sh: if [ "{{.ENV}}" = "poc" ]; then echo "hmpps-delius-alfrsco-{{.ENV}}"; else echo "hmpps-delius-alfresco-{{.ENV}}"; fi + sh: | + if [ -z "{{.ENV}}" ]; then + echo "ERROR: ENV variable is not set" >&2 + exit 1 + elif [ "{{.ENV}}" = "poc" ]; then + echo "hmpps-delius-alfrsco-{{.ENV}}" + else + echo "hmpps-delius-alfresco-{{.ENV}}" + fi BUCKET_NAME: sh: kubectl get secret s3-bucket-output -n {{.NAMESPACE}} -o jsonpath='{.data.BUCKET_NAME}' | base64 --decode OPEN_SEARCH_PREFIX: sh: kubectl get svc --namespace {{.NAMESPACE}} | grep 'opensearch-proxy-service-cloud-platform' | awk '{ print $1 }' OPENSEARCH_HOST: sh: echo "{{.OPEN_SEARCH_PREFIX}}.{{.NAMESPACE}}.svc.cluster.local" + MESSAGEBROKER_URL: + sh: | + kubectl get secrets amazon-mq-broker-secret -o json | \ + jq -r ".data | map_values(@base64d) | .BROKER_URL" | \ + sed -e 's/(/\\(/g' -e 's/)/\\)/g' -e 's/,/\\,/g' ALLOWLIST: sh: yq 'join(",")' ./kustomize/{{.ENV}}/allowlist.yaml RDS_JDBC_URL: @@ -22,9 +38,10 @@ vars: ATOMIC: "true" ATOMIC_FLAG: sh: if [ "{{.ATOMIC}}" = "true" ]; then echo "--atomic"; else echo ""; fi - CHART_VERSION: "6.0.2" + CHART_VERSION: "7.0.3" tasks: + # Perform a helm upgrade on the alfresco-content-services chart helm_upgrade: cmds: - echo "NAMESPACE set to {{.NAMESPACE}}" 
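Review bot: The new `MESSAGEBROKER_URL` lookup runs `kubectl get secrets amazon-mq-broker-secret -o json` without `-n {{.NAMESPACE}}`, unlike `BUCKET_NAME` just above it, so the broker URL is read from whatever namespace the current kubectl context points at. A deploy for one `ENV` could therefore pick up another environment's broker secret, or an empty string when the secret is absent, because nothing checks the pipeline for failure. Use `kubectl get secrets amazon-mq-broker-secret -n {{.NAMESPACE}} -o json | \` and stop when the result is empty. The `vars:` block continues outside the hunk.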
@@ -82,11 +99,12 @@ tasks: cmds: - | helm upgrade --install alfresco-content-services alfresco/alfresco-content-services --version {{.CHART_VERSION}} --namespace {{.NAMESPACE}} \ - --values=../base/values.yaml --values=values.yaml \ + --values=../base/values.yaml --values=../base/values-versions.yaml --values=values.yaml \ --set s3connector.config.bucketName={{.BUCKET_NAME}} \ --set database.url={{.RDS_JDBC_URL}} \ - --set global.elasticsearch.host={{.OPENSEARCH_HOST}} \ - --set alfresco-search-enterprise.searchIndex.host={{.OPENSEARCH_HOST}} \ + --set-string messageBroker.url="{{.MESSAGEBROKER_URL}}" \ + --set global.search.url=http://{{.OPENSEARCH_HOST}}:8080 \ + --set global.search.host={{.OPENSEARCH_HOST}} \ --wait --timeout=60m \ --post-renderer ../kustomizer.sh --post-renderer-args "{{.HELM_POST_RENDERER_ARGS}}" \ {{.DEBUG_FLAG}} {{.ATOMIC_FLAG}} 
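Review bot: `--set-string messageBroker.url="{{.MESSAGEBROKER_URL}}"` puts a value read from `amazon-mq-broker-secret` on the helm command line, where it shows up in the process list, in Task's echoed command and in `--debug` output. If that URL embeds credentials (not visible here), pass it in a values file created with `mktemp` and removed after the run, or have the chart read it from the existing secret. The added `global.search.url=http://{{.OPENSEARCH_HOST}}:8080` is plain HTTP, presumably acceptable for the in-cluster proxy service but worth a comment saying so. The `cmds:` entry starts outside the hunk.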
@@ -103,225 +121,28 @@ tasks: cmds: - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i patch-ingress-repository.yaml - yq '.metadata.annotations."nginx.ingress.kubernetes.io/whitelist-source-range" = "placeholder"' -i patch-ingress-share.yaml - - simple_reindex: - cmds: - - | - helm install "reindex-default-$(openssl rand -hex 4)" ./jobs/reindex --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromId=27451380" --set "toId=27908429" --namespace {{.NAMESPACE}} - - reindex_list: - cmds: - - | - # Set your batch size (you can adjust this number as needed) - BATCH_SIZE=40 - - # Path to your JSON file containing the list of IDs - JSON_FILE="ids.json" - - RANDOM_ID=$(openssl rand -hex 4) - - # Function to create Helm job for a given batch of IDs - create_helm_job() { - # Concatenate the batch of IDs into a comma-separated string - # $1, $2, ... represent individual IDs - local idList="" - for id in "$@"; do - if [ -z "$idList" ]; then - idList="$id" - else - idList="$idList,$id" - fi - done - - # Debugging: print the batch being passed - echo "Creating job for IDs: $idList" # This will show only the batch, not the whole list - - # Run Helm command to create the job with the current batch of IDs - helm upgrade --install "reindex-list-${RANDOM_ID}" \ - --set "idList={${idList}}" \ - --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" \ - --set "global.namespace={{.NAMESPACE}}" \ - ./jobs/reindex-list \ - --namespace "{{.NAMESPACE}}" - echo "Waiting for the jobs to complete..." - kubectl wait --for=condition=complete job --namespace {{.NAMESPACE}} -l "reindex-type=list" --timeout=10h || echo "Jobs completed!" - echo "Jobs completed!" 
- } - - # Parse the list of IDs from the JSON file using jq - # The IDs will be saved as a space-separated list into the 'ids' variable - ids=$(jq -r '.list[]' "$JSON_FILE") - - # Initialize the index for processing - index=0 - - # Loop over the IDs and create jobs in batches - for id in $ids; do - # Add the current ID to the current batch - batch[$index]="$id" - index=$((index + 1)) - - # If the batch reaches the specified batch size, process it - if [ "$index" -ge "$BATCH_SIZE" ]; then - # Create the Helm job for the current batch - create_helm_job "${batch[@]}" - - # Reset the batch for the next set of IDs - index=0 - unset batch - # kubectl wait --for=condition=complete job --namespace {{.NAMESPACE}} -l "reindex-type=list" --timeout=10h || echo "Jobs completed!" - helm uninstall "reindex-list-${RANDOM_ID}" --namespace {{.NAMESPACE}} - fi - done - - # If there are any remaining IDs (less than BATCH_SIZE), create the last job - if [ "$index" -gt 0 ]; then - create_helm_job "${batch[@]}" - fi - - echo "All jobs have been created!" - echo "Cleaning up..." - helm uninstall "reindex-list-${RANDOM_ID}" --namespace {{.NAMESPACE}} - echo "Cleanup complete!" 
- - - - simple_reindex_date: - cmds: - - | - helm install "reindex-default-$(openssl rand -hex 4)" ./jobs/reindex_date --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromTime=201707060001" --set "toTime=201707070001" --namespace {{.NAMESPACE}} - - simple_reindex_date_metadata-only: - cmds: - - | - helm install "reindex-default-date-meta" ./jobs/reindex_date --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromTime=202402010100" --set "toTime=202402100100" --set "content=false" --namespace {{.NAMESPACE}} - - batch_reindex: - vars: - START: "{{.START | default 0}}" - END: "{{.END | default 10050}}" - CHUNK: "{{.CHUNK | default 1000}}" - CONCURRENCY: "{{.CONCURRENCY | default 5}}" - ARRAY: - sh: | - arr=$( - for i in $(seq -f "%.0f" {{.START}} {{.CHUNK}} {{.END}}); do - new_start=$i - end=$((i + {{.CHUNK}} - 1)) - if [ $end -gt {{.END}} ]; then - end={{.END}} - fi - cat << EOF - ${new_start}-${end} - EOF - done - ) - echo "$arr" - cmds: - - echo "Starting batch reindex from {{.START}} to {{.END}} in chunks of {{.CHUNK}}" - - task: run_reindex_batches - vars: - OPENSEARCH_HOST: "{{.OPENSEARCH_HOST}}" - NAMESPACE: "{{.NAMESPACE}}" - ARRAY: "{{.ARRAY}}" - CONCURRENCY: "{{.CONCURRENCY}}" - - task: reindex_helm_cleanup - vars: - NAMESPACE: "{{.NAMESPACE}}" - - run_reindex_batches: + # reindexes by id from the FROM_ID to the TO_ID + # ID FORMAT: alf-node id + reindex_by_id: cmds: - | - pending="{{.ARRAY}}" - # count the number of items - total_items=$(echo "$pending" | wc -l) - echo "Total items: $total_items" - - previous_completed=$(cat completed.txt) || true - if [ -z "$previous_completed" ]; then - echo "No previous completed items" - else - echo "Count of previous completed items: $(echo "$previous_completed" | wc -l)" - fi - - # remove the completed items from the pending list - for item in $previous_completed; do - pending=$(echo "$pending" | grep -v "$item") - done - - total_items=$(echo "$pending" | wc -l) - echo "Total items: 
$total_items" - - - started=() - completed=() - - # while pending is not empty - while [ -n "$pending" ]; do - # echo "Pending: $pending" - # Get the first item - item=$(echo "$pending" | head -n 1) - echo "Processing item: $item" + helm install "reindex-default-$(openssl rand -hex 4)" ./jobs/reindex --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromId={{.FROM}}" --set "toId={{.TO}}" --namespace {{.NAMESPACE}} - # Get the start and end values - start=$(echo "$item" | cut -d '-' -f 1) - end=$(echo "$item" | cut -d '-' -f 2) - echo "Start: $start, End: $end" - - # check the number of jobs running - running_jobs=$(kubectl get jobs --namespace {{.NAMESPACE}} -l "reindex-job" -o json | jq '.items | length') - echo "Running jobs: $running_jobs" - if [ $running_jobs -ge {{.CONCURRENCY}} ]; then - echo "No available slots, waiting for 5 seconds" - sleep 5 - else - echo "Found at least 1 available slot!" - echo "Available slots left: $(({{.CONCURRENCY}} - $running_jobs))" - # run the job - echo "helm install reindex-${start}-${end} ./jobs/reindex --set global.elasticsearch.host={{.OPENSEARCH_HOST}} --set fromId=${start} --set toId=${end} --namespace {{.NAMESPACE}}" - helm install "reindex-${start}-${end}" ./jobs/reindex --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromId=${start}" --set "toId=${end}" --namespace {{.NAMESPACE}} - # Remove the item from the list - pending=$(echo "$pending" | tail -n +2) - fi - - # check for completed jobs - completed_jobs=$(kubectl get jobs --namespace {{.NAMESPACE}} -l "reindex-job" -o json | jq -r '.items[] | select(.status.succeeded == 1) | .metadata.labels["reindex-job"]') - if [ -z "$completed_jobs" ]; then - echo "No completed jobs" - else - echo "Completed jobs: $completed_jobs" - echo "$completed_jobs" | while IFS= read -r job; do - echo "Processing completed job: $job" - completed+=("$job") - echo "$job" >> completed.txt - echo "Job $job completed" - helm uninstall "reindex-$job" --namespace 
{{.NAMESPACE}} - done - fi - done - - reindex_helm_cleanup: + # reindexes by date from the FROM_DATE to the TO_DATE + # DATE FORMAT: YYYYMMDDHHMM + reindex_by_date: cmds: - | - # wait for all jobs to complete - kubectl wait --for=condition=complete jobs --namespace {{.NAMESPACE}} -l "reindex-job" --timeout=4h + helm install "reindex-default-$(openssl rand -hex 4)" ./jobs/reindex_date --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromTime={{.FROM}}" --set "toTime={{.TO}}" --namespace {{.NAMESPACE}} - completed_jobs=$(kubectl get jobs --namespace {{.NAMESPACE}} -l "reindex-job" -o json | jq -r '.items[] | select(.status.succeeded == 1) | .metadata.labels["reindex-job"]') - if [ -z "$completed_jobs" ]; then - echo "No completed jobs" - else - echo "Completed jobs: $completed_jobs" - echo "$completed_jobs" | while IFS= read -r job; do - echo "Processing completed job: $job" - completed+=("$job") - echo "$job" >> completed.txt - echo "Job $job completed" - helm uninstall "reindex-$job" --namespace {{.NAMESPACE}} - done - fi + # reindex_by_date_metadata-only: + # cmds: + # - | + # helm install "reindex-default-date-meta" ./jobs/reindex_date --set "global.elasticsearch.host={{.OPENSEARCH_HOST}}" --set "fromTime=202402010100" --set "toTime=202402100100" --set "content=false" --namespace {{.NAMESPACE}} - helm_bulk_uninstall: + # uninstalls all helm releases with the prefix + helm_uninstall_prefix: vars: PREFIX: "{{.PREFIX}}" cmds: @@ -330,4 +151,15 @@ tasks: echo "Uninstalling release: $release" helm uninstall "$release" -n "$NAMESPACE" done - \ No newline at end of file + + kubectl_remove_pods_prefix: + vars: + PREFIX: "{{.PREFIX}}" + FORCE_FLAG: + sh: if [ "{{.FORCE}}" = "true" ]; then echo "--force"; else echo ""; fi + cmds: + - | + kubectl get pods -n {{.NAMESPACE}} | grep "^{{.PREFIX}}" | awk '{print $1}' | while IFS= read -r pod; do + echo "Deleting pod: $pod" + kubectl delete pod "$pod" -n "$NAMESPACE" {{.FORCE_FLAG}} + done 
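Review bot: `reindex_by_id` and `reindex_by_date` pass `{{.FROM}}` and `{{.TO}}` straight into `--set "fromId=..."` and `--set "fromTime=..."` with no check that they are set or well-formed, so a run without `FROM=` and `TO=` installs a reindex job with empty bounds. Because Task substitutes the values into the shell text before it runs, they should also be limited to the documented formats (digits for node ids, `YYYYMMDDHHMM` for dates). A `preconditions:` entry per task, for example `- sh: '[ -n "{{.FROM}}" ] && [ -n "{{.TO}}" ]'` with a `msg:`, covers the first part. The added comments name `FROM_ID`/`TO_ID` and `FROM_DATE`/`TO_DATE` while the variables are `FROM` and `TO`.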
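Review bot: In `kubectl_remove_pods_prefix` the pods are listed with `-n {{.NAMESPACE}}` but deleted with `-n "$NAMESPACE"`, which is a shell variable and not the Task variable. Unless `NAMESPACE` happens to be exported in the caller's environment (nothing visible here sets it), the delete presumably runs against the kubectl context's default namespace instead. An empty `PREFIX` also makes `grep "^{{.PREFIX}}"` match every line, so the task would try to delete every pod in the namespace, forcibly when `FORCE=true`. Use `kubectl delete pod "$pod" -n {{.NAMESPACE}} {{.FORCE_FLAG}}` and guard the task with `[ -n "{{.PREFIX}}" ] || { echo "PREFIX is required" >&2; exit 1; }`. The context lines show the same `$NAMESPACE` use in `helm_uninstall_prefix`.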
diff --git a/jobs/migrate-db/templates/job.yaml b/jobs/migrate-db/templates/job.yaml index 02e685c..2a6f9e1 100644 --- a/jobs/migrate-db/templates/job.yaml +++ b/jobs/migrate-db/templates/job.yaml @@ -28,6 +28,8 @@ apiVersion: batch/v1 kind: Job metadata: name: migrate-db + labels: + name-prefix: migrate-db spec: template: spec: diff --git a/jobs/migrate-s3/templates/job.yaml b/jobs/migrate-s3/templates/job.yaml index 1e88b13..d4616bf 100644 --- a/jobs/migrate-s3/templates/job.yaml +++ b/jobs/migrate-s3/templates/job.yaml @@ -20,6 +20,8 @@ apiVersion: batch/v1 kind: Job metadata: name: migrate-s3-{{ . | toString | replace "/" "-" | replace "." "" | trimSuffix "-" }} + labels: + name-prefix: migrate-s3 spec: template: spec: diff --git a/jobs/refresh-db/templates/job.yaml b/jobs/refresh-db/templates/job.yaml index 1d3a837..d739544 100644 --- a/jobs/refresh-db/templates/job.yaml +++ b/jobs/refresh-db/templates/job.yaml @@ -43,6 +43,8 @@ apiVersion: batch/v1 kind: Job metadata: name: refresh-db + labels: + name-prefix: refresh-db spec: template: spec: diff --git a/jobs/reindex-list/templates/reindexing-config.yaml b/jobs/reindex-list/templates/reindexing-config.yaml index 6616917..1de8cb2 100644 --- a/jobs/reindex-list/templates/reindexing-config.yaml +++ b/jobs/reindex-list/templates/reindexing-config.yaml 
@@ -5,8 +5,8 @@ metadata: data: ELASTICSEARCH_INDEXNAME: "{{ .Values.indexName }}" {{ template "alfresco-search-enterprise.config.spring" . }} - ALFRESCO_SHAREDFILESTORE_BASEURL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file/ - ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-alfresco-router/transform/config + ALFRESCO_SHAREDFILESTORE_BASEURL: https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-transform-router/transform/config ALFRESCO_REINDEX_PATHINDEXINGENABLED: {{ .Values.pathIndexingEnabled | quote }} SPRING_DATASOURCE_URL: {{ .Values.postgresql.url }} {{- if .Values.environment }} diff --git a/jobs/reindex/templates/reindexing-config.yaml b/jobs/reindex/templates/reindexing-config.yaml index b9086dc..14d1ca7 100644 --- a/jobs/reindex/templates/reindexing-config.yaml +++ b/jobs/reindex/templates/reindexing-config.yaml @@ -5,8 +5,8 @@ metadata: data: ELASTICSEARCH_INDEXNAME: "{{ .Values.indexName }}" {{ template "alfresco-search-enterprise.config.spring" . }} - ALFRESCO_SHAREDFILESTORE_BASEURL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file/ - ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-alfresco-router/transform/config + ALFRESCO_SHAREDFILESTORE_BASEURL: https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-transform-router/transform/config ALFRESCO_REINDEX_PATHINDEXINGENABLED: {{ .Values.pathIndexingEnabled | quote }} SPRING_DATASOURCE_URL: {{ .Values.postgresql.url }} {{- if .Values.environment }} 
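Review bot: `ALFRESCO_SHAREDFILESTORE_BASEURL` is now hard-coded to the preprod shared file store host (`alf-sfs.preprod...`) in the chart template, so a reindex job installed in dev, test, stage or poc would talk to preprod's file store across the environment boundary. The URL should come from values set per environment, e.g. `ALFRESCO_SHAREDFILESTORE_BASEURL: {{ .Values.sharedFileStoreBaseUrl | quote }}` (a new value, name to be chosen). The same line is added in `jobs/reindex/templates/reindexing-config.yaml` and `jobs/reindex_date/templates/reindexing-config.yaml`. The ConfigMap continues outside the hunk.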
diff --git a/jobs/reindex_date/templates/reindexing-config.yaml b/jobs/reindex_date/templates/reindexing-config.yaml index 90ab791..9c1cba6 100644 --- a/jobs/reindex_date/templates/reindexing-config.yaml +++ b/jobs/reindex_date/templates/reindexing-config.yaml @@ -5,8 +5,8 @@ metadata: data: ELASTICSEARCH_INDEXNAME: "{{ .Values.indexName }}" {{ template "alfresco-search-enterprise.config.spring" . }} - ALFRESCO_SHAREDFILESTORE_BASEURL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file/ - ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-alfresco-router/transform/config + ALFRESCO_SHAREDFILESTORE_BASEURL: https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-transform-router/transform/config ALFRESCO_REINDEX_PATHINDEXINGENABLED: {{ .Values.pathIndexingEnabled | quote }} SPRING_DATASOURCE_URL: {{ .Values.postgresql.url }} {{- if .Values.environment }} diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index 7e9a02e..332fb04 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml 
@@ -7,10 +7,12 @@ resources: patches: - path: patch-ingress-repository.yaml - path: patch-ingress-share.yaml - - path: patch-delete-reindexing-config-map.yaml - - path: patch-live-path-indexing.yaml - - path: patch-live-metadata-indexing.yaml - - path: patch-live-content-indexing.yaml - - path: patch-live-mediation-indexing.yaml - - path: patch-shared-filestore.yaml + - path: patch-live-indexing-path.yaml + - path: patch-live-indexing-metadata.yaml + - path: patch-live-indexing-mediation.yaml + - path: patch-live-indexing-content.yaml - path: patch-router.yaml + - path: patch-tika.yaml + - path: patch-transform-misc.yaml + - path: patch-transform-libreoffice.yaml + - path: patch-transform-imagemagick.yaml diff --git a/kustomize/base/patch-ingress-repository.yaml b/kustomize/base/patch-ingress-repository.yaml index 2362385..ddd5f53 100644 --- a/kustomize/base/patch-ingress-repository.yaml +++ b/kustomize/base/patch-ingress-repository.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository annotations: external-dns.alpha.kubernetes.io/aws-weight: "100" kubernetes.io/ingress.class: default diff --git a/kustomize/base/patch-ingress-share.yaml b/kustomize/base/patch-ingress-share.yaml index ed6a361..66f58b7 100644 --- a/kustomize/base/patch-ingress-share.yaml +++ b/kustomize/base/patch-ingress-share.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share annotations: external-dns.alpha.kubernetes.io/aws-weight: "100" kubernetes.io/ingress.class: default diff --git a/kustomize/base/patch-live-content-indexing.yaml b/kustomize/base/patch-live-indexing-content.yaml similarity index 77% rename from kustomize/base/patch-live-content-indexing.yaml rename to kustomize/base/patch-live-indexing-content.yaml index 8d24aa9..f28469f 100644 
--- a/kustomize/base/patch-live-content-indexing.yaml +++ b/kustomize/base/patch-live-indexing-content.yaml @@ -18,6 +18,9 @@ spec: value: "60000" # 60 seconds expiry timeout - name: JAVA_OPTS value: "-Dspring.activemq.packages.trustAll=true" - # - name: INPUT_ALFRESCO_CONTENT_BATCH_EVENT_CHANNEL - # value: sjms-batch:contentstore.event?completionTimeout=1000&completionSize=10&aggregationStrategy=#eventAggregator&?consumerCount=20 + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API diff --git a/kustomize/base/patch-live-mediation-indexing.yaml b/kustomize/base/patch-live-indexing-mediation.yaml similarity index 59% rename from kustomize/base/patch-live-mediation-indexing.yaml rename to kustomize/base/patch-live-indexing-mediation.yaml index 4dd4cd3..b5dfe50 100644 --- a/kustomize/base/patch-live-mediation-indexing.yaml +++ b/kustomize/base/patch-live-indexing-mediation.yaml @@ -1,8 +1,11 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: alfresco-content-services-alfresco-search-enterprise-mediation + name: alfresco-search-enterprise-mediation spec: + serviceName: alfresco-search-enterprise-mediation + strategy: + type: Recreate template: spec: containers: @@ -10,7 +13,7 @@ spec: env: - name: SPRING_ACTIVEMQ_POOL_ENABLED value: "true" - - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + - name: SPRING_ACTIVEMQ_POOL_MAX_CONNECTIONS value: "100" - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT value: "30000" # 30 seconds idle timeout @@ -18,5 +21,8 @@ spec: value: "60000" # 60 seconds expiry timeout - name: JAVA_OPTS value: "-Dspring.activemq.packages.trustAll=true" - # - name: INPUT_ALFRESCO_MEDIATION_BATCH_EVENT_CHANNEL - # value: sjms-batch:mediation.event?completionTimeout=1000&completionSize=10&aggregationStrategy=#eventAggregator&?consumerCount=20 + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API 
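Review bot: `strategy:` / `type: Recreate` is added under `spec` in the same hunk of `patch-live-indexing-mediation.yaml` that changes `kind` to `StatefulSet`, but `spec.strategy` is a Deployment field; a StatefulSet takes `updateStrategy` with `RollingUpdate` or `OnDelete`, so the Recreate setting will be dropped or rejected depending on how the manifest is validated. If the intent is to keep two mediation pods from running at once, remove the two `strategy` lines and state it with `updateStrategy:` / `type: RollingUpdate`, which already replaces pods one at a time. Separately, the rename to `SPRING_ACTIVEMQ_POOL_MAX_CONNECTIONS` looks suspect: Spring Boot's environment-variable binding removes dashes rather than turning them into underscores, so `spring.activemq.pool.max-connections` is normally spelled `SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS`, as the removed line had it. It is worth confirming the pool limit still takes effect after this change.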
diff --git a/kustomize/base/patch-live-metadata-indexing.yaml b/kustomize/base/patch-live-indexing-metadata.yaml similarity index 77% rename from kustomize/base/patch-live-metadata-indexing.yaml rename to kustomize/base/patch-live-indexing-metadata.yaml index 3d93309..ae99a76 100644 --- a/kustomize/base/patch-live-metadata-indexing.yaml +++ b/kustomize/base/patch-live-indexing-metadata.yaml @@ -18,5 +18,8 @@ spec: value: "60000" # 60 seconds expiry timeout - name: JAVA_OPTS value: "-Dspring.activemq.packages.trustAll=true" - # - name: INPUT_ALFRESCO_METADATA_BATCH_EVENT_CHANNEL - # value: sjms-batch:metadata.event?completionTimeout=1000&completionSize=10&aggregationStrategy=#eventAggregator&?consumerCount=20 + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API diff --git a/kustomize/base/patch-live-indexing-path.yaml b/kustomize/base/patch-live-indexing-path.yaml new file mode 100644 index 0000000..5690f65 --- /dev/null +++ b/kustomize/base/patch-live-indexing-path.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alfresco-content-services-alfresco-search-enterprise-path +spec: + template: + spec: + containers: + - name: alfresco-search-enterprise-path + env: + - name: JAVA_OPTS + value: "-Dspring.activemq.packages.trustAll=true" + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API diff --git a/kustomize/base/patch-live-path-indexing.yaml b/kustomize/base/patch-live-path-indexing.yaml deleted file mode 100644 index 14baae9..0000000 --- a/kustomize/base/patch-live-path-indexing.yaml +++ /dev/null 
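Review bot: The new `patch-live-indexing-path.yaml` sets `JAVA_OPTS` to `-Dspring.activemq.packages.trustAll=true`, which turns off the class allow-list for ActiveMQ object messages, so whatever a producer on the broker sends is deserialized by this service without restriction. The content, mediation and metadata patches carry the same flag as unchanged context. Prefer an explicit list, e.g. `-Dspring.activemq.packages.trusted=<packages the indexing events need>` (placeholder; the required packages are not visible in this diff). If trust-all really is required, add a comment on the line recording why and what limits who can publish to the broker.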
@@ -1,22 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: alfresco-content-services-alfresco-search-enterprise-path -spec: - template: - spec: - containers: - - name: alfresco-search-enterprise-path - env: - # - name: SPRING_ACTIVEMQ_POOL_ENABLED - # value: "true" - # - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS - # value: "100" - # - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT - # value: "30000" # 30 seconds idle timeout - # - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT - # value: "60000" # 60 seconds expiry timeout - - name: JAVA_OPTS - value: "-Dspring.activemq.packages.trustAll=true" - # - name: INPUT_ALFRESCO_PATH_BATCH_EVENT_CHANNEL - # value: sjms-batch:path.event?completionTimeout=1000&completionSize=10&aggregationStrategy=#eventAggregator&?consumerCount=20 diff --git a/kustomize/base/patch-router.yaml b/kustomize/base/patch-router.yaml index f904722..d557fc5 100644 --- a/kustomize/base/patch-router.yaml +++ b/kustomize/base/patch-router.yaml @@ -1,12 +1,12 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: alfresco-content-services-alfresco-router + name: alfresco-content-services-transform-router spec: template: spec: containers: - - name: alfresco-content-services + - name: alfresco-transform-service env: - name: SPRING_ACTIVEMQ_POOL_ENABLED value: "true" @@ -16,3 +16,8 @@ spec: value: "30000" # 30 seconds idle timeout - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT value: "60000" # 60 seconds expiry timeout + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API diff --git a/kustomize/base/patch-shared-filestore.yaml b/kustomize/base/patch-shared-filestore.yaml deleted file mode 100644 index 20a82b7..0000000 --- a/kustomize/base/patch-shared-filestore.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: alfresco-content-services-alfresco-filestore -spec: - strategy: - type: Recreate - rollingUpdate: null - template: - spec: - containers: - - name: alfresco-content-services - env: - - name: scheduler.content.age.millis - value: "518400000" # 3 days - - name: scheduler.cleanup.interval - value: "259200000" # 1 days diff --git a/kustomize/base/patch-tika.yaml b/kustomize/base/patch-tika.yaml new file mode 100644 index 0000000..0d2c6ce --- /dev/null +++ b/kustomize/base/patch-tika.yaml @@ -0,0 +1,15 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alfresco-content-services-tika +spec: + template: + spec: + containers: + - name: alfresco-transform-service + env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API diff --git a/kustomize/base/patch-transform-imagemagick.yaml b/kustomize/base/patch-transform-imagemagick.yaml new file mode 100644 index 0000000..cf9a79c --- /dev/null +++ b/kustomize/base/patch-transform-imagemagick.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alfresco-content-services-imagemagick +spec: + template: + spec: + containers: + - name: alfresco-transform-service + env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API + diff --git a/kustomize/base/patch-transform-libreoffice.yaml b/kustomize/base/patch-transform-libreoffice.yaml new file mode 100644 index 0000000..1b87228 --- /dev/null +++ b/kustomize/base/patch-transform-libreoffice.yaml @@ -0,0 +1,15 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alfresco-content-services-libreoffice +spec: + template: + spec: + containers: + - name: alfresco-transform-service + env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API 
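Review bot: `FILE_STORE_URL` is overridden for tika, imagemagick and libreoffice here, and for transform-misc and the router in their own patches, but no patch in this commit does the same for the pdf renderer, which `kustomize/base/values.yaml` still enables while setting `filestore.enabled: false`. Unless the chart derives the pdf renderer's file store URL from somewhere not shown, that T-Engine would keep pointing at an in-cluster filestore service that is no longer deployed. Consider adding a matching patch for the pdf renderer Deployment, with its entry under `patches:` in `kustomization.yaml`, or a comment in `kustomization.yaml` explaining why it is exempt.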
diff --git a/kustomize/base/patch-transform-misc.yaml b/kustomize/base/patch-transform-misc.yaml new file mode 100644 index 0000000..c7b5611 --- /dev/null +++ b/kustomize/base/patch-transform-misc.yaml @@ -0,0 +1,15 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alfresco-content-services-transform-misc +spec: + template: + spec: + containers: + - name: alfresco-transform-service + env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + name: alfresco-infrastructure + key: SFS_URL_API diff --git a/kustomize/base/values-versions.yaml b/kustomize/base/values-versions.yaml new file mode 100644 index 0000000..578608f --- /dev/null +++ b/kustomize/base/values-versions.yaml @@ -0,0 +1,66 @@ +alfresco-transform-service: + transformrouter: + image: + repository: quay.io/alfresco/alfresco-transform-router + tag: 2.1.1 + pdfrenderer: + image: + tag: 3.1.1 + imagemagick: + image: + tag: 3.1.1 + libreoffice: + image: + tag: 3.1.1 + tika: + image: + tag: 3.1.1 + transformmisc: + image: + tag: 3.1.1 + filestore: + image: + tag: 2.1.1 +alfresco-search: + searchServicesImage: + tag: 2.0.5.2 + insightEngineImage: + tag: 2.0.5.2 +alfresco-search-enterprise: + liveIndexing: + mediation: + image: + tag: 3.2.0.2 + content: + image: + tag: 3.2.0.2 + metadata: + image: + tag: 3.2.0.2 + path: + image: + tag: 3.2.0.2 + reindexing: + image: + tag: 3.2.0.2 +alfresco-digital-workspace: + image: + tag: 3.1.1 +alfresco-control-center: + image: + tag: 7.9.0 +postgresql: + image: + tag: 14.4.0 +postgresql-syncservice: + image: + tag: 14.4.0 +alfresco-sync-service: + image: + tag: 3.11.1 +alfresco-connector-ms365: + image: + tag: 1.1.3.2 +alfresco-connector-msteams: + image: + tag: 1.1.0 diff --git a/kustomize/base/values.yaml b/kustomize/base/values.yaml index 94d1640..bfe5010 100644 --- a/kustomize/base/values.yaml +++ b/kustomize/base/values.yaml 
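Review bot: Several tags in the new `values-versions.yaml` disagree with the tags this same commit sets in `kustomize/base/values.yaml`: `transformmisc` is 3.1.1 here and 5.0.1 there, `filestore` 2.1.1 against 4.0.1, `alfresco-connector-ms365` 1.1.3.2 against 2.0.0, and `searchServicesImage` 2.0.5.2 against 2.0.8.2. Which image actually runs then depends on the order the two files are passed to Helm, which this diff does not show. Keep each tag in one file only, or add a header comment to this file such as `# Overrides image tags from values.yaml; must be passed after it`, so the deployed versions can be audited from one place.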
@@ -14,50 +14,81 @@ # max heap to 1/4th of container's memory which may not be ideal. Hence, setting # up explicit Container memory and then assigning a percentage of it to the JVM # for performance tuning. -repository: - # -- Administrator password for ACS in NTLM hash format to set at bootstrap time - # will only work on completely fresh database - # adminPassword: "209c6174da490caeb422f3fa5a7ae634" - # -- The name of the secret holding the ACS repository license if any. - # it must be contained within a `data['*.lic']` property - # For details on how to manage license, see: - # https://github.com/Alfresco/acs-deployment/blob/master/docs/helm/examples/alf_license.md - licenseSecret: alfresco-license - edition: Enterprise - replicaCount: 1 - nodeSelector: {} +infrastructure: + configMapName: &infrastructure_cmName alfresco-infrastructure +global: + # -- list of trusted URLs. + # URLs a re used to configure Cross-origin protections + # Also the first entry is considered the main hosting domain of the platform. + known_urls: null # added to each environment values file + # -- For a full information of configuring the outbound email system, see + # https://docs.alfresco.com/content-services/latest/config/email/#manage-outbound-emails + mail: + # -- SMTP server to use for the system to send outgoing email + host: null + # -- SMTP server port + port: 587 + # -- SMTP protocol to use. 
Either smtp or smtps + protocol: smtp + username: anonymous + password: null + smtp: + auth: true + starttls: + enable: true + smtps: + auth: true + search: + # -- set this URL if you have an external search service + url: null # set by helm install task as inline value + # -- set the type of search service used externally (solr6 or elasticsearch) + flavor: elasticsearch + # -- set the security level used with the external search service (secret, none or https) + securecomms: none + # -- Mandatory secret to provide when using Solr search with 'secret' security level + sharedSecret: null + # -- Name of the secret managed by this chart + secretName: &acs_search_secretName alfresco-search-secret + # -- If a private image registry a secret can be defined and passed to + # kubernetes, see: + # https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret + alfrescoRegistryPullSecrets: quay-registry-secret strategy: - type: Recreate - image: - repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository - tag: release_7.3.2_elasticsearch-r5.0.1-content-latest - pullPolicy: IfNotPresent - internalPort: 8080 - hazelcastPort: 5701 - initContainers: - db: - image: - repository: busybox - tag: 1.35.0 - pullPolicy: IfNotPresent - resources: - limits: - cpu: "0.25" - memory: "10Mi" - service: - name: alfresco - type: ClusterIP - externalPort: &repositoryExternalPort 80 - ingress: - path: / - maxUploadSize: "5g" - annotations: {} - # nginx.ingress.kubernetes.io/enable-cors: "true" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - hostName: apps.live.cloud-platform.service.justice.gov.uk + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + registryPullSecrets: + - quay-registry-secret + ai: + # -- Enable AI capabilities in ADW AI plugin + enabled: false +database: + # -- Enable using an external database for Alfresco Content 
Services. Must disable `postgresql.enabled` when true. + external: true + # -- Postgresql jdbc driver name ex: org.postgresql.Driver. It should be available in the container image. + driver: null + # -- External Postgresql database user + user: null + # -- External Postgresql database password + password: null + # -- External Postgresql jdbc url ex: `jdbc:postgresql://oldfashioned-mule-postgresql-acs:5432/alfresco` + url: null + # -- Name of the secret managed by this chart + configMapName: *infrastructure_cmName + # -- Name of the secret managed by this chart + # secretName: &acs_database_secretName alfresco-cs-database + # -- An existing secret that contains DATABASE_USERNAME and DATABASE_PASSWORD keys. + # When using embedded postgres you need to also set `postgresql.existingSecret`. + existingSecretName: rds-instance-output +# -- Activemq connection details (activemq.enabled must also be set to false) +messageBroker: + url: null + user: null + password: null + # -- Name of the secret managed by this chart + # secretName: &acs_messageBroker_secretName acs-alfresco-cs-brokersecret + existingSecretName: amazon-mq-broker-secret +alfresco-repository: environment: JAVA_OPTS: >- -Dindex.subsystem.name=elasticsearch @@ -77,7 +108,9 @@ repository: -Dsystem.delete_not_exists.read_only=false -Dsystem.delete_not_exists.timeout_seconds=3600 -Dfilecontentstore.subsystem.name=S3 - -Ds3.flatRoot=false + CATALINA_OPTS: >- + -Ds3.bucketLocation=eu-west-2 + nameOverride: alfresco-repository securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -91,13 +124,6 @@ repository: runAsUser: 33000 runAsGroup: 1000 fsGroup: 1000 - resources: - requests: - cpu: "1" - memory: "1500Mi" - limits: - cpu: "4" - memory: "3000Mi" # -- The startup probe to cover the worse case startup time for slow clusters startupProbe: periodSeconds: 30 
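Review bot: `global.search.securecomms` is set to `none`, the weakest of the three levels the comment directly above it lists (secret, none or https), and nothing in the hunk records why that is acceptable. If the Elasticsearch endpoint supplied at install time is reached over TLS with its own credentials, say so on the line, e.g. `securecomms: none # Elasticsearch URL is https and set at install time; confirm`; otherwise `https` is the safer default. The hunk also removes the repository `resources` requests and limits while the retained header comment still describes sizing the JVM as a percentage of explicit container memory, so confirm the limits now come from the environment values files. The `alfresco-repository` block continues past the end of this hunk.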
@@ -113,547 +139,156 @@ repository: initialDelaySeconds: 130 periodSeconds: 20 timeoutSeconds: 15 + # image: set by environment values file + configuration: + repository: + existingConfigMap: alf-prop-config-map + existingSecrets: + - name: alfresco-license + key: Alfresco-ent73-NOMSNationalOffenderManagementService-Expires10.03.2025.lic + purpose: acs-license + - name: s3-bucket-output + key: ACCESSKEY + purpose: property:s3.accessKey + - name: s3-bucket-output + key: SECRETKEY + purpose: property:s3.secretKey + - name: s3-bucket-output + key: BUCKET_NAME + purpose: property:s3.bucketName + - name: sfs-url + key: SFS_URL + purpose: property:sfs.url + db: + existingConfigMap: + name: *infrastructure_cmName + existingSecret: + name: rds-instance-output + messageBroker: + existingConfigMap: + name: *infrastructure_cmName + existingSecret: + name: amazon-mq-broker-secret + search: + flavor: elasticsearch + # existingConfigMap: + # name: *infrastructure_cmName + # existingSecret: + # name: *acs_search_secretName + # keys: + # username: SEARCH_USERNAME + # password: SEARCH_PASSWORD persistence: # -- Persist repository data enabled: false - baseSize: 20Gi + baseSize: 100Gi # -- Specify a storageClass for dynamic provisioning accessModes: - ReadWriteOnce - # -- Bind PVC based on storageClass (e.g. dynamic provisioning) - storageClass: - # -- Use pre-provisioned pv through its claim (e.g. 
static provisioning) - existingClaim: - data: - mountPath: /usr/local/tomcat/alf_data - subPath: alfresco-content-services/repository-data - extraVolumes: [] - extraVolumeMounts: [] - extraSideContainers: [] - extraInitContainers: [] - command: [] - # -- Provide additional log statements by adding classes and/or packages in a - # key:value maner org.alfresco.repo.content.transform.TransformerDebug: debug - extraLogStatements: {} - # -- An existing secret that contains REPO_ADMIN_PASSWORD as an alternative for `repository.adminPassword` value - existingSecretName: -# -- Declares the api-explorer service used by the content repository -apiexplorer: - ingress: - path: /api-explorer -ooiService: - replicaCount: 2 +activemq: + nameOverride: activemq + enabled: false + # -- Possibility to choose Node for pod, with a key-value pair label + # e.g {"kubernetes.io/hostname": multinode-demo-m02} nodeSelector: {} + adminUser: + # -- Default username for the embedded broker admin user + user: admin + # -- Default password for the embedded broker admin user + password: admin + existingSecretName: amazon-mq-broker-secret + existingSecretName: null +alfresco-connector-ms365: + # -- Enable/Disable Alfresco Content Connector for Microsoft 365 + enabled: false image: repository: quay.io/alfresco/alfresco-ooi-service - tag: 1.1.3.1 - pullPolicy: IfNotPresent - internalPort: 9095 - service: - name: ooi-service - type: ClusterIP - externalPort: 80 - ingress: - path: /ooi-service - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - podSecurityContext: - runAsNonRoot: true - runAsUser: 33006 - resources: - requests: - cpu: "0.25" - memory: "1000Mi" - limits: - cpu: "2" - memory: "1000Mi" - environment: - JAVA_OPTS: "-Dalfresco.base-url=http://acs-alfresco-cs-repository:80" - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 -# -- 
Enable/Disable Alfresco Content Connector for Microsoft Teams -msTeams: + tag: 2.0.0 + repository: + existingConfigMap: + # -- Name of the configmap which hold the repository connection details + name: *infrastructure_cmName + keys: + # -- Name of the key in the configmap which points to the repository + # service hostname + host: repo_svc_name + # -- Name of the key in the configmap which points to the repository + # service port + port: repo_svc_port +alfresco-connector-msteams: + # -- Enable/Disable Alfresco Content Connector for Microsoft Teams enabled: false -msTeamsService: - replicaCount: 2 - nodeSelector: {} image: repository: quay.io/alfresco/alfresco-ms-teams-service - tag: 1.1.0 - pullPolicy: IfNotPresent - internalPort: 3978 - service: - name: ms-teams-service - type: ClusterIP - externalPort: 80 - ingress: - path: /ms-teams-service - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - podSecurityContext: - runAsNonRoot: true - runAsUser: 33041 - resources: - requests: - cpu: "0.5" - memory: "1000Mi" - limits: - cpu: "1" - memory: "1000Mi" - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - alfresco: - baseUrl: change_me_alf_base_url - digitalWorkspace: - contextPath: /workspace/ - microsoft: - app: - id: change_me_app_id - password: change_me_app_pwd - oauth: - connectionName: alfresco - teams: - chat: - filenameEnabled: true - metadataEnabled: true - imageEnabled: true -transformrouter: - replicaCount: 1 - nodeSelector: {} - image: - repository: quay.io/alfresco/alfresco-transform-router tag: 2.0.0 - pullPolicy: IfNotPresent - internalPort: 8095 - service: - name: transform-router - type: ClusterIP - externalPort: 80 - environment: - JAVA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 140 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - 
initialDelaySeconds: 140 - periodSeconds: 120 - timeoutSeconds: 60 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsNonRoot: true - runAsUser: 33016 - resources: - requests: - cpu: "0.25" - memory: "300Mi" - limits: - cpu: "1" - memory: "512Mi" -# -- Declares the alfresco-pdf-renderer service used by the content repository -# to transform pdf files -pdfrenderer: - replicaCount: 1 - nodeSelector: {} - image: - repository: alfresco/alfresco-pdf-renderer - tag: 3.0.0 - pullPolicy: IfNotPresent - internalPort: 8090 - service: - name: pdfrenderer - type: ClusterIP - externalPort: 80 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsNonRoot: true - runAsUser: 33001 - resources: - requests: - cpu: "0.25" - memory: "300Mi" - limits: - cpu: "2" - memory: "1000Mi" - environment: - JAVA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 150 - livenessTransformPeriodSeconds: 600 - maxTransforms: 10000 - maxTransformSeconds: 1200 -# -- Declares the alfresco-imagemagick service used by the content repository -# to transform image files -imagemagick: - replicaCount: 1 - nodeSelector: {} - image: - repository: alfresco/alfresco-imagemagick - tag: 3.0.0 - pullPolicy: IfNotPresent - internalPort: 8090 - service: - name: imagemagick - type: ClusterIP - externalPort: 80 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsNonRoot: true - runAsUser: 33002 - resources: - requests: - cpu: "0.5" - memory: "300Mi" - limits: - 
cpu: "4" - memory: "1000Mi" - environment: - JAVA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 150 - livenessTransformPeriodSeconds: 600 - maxTransforms: 10000 - maxTransformSeconds: 900 -# -- Declares the alfresco-libreoffice service used by the content repository -# to transform office files -libreoffice: - replicaCount: 1 - nodeSelector: {} - image: - repository: alfresco/alfresco-libreoffice - tag: 3.0.0 - pullPolicy: IfNotPresent - internalPort: 8090 - service: - name: libreoffice - type: ClusterIP - externalPort: 80 - resources: - requests: - cpu: "0.5" - memory: "400Mi" - limits: - cpu: "4" - memory: "1000Mi" - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsNonRoot: true - runAsUser: 33003 - environment: - JAVA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 250 - livenessTransformPeriodSeconds: 600 - maxTransforms: 99999 - maxTransformSeconds: 1800 -# -- Declares the alfresco-tika service used by the content repository -# to transform office files -tika: - replicaCount: 1 - nodeSelector: {} - image: - repository: alfresco/alfresco-tika - tag: 3.0.0 - pullPolicy: IfNotPresent - internalPort: 8090 - service: - name: tika - type: ClusterIP - externalPort: 80 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsNonRoot: true - runAsUser: 33004 - resources: - requests: - cpu: "0.25" - memory: "600Mi" - limits: - cpu: 
"2" - memory: "2Gi" - environment: - JAVA_OPTS: >- - -Xms1024M - -Xmx1638M - readinessProbe: - initialDelaySeconds: 60 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 60 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 400 - livenessTransformPeriodSeconds: 600 - maxTransforms: 10000 - maxTransformSeconds: 1800 -# -- Declares the alfresco-tika service used by the content repository -# to transform office files -transformmisc: +alfresco-transform-service: enabled: true - replicaCount: 1 - nodeSelector: {} - image: - repository: alfresco/alfresco-transform-misc - tag: 3.0.0 - pullPolicy: IfNotPresent - internalPort: 8090 - service: - name: transformmisc - type: ClusterIP - externalPort: 80 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsNonRoot: true - runAsUser: 33006 - resources: - requests: - cpu: "0.25" - memory: "300Mi" - limits: - cpu: "2" - memory: "1000Mi" - environment: - JAVA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 400 - livenessTransformPeriodSeconds: 600 - maxTransforms: 10000 - maxTransformSeconds: 1800 -aiTransformer: - replicaCount: 2 - nodeSelector: {} - image: - repository: quay.io/alfresco/alfresco-ai-docker-engine - tag: 1.5.0 - pullPolicy: IfNotPresent - internalPort: 8090 - service: - name: ai-transformer - type: ClusterIP - externalPort: 80 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsUser: 33015 - resources: - requests: - cpu: "0.25" - memory: "1000Mi" - limits: - cpu: "2" - memory: "1000Mi" - environment: - JAVA_OPTS: >- - 
-XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 400 - livenessTransformPeriodSeconds: 600 - maxTransforms: 10000 - maxTransformSeconds: 1800 -# -- Declares the alfresco-shared-file-store used by the content repository -# and transform service -filestore: - replicaCount: 1 - nodeSelector: {} - image: - repository: ghcr.io/ministryofjustice/hmpps-delius-alfresco-shared-file-store - tag: 2.1.2-4 - pullPolicy: IfNotPresent - internalPort: 8099 - initContainer: - image: - repository: busybox - tag: 1.35.0 - pullPolicy: IfNotPresent - resources: - limits: - cpu: "0.50" - memory: "10Mi" - service: - name: filestore - type: ClusterIP - externalPort: 80 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - podSecurityContext: - runAsUser: 33030 - runAsGroup: 1000 - fsGroup: 1000 - resources: - requests: - cpu: "0.25" - memory: "200Mi" - limits: - cpu: "2" - memory: "2000Mi" - environment: - scheduler.content.age.millis: "86400000" - scheduler.cleanup.interval: "86400000" - JAVA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 60 - timeoutSeconds: 10 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - livenessPercent: 150 - livenessSavePeriodSeconds: 600 - persistence: - # -- Persist filestore data + messageBroker: + existingSecretName: amazon-mq-broker-secret + transformrouter: + # -- Declares the alfresco-transform-router service used by the content repository + # to route transformation requests enabled: true - # -- Specify a storageClass for dynamic provisioning - accessModes: - - ReadWriteOnce - # -- Bind PVC based on storageClass (e.g. 
dynamic provisionning) - storageClass: - # -- Use pre-provisioned pv through its claim (e.g. static provisionning) - existingClaim: null - data: - mountPath: "/tmp/Alfresco" - subPath: "alfresco-content-services/filestore-data" -# -- Define the alfresco-share properties to use in the k8s cluster -# This is the default presentation layer(UI) of Alfresco Content Services + replicaCount: 2 + # image: # set by environment values file + pdfrenderer: + # -- Declares the alfresco-pdf-renderer service used by the content repository + # to transform pdf files + enabled: true + # image: set by environment values file + imagemagick: + # -- Declares the alfresco-imagemagick service used by the content repository + # to transform image files + enabled: true + # image: set by environment values file + libreoffice: + # -- Declares the alfresco-libreoffice service used by the content repository + # to transform office files + enabled: true + # image: set by environment values file + tika: + # -- Declares the alfresco-tika service used by the content repository + # to transform office files + enabled: true + # image: set by environment values file + transformmisc: + # -- Declares the alfresco-tika service used by the content repository + # to transform office files + enabled: true + image: + repository: alfresco/alfresco-transform-misc + tag: 5.0.1 + filestore: + # -- Declares the alfresco-shared-file-store used by the content repository + # and transform service + # due to platform constraints, the filestore is in MP + enabled: false + replicaCount: 0 + image: + repository: quay.io/alfresco/alfresco-shared-file-store + tag: 4.0.1 + persistence: + # -- Persist filestore data + enabled: true + data: + mountPath: "/tmp/Alfresco" + subPath: "alfresco-content-services/filestore-data" share: - replicaCount: 1 - nodeSelector: {} - image: - # repository: quay.io/alfresco/alfresco-share - repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share - tag: 
release_7.3.2_elasticsearch-r5.0.1-share-latest - pullPolicy: IfNotPresent - internalPort: 8080 - service: - name: share - type: ClusterIP - externalPort: 80 - ingress: - path: / - annotations: {} - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + # -- toggle deploying Alfresco Share UI + enabled: true + # image: set by environment values file + nameOverride: share + repository: + existingConfigMap: + # -- Name of the configmap which hold the repository connection details + name: *infrastructure_cmName + keys: + # -- Name of the key in the configmap which points to the repository + # service hostname + host: repo_svc_name + # -- Name of the key in the configmap which points to the repository + # service port + port: repo_svc_port securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
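Review bot: The re-added `activemq.adminUser` block keeps `user: admin` and `password: admin` as literal values; the embedded broker is disabled here (`enabled: false`), but an environment file that flips that flag would bring up a broker with a well-known credential. Set them to `null` and rely on the secret, e.g. `password: null # supplied via existingSecretName`. Directly below, `existingSecretName` appears twice in a row (`amazon-mq-broker-secret`, then `null`); indentation is lost in this view, so I cannot tell whether they sit at different levels, but if they are siblings most YAML parsers keep the last one and the secret reference is silently discarded. The `alfresco-license` entry also embeds an expiry date in its key name (`...Expires10.03.2025.lic`), so a comment noting that the key must be renamed on renewal would help.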
@@ -672,67 +307,26 @@ share: limits: cpu: "4" memory: "2000Mi" - environment: - CATALINA_OPTS: >- - -XX:MinRAMPercentage=50 - -XX:MaxRAMPercentage=80 - readinessProbe: - initialDelaySeconds: 60 - periodSeconds: 20 - timeoutSeconds: 15 - livenessProbe: - initialDelaySeconds: 200 - periodSeconds: 20 - timeoutSeconds: 10 - extraVolumeMounts: [] - extraVolumes: [] - extraSideContainers: [] - extraInitContainers: [] - command: [] -activemq: - nameOverride: activemq - enabled: false - resources: - requests: - cpu: "0.5" - memory: "1024Mi" - limits: - cpu: "2" - memory: "4096Mi" - # -- Possibility to choose Node for pod, with a key-value pair label - # e.g {"kubernetes.io/hostname": multinode-demo-m02} - nodeSelector: {} - adminUser: - # -- Default username for the embedded broker admin user - user: admin - # -- Default password for the embedded broker admin user - password: admin - # -- external activemq connection setting when activemq.enabled=false - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault -messageBroker: &acs_messageBroker - url: null - user: null - password: null - # -- Name of the secret managed by this chart - # secretName: &acs_messageBroker_secretName acs-alfresco-cs-brokersecret - # -- Alternatively, provide credentials via an existing secret that contains - # BROKER_URL, BROKER_USERNAME and BROKER_PASSWORD keys - existingSecretName: amazon-mq-broker-secret -alfresco-elasticsearch-connector: - enabled: false alfresco-search: - searchServicesImage: - repository: alfresco/alfresco-search-services - tag: 2.0.7 - nodeSelector: {} enabled: false + repository: + existingConfigMap: + name: *infrastructure_cmName + keys: + host: repo_svc_name + port: repo_svc_port + securecomms: SEARCH_SECURECOMMS + existingSecret: + name: *acs_search_secretName + keys: + sharedSecret: SOLR_SECRET + searchServicesImage: + repository: quay.io/alfresco/search-services + tag: 2.0.8.2 + 
insightEngineImage: + repository: quay.io/alfresco/insight-engine + tag: 2.0.8.2 + nameOverride: alfresco-search # If an external Solr service is to be used then enabled must be set to false # and external has to be configured accordingly. external: 
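Review bot: The repo-to-Solr authentication mode is no longer stated in this file: the added `securecomms: SEARCH_SECURECOMMS` key under the `alfresco-search` repository config-map keys reads it from the config map behind `*infrastructure_cmName`, whose contents are not part of this hunk. The previous values pinned `global.tracking.auth: secret` (removed in the `@@ -1070,60 +540,32 @@` hunk), and that block's own comment says `none` only works prior to ACS 7.2. I would add a comment on the new key such as `# SEARCH_SECURECOMMS must be "secret" or "https"; "none" leaves repo/solr traffic unauthenticated`, so a later config-map edit cannot weaken it unnoticed. The `share:` mapping named in the hunk header starts outside the hunk.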
@@ -746,83 +340,66 @@ alfresco-search: # -- Alfresco Search services endpoint ('/solr') enabled: false # -- Default solr basic auth user/password: admin / admin - # You can create your own with htpasswd utilility & encode it with base64. + # You can create your own with htpasswd utility & encode it with base64. # Example: `echo -n "$(htpasswd -nbm admin admin)" | base64 | tr -d '\n'` # basicAuth: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg== - basicAuth: + basicAuth: null tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault -database: - # -- Enable using an external database for Alfresco Content Services. Must disable `postgresql.enabled` when true. - external: true - # -- Postgresql jdbc driver name ex: org.postgresql.Driver. It should be available in the container image. - driver: - # -- External Postgresql database user - user: - # -- External Postgresql database password - password: - # -- External Postgresql jdbc url ex: `jdbc:postgresql://oldfashioned-mule-postgresql-acs:5432/alfresco` - url: - # -- Name of the secret managed by this chart - # secretName: &acs_database_secretName acs-alfresco-cs-dbsecret - secretName: - # -- An existing secret that contains DATABASE_USERNAME and DATABASE_PASSWORD keys. - # When using embedded postgres you need to also set `postgresql.existingSecret`. 
- existingSecretName: rds-instance-output alfresco-search-enterprise: - indexName: alfresco enabled: true - elasticsearch: - # -- Enables the embedded elasticsearch cluster - enabled: false + search: + existingConfigMap: + name: *infrastructure_cmName + existingSecret: + name: *acs_search_secretName + ats: + existingConfigMap: + name: *infrastructure_cmName messageBroker: - existingSecretName: amazon-mq-broker-secret - searchIndex: - # -- The host where service is available - host: null - # -- The port where service is available - port: 8080 - # -- Valid values are http or https - protocol: http - # -- The username required to access the service, if any - user: null - # -- The password required to access the service, if any - password: null - reindexing: - enabled: false # leave as false - reindexing job is now standalone - postgresql: - url: - hostname: - database: - existingSecretName: rds-instance-output - image: - tag: 3.2.1 + existingConfigMap: + name: *infrastructure_cmName + existingSecret: + name: amazon-mq-broker-secret + keys: + username: BROKER_USERNAME + password: BROKER_PASSWORD liveIndexing: + # set in value-versions yaml mediation: image: - tag: 3.2.1 + tag: 4.0.0.1 + replicaCount: 1 content: image: - tag: 3.2.1 + tag: 4.0.0.1 + replicaCount: 1 metadata: image: - tag: 3.2.1 + tag: 4.0.0.1 + replicaCount: 1 path: image: - tag: 3.2.1 + tag: 4.0.0.1 + replicaCount: 1 + reindexing: + enabled: false # leave as false - reindexing job is now standalone + repository: + existingConfigMap: + name: *infrastructure_cmName + db: + existingSecret: + name: rds-instance-output + existingConfigMap: + name: *infrastructure_cmName + image: + tag: 4.0.0.1 alfresco-digital-workspace: nodeSelector: {} enabled: false + nameOverride: "alfresco-dw" service: envType: frontend ingress: 
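Review bot: The container `securityContext` deleted after the `alfresco-search` ingress settings (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `seccompProfile.type: RuntimeDefault`) gets no replacement in this hunk, and none of the added `alfresco-search-enterprise` entries (`liveIndexing.*`, `reindexing`) sets one either. Whether chart 7.0.3 or the new kustomize patches apply the same restrictions is not visible here, so please confirm against a rendered manifest and, if they do not, restore those three settings at the path the new chart expects. Separately, the added comment `# set in value-versions yaml` sits directly above four hard-coded `tag: 4.0.0.1` lines; only one of the two places should own the tag.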
@@ -836,17 +413,14 @@ alfresco-digital-workspace: # - chart-example.local image: repository: quay.io/alfresco/alfresco-digital-workspace - tag: 3.1.1 + tag: 4.3.0 pullPolicy: IfNotPresent + registryPullSecrets: + - "{{ $.Values.global.alfrescoRegistryPullSecrets }}" env: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" API_URL: "{protocol}//{hostname}{:port}" - # APP_CONFIG_PLUGIN_MICROSOFT_ONLINE: - # APP_CONFIG_MICROSOFT_ONLINE_OOI_URL: - # APP_CONFIG_MICROSOFT_ONLINE_CLIENTID: - # APP_CONFIG_MICROSOFT_ONLINE_AUTHORITY: - # APP_CONFIG_MICROSOFT_ONLINE_REDIRECT: extraEnv: |- {{- if .Values.global.ai.enabled }} - name: APP_CONFIG_PLUGIN_AI_SERVICE @@ -882,8 +456,10 @@ alfresco-control-center: # - chart-example.local image: repository: quay.io/alfresco/alfresco-control-center - tag: 7.9.0 + tag: 8.3.0 pullPolicy: IfNotPresent + registryPullSecrets: + - "{{ $.Values.global.alfrescoRegistryPullSecrets }}" env: APP_CONFIG_PROVIDER: "ECM" APP_CONFIG_AUTH_TYPE: "BASIC" @@ -902,9 +478,6 @@ alfresco-control-center: limits: cpu: "1" memory: "1024Mi" -# -- Enable/Disable Alfresco Collaboration Connector for Microsoft 365 -ooi: - enabled: false postgresql: # -- Toggle embedded postgres for Alfresco Content Services repository # Check [PostgreSQL Bitnami chart @@ -917,7 +490,7 @@ postgresql: commonAnnotations: application: alfresco-content-services auth: - existingSecret: + existingSecret: null username: alfresco password: alfresco database: alfresco 
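Review bot: The added `registryPullSecrets: - "{{ $.Values.global.alfrescoRegistryPullSecrets }}"` entry depends on a value that this commit appears to remove: the `@@ -1070,60 +540,32 @@` hunk deletes the `global:` block that set `alfrescoRegistryPullSecrets: quay-registry-secret`. Unless `global` is defined again in a part of the file outside these hunks, the template has nothing to resolve to and the image pull would run without the intended credential or fail. The same two lines are added for `alfresco-control-center` in the `@@ -882,8 +456,10 @@` hunk. I would either keep `global.alfrescoRegistryPullSecrets` in this file or add a comment next to the entry naming the file that defines it.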
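Review bot: Writing `existingSecret: null` in the `@@ -917,7 +490,7 @@ postgresql:` hunk makes it explicit that the embedded PostgreSQL credentials are the literals on the following lines, `username: alfresco` and `password: alfresco`. The `enabled` flag for the embedded database is not inside this hunk; if it is ever switched on, the database starts with a password that is committed to the repository. I would point the key at a Kubernetes secret (`existingSecret: POSTGRES_SECRET_NAME_PLACEHOLDER`) or add `# literals below are for throwaway local use only` above `username`. The `postgresql:` mapping continues past the end of the hunk.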
@@ -932,132 +505,29 @@ postgresql: log_min_messages = LOG resources: requests: - cpu: "0.5" - memory: "1500Mi" + cpu: "500m" + memory: "1Gi" limits: cpu: "8" - memory: "8192Mi" + memory: "8Gi" + service: + ports: + postgresql: 5432 persistence: # -- set the storageClass to use for dynamic provisioning. # setting it to null means "default storageClass". storageClass: null # -- provide an existing persistent volume claim name to persist SQL data - # Make sure the root folder has the appropriate permissions/ownhership set. + # Make sure the root folder has the appropriate permissions/ownership set. existingClaim: null subPath: "alfresco-content-services/database-data" -s3connector: - # -- Enable the S3 Connector - # For a full list of properties on the S3 connector see: - # https://docs.alfresco.com/s3connector/references/s3-contentstore-ref-config-props.html - enabled: true - config: - bucketName: - bucketLocation: eu-west-2 - secrets: - accessKey: true - secretKey: true - encryption: - awsKmsKeyId: - # -- An existing kubernetes secret that contains ACCESSKEY, SECRETKEY, ENCRYPTION, KMSKEYID keys - existingSecretName: s3-bucket-output -# -- For a full information of configuring the inbound email system, see -# https://docs.alfresco.com/content-services/latest/config/email/#manage-inbound-emails -email: - server: - enabled: false - port: 1125 - domain: - enableTLS: true - hideTLS: false - requireTLS: false - auth: - enabled: true - connections: - max: 3 - allowed: - senders: .* - blocked: - senders: - inbound: - enabled: false - unknownUser: anonymous - emailContributorsAuthority: EMAIL_CONTRIBUTORS - handler: - folder: - overwriteDuplicates: true - ssl: - secretName: - initContainers: - pemToKeystore: - image: - repository: registry.access.redhat.com/redhat-sso-7/sso71-openshift - tag: 1.1-16 - pullPolicy: IfNotPresent - pemToTruststore: - image: - repository: registry.access.redhat.com/redhat-sso-7/sso71-openshift - tag: 1.1-16 - pullPolicy: IfNotPresent - setPerms: 
- image: - repository: busybox - tag: 1.35.0 - pullPolicy: IfNotPresent -# -- For a full information of configuring the outbound email system, see -# https://docs.alfresco.com/content-services/latest/config/email/#manage-outbound-emails -mail: - # -- SMTP(S) host server to enable delivery of site invitations, activity notifications and workflow tasks by email - host: - port: 25 - protocol: smtps - encoding: UTF-8 - username: - password: - # -- An existing kubernetes secret that contains MAIL_PASSWORD as per `mail.password` value - existingSecretName: - from: - # -- Specifies the email address from which email notifications are sent - default: - enabled: false - smtp: - auth: true - debug: false - timeout: 30000 - starttls: - enable: true - smtps: - auth: true - starttls: - enable: true -# -- For a full information of configuring the imap subsystem, see -# https://docs.alfresco.com/content-services/latest/config/email/#enable-imap-protocol-using-alfresco-globalproperties -imap: - server: - enabled: false - host: "0.0.0.0" - port: 1143 - imap: - enabled: true - imaps: - enabled: true - port: 1144 - mail: - from: - default: - to: - default: -metadataKeystore: - # keystorePassword: "" - # keyPassword: "" - defaultKeystorePassword: "mp6yc0UD9e" - defaultKeyPassword: "oKIWzVdEdA" alfresco-sync-service: # -- Toggle deployment of Alfresco Sync Service (Desktop-Sync) # Check [Alfresco Sync Service # Documentation](https://github.com/Alfresco/alfresco-helm-charts/tree/main/charts/alfresco-sync-service) enabled: false image: - tag: 3.8.0 + tag: 4.0.1 postgresql: enabled: true image: 
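Review bot: Deleting `metadataKeystore.defaultKeystorePassword` and `defaultKeyPassword` from values.yaml does not retire those two literals: they remain in git history, and this same commit adds `kustomize/base/values.yaml.old`, which from its visible part looks like a full copy of the previous file. If any environment's metadata keystore was created with them, they should be treated as disclosed and rotated. The hunk also does not show where the keystore passwords, or the S3 and mail settings removed alongside them, are supplied after the upgrade. I would leave a comment where the block was removed, e.g. `# metadata keystore passwords are supplied by secret KEYSTORE_SECRET_NAME_PLACEHOLDER`, and drop the `.old` copy from the commit.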
@@ -1070,60 +540,32 @@ alfresco-sync-service: primary: resources: requests: - cpu: "0.5" - memory: "1500Mi" + cpu: 250m + memory: 1Gi limits: cpu: "4" - memory: "1500Mi" + memory: 4Gi messageBroker: existingSecretName: amazon-mq-broker-secret repository: - nameOverride: alfresco-cs-repository - port: *repositoryExternalPort -global: - # A shared secret is now required in order to authenticate connections between - # solr and repo (typically: tracking) - tracking: - # -- Select how solr and repo authenticate to each other - # none: work only prior to acs 7.2 (and was the default) - # secret: use a shared secret (to specify using `tracking.sharedsecret`) - # https: to use mTLS auth (require appropriate certificate configuration) - auth: secret - # -- Shared secret to authenticate repo/solr traffic. - # Strong enough secret can be generated with `openssl rand 20 -base64` - # please do not set a value here for sharedsecret. Instead, overwirte it on the commandline - sharedsecret: - # -- If a private image registry a secret can be defined and passed to - # kubernetes, see: - # https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret - alfrescoRegistryPullSecrets: quay-registry-secret - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - registryPullSecrets: - - quay-registry-secret - # -- Choose if you want AI capabilities (globally - including ADW AI plugin) - ai: - enabled: false - # ai: - # aws: - # accessKey: - # secretAccessKey: - # region: - # s3Bucket: - # comprehendRoleARN: - # -- Shared connections details for Elasticsearch/Opensearch, required when - # .enabled is true - elasticsearch: - # -- The host where service is available. 
The provided default is for when - # elasticsearch.enabled is true - host: null - # -- The port where service is available - port: 8080 - # -- Valid values are http or https - protocol: http - # -- The username required to access the service, if any - user: null - # -- The password required to access the service, if any - password: null + nameOverride: alfresco-repository + port: 80 + # -- toggle deploying Alfresco ai transformer +alfresco-ai-transformer: + enabled: false + messageBroker: + existingSecretName: amazon-mq-broker-secret + image: + repository: quay.io/alfresco/alfresco-ai-docker-engine + tag: 3.0.1 +# aws: +# accessKey: +# secretAccessKey: +# region: +# s3Bucket: +# comprehendRoleARN: +elasticsearch: + # -- Enables the embedded elasticsearch cluster + enabled: false + replicas: 1 + clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s" diff --git a/kustomize/base/values.yaml.old b/kustomize/base/values.yaml.old new file mode 100644 index 0000000..f79c415 --- /dev/null +++ b/kustomize/base/values.yaml.old 
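Review bot: The added comment `# -- toggle deploying Alfresco ai transformer` follows `port: 80` and carries an indent, so it reads as part of the `alfresco-sync-service` repository settings rather than documenting the `alfresco-ai-transformer` key that comes next; it belongs directly above that block's `enabled: false`. Replacing the `*repositoryExternalPort` alias with a literal `port: 80` also means the sync service no longer follows the repository port if it changes, which deserves a short comment such as `# must match the repository service port`. The commented `# aws:` example lists `accessKey` and `secretAccessKey` as plain values; a line like `# supply these from a Kubernetes secret, never inline` would keep credentials out of this file when AI is enabled.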
@@ -0,0 +1,1063 @@
+# This is a YAML-formatted file.
+# It declares variables to be passed into your templates.
+# ACS will be created in a k8s cluster with a minimum of 16GB memory to split
+# among below nodes:
+# 2 x repository, 1 x share, 1 x postgres and
+# 1 x transformers (pdfrenderer, imagemagick, libreoffice, tika, misc)
+#
+# Limit container memory and assign X percentage to JVM. There are couple of
+# ways to allocate JVM Memory for ACS Containers, for example:
+# JAVA_OPTS: "-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
+# But, as per Oracle docs
+# (https://docs.oracle.com/javase/9/gctuning/parallel-collector1.htm#JSGCT-GUID-CAB83393-3438-44ED-98F0-D15641B43C7D)
+# If container memory is not explicitly set, then the above flags will default
+# max heap to 1/4th of container's memory which may not be ideal. Hence, setting
+# up explicit Container memory and then assigning a percentage of it to the JVM
+# for performance tuning.
+repository:
+ # -- Administrator password for ACS in NTLM hash format to set at bootstrap time
+ # will only work on completely fresh database
+ # adminPassword: "209c6174da490caeb422f3fa5a7ae634"
+ # -- The name of the secret holding the ACS repository license if any.
+ # it must be contained within a `data['*.lic']` property
+ # For details on how to manage license, see:
+ # https://github.com/Alfresco/acs-deployment/blob/master/docs/helm/examples/alf_license.md
+ licenseSecret: alfresco-license
+ edition: Enterprise
+ replicaCount: 1
+ nodeSelector: {}
+ strategy:
+ type: Recreate
+ image:
+ repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository
+ tag: release_7.3.2_elasticsearch-r5.0.1-content-latest
+ pullPolicy: IfNotPresent
+ internalPort: 8080
+ hazelcastPort: 5701
+ initContainers:
+ db:
+ image:
+ repository: busybox
+ tag: 1.35.0
+ pullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: "0.25"
+ memory: "10Mi"
+ service:
+ name: alfresco
+ type: ClusterIP
+ externalPort: &repositoryExternalPort 80
+ ingress:
+ path: /
+ maxUploadSize: "5g"
+ annotations: {}
+ # nginx.ingress.kubernetes.io/enable-cors: "true"
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ hostName: apps.live.cloud-platform.service.justice.gov.uk
+ environment:
+ JAVA_OPTS: >-
+ -Dindex.subsystem.name=elasticsearch
+ -Delasticsearch.indexName=alfresco
+ -Delasticsearch.createIndexIfNotExists=true
+ -Dtransform.service.enabled=true
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ -Dencryption.keystore.type=JCEKS
+ -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
+ -Dencryption.keyAlgorithm=DESede
+ -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
+ -Dmetadata-keystore.aliases=metadata
+ -Dmetadata-keystore.metadata.algorithm=DESede
+ -Dsystem.workflow.engine.activiti.enabled=false
+ -Dsystem.prop_table_cleaner.algorithm=V2
+ -Dsystem.delete_not_exists.read_only=false
+ -Dsystem.delete_not_exists.timeout_seconds=3600
+ -Dfilecontentstore.subsystem.name=S3
+ -Ds3.flatRoot=false
+ -Dsfs.url=https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33000
+ runAsGroup: 1000
+ fsGroup: 1000
+ resources:
+ requests:
+ cpu: "1"
+ memory: "1500Mi"
+ limits:
+ cpu: "4"
+ memory: "3000Mi"
+ # -- The startup probe to cover the worse case startup time for slow clusters
+ startupProbe:
+ periodSeconds: 30
+ failureThreshold: 10
+ # The repository readiness probe is used to check startup only as a failure
+ # of the liveness probe later will result in the pod being restarted.
+ readinessProbe:
+ initialDelaySeconds: 60
+ periodSeconds: 20
+ timeoutSeconds: 10
+ failureThreshold: 6
+ livenessProbe:
+ initialDelaySeconds: 130
+ periodSeconds: 20
+ timeoutSeconds: 15
+ persistence:
+ # -- Persist repository data
+ enabled: false
+ baseSize: 20Gi
+ # -- Specify a storageClass for dynamic provisioning
+ accessModes:
+ - ReadWriteOnce
+ # -- Bind PVC based on storageClass (e.g. dynamic provisioning)
+ storageClass:
+ # -- Use pre-provisioned pv through its claim (e.g. static provisioning)
+ existingClaim:
+ data:
+ mountPath: /usr/local/tomcat/alf_data
+ subPath: alfresco-content-services/repository-data
+ extraVolumes: []
+ extraVolumeMounts: []
+ extraSideContainers: []
+ extraInitContainers: []
+ command: []
+ # -- Provide additional log statements by adding classes and/or packages in a
+ # key:value maner org.alfresco.repo.content.transform.TransformerDebug: debug
+ extraLogStatements: {}
+ # -- An existing secret that contains REPO_ADMIN_PASSWORD as an alternative for `repository.adminPassword` value
+ existingSecretName:
+# -- Declares the api-explorer service used by the content repository
+apiexplorer:
+ ingress:
+ path: /api-explorer
+ooiService:
+ replicaCount: 2
+ nodeSelector: {}
+ image:
+ repository: quay.io/alfresco/alfresco-ooi-service
+ tag: 1.1.3.1
+ pullPolicy: IfNotPresent
+ internalPort: 9095
+ service:
+ name: ooi-service
+ type: ClusterIP
+ externalPort: 80
+ ingress:
+ path: /ooi-service
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33006
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "1000Mi"
+ limits:
+ cpu: "2"
+ memory: "1000Mi"
+ environment:
+ JAVA_OPTS: "-Dalfresco.base-url=http://acs-alfresco-cs-repository:80"
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+# -- Enable/Disable Alfresco Content Connector for Microsoft Teams
+msTeams:
+ enabled: false
+msTeamsService:
+ replicaCount: 2
+ nodeSelector: {}
+ image:
+ repository: quay.io/alfresco/alfresco-ms-teams-service
+ tag: 1.1.0
+ pullPolicy: IfNotPresent
+ internalPort: 3978
+ service:
+ name: ms-teams-service
+ type: ClusterIP
+ externalPort: 80
+ ingress:
+ path: /ms-teams-service
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33041
+ resources:
+ requests:
+ cpu: "0.5"
+ memory: "1000Mi"
+ limits:
+ cpu: "1"
+ memory: "1000Mi"
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ alfresco:
+ baseUrl: change_me_alf_base_url
+ digitalWorkspace:
+ contextPath: /workspace/
+ microsoft:
+ app:
+ id: change_me_app_id
+ password: change_me_app_pwd
+ oauth:
+ connectionName: alfresco
+ teams:
+ chat:
+ filenameEnabled: true
+ metadataEnabled: true
+ imageEnabled: true
+transformrouter:
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ repository: quay.io/alfresco/alfresco-transform-router
+ tag: 2.0.0
+ pullPolicy: IfNotPresent
+ internalPort: 8095
+ service:
+ name: transform-router
+ type: ClusterIP
+ externalPort: 80
+ environment:
+ JAVA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 140
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 140
+ periodSeconds: 120
+ timeoutSeconds: 60
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33016
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "300Mi"
+ limits:
+ cpu: "1"
+ memory: "512Mi"
+# -- Declares the alfresco-pdf-renderer service used by the content repository
+# to transform pdf files
+pdfrenderer:
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ repository: alfresco/alfresco-pdf-renderer
+ tag: 3.0.0
+ pullPolicy: IfNotPresent
+ internalPort: 8090
+ service:
+ name: pdfrenderer
+ type: ClusterIP
+ externalPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33001
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "300Mi"
+ limits:
+ cpu: "2"
+ memory: "1000Mi"
+ environment:
+ JAVA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ livenessPercent: 150
+ livenessTransformPeriodSeconds: 600
+ maxTransforms: 10000
+ maxTransformSeconds: 1200
+# -- Declares the alfresco-imagemagick service used by the content repository
+# to transform image files
+imagemagick:
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ repository: alfresco/alfresco-imagemagick
+ tag: 3.0.0
+ pullPolicy: IfNotPresent
+ internalPort: 8090
+ service:
+ name: imagemagick
+ type: ClusterIP
+ externalPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33002
+ resources:
+ requests:
+ cpu: "0.5"
+ memory: "300Mi"
+ limits:
+ cpu: "4"
+ memory: "1000Mi"
+ environment:
+ JAVA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ livenessPercent: 150
+ livenessTransformPeriodSeconds: 600
+ maxTransforms: 10000
+ maxTransformSeconds: 900
+# -- Declares the alfresco-libreoffice service used by the content repository
+# to transform office files
+libreoffice:
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ repository: alfresco/alfresco-libreoffice
+ tag: 3.0.0
+ pullPolicy: IfNotPresent
+ internalPort: 8090
+ service:
+ name: libreoffice
+ type: ClusterIP
+ externalPort: 80
+ resources:
+ requests:
+ cpu: "0.5"
+ memory: "400Mi"
+ limits:
+ cpu: "4"
+ memory: "1000Mi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33003
+ environment:
+ JAVA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ livenessPercent: 250
+ livenessTransformPeriodSeconds: 600
+ maxTransforms: 99999
+ maxTransformSeconds: 1800
+# -- Declares the alfresco-tika service used by the content repository
+# to transform office files
+tika:
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ repository: alfresco/alfresco-tika
+ tag: 3.0.0
+ pullPolicy: IfNotPresent
+ internalPort: 8090
+ service:
+ name: tika
+ type: ClusterIP
+ externalPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33004
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "600Mi"
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ environment:
+ JAVA_OPTS: >-
+ -Xms1024M
+ -Xmx1638M
+ readinessProbe:
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 60
+ periodSeconds: 20
+ timeoutSeconds: 10
+ livenessPercent: 400
+ livenessTransformPeriodSeconds: 600
+ maxTransforms: 10000
+ maxTransformSeconds: 1800
+# -- Declares the alfresco-tika service used by the content repository
+# to transform office files
+transformmisc:
+ enabled: true
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ repository: alfresco/alfresco-transform-misc
+ tag: 3.0.0
+ pullPolicy: IfNotPresent
+ internalPort: 8090
+ service:
+ name: transformmisc
+ type: ClusterIP
+ externalPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 33006
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "300Mi"
+ limits:
+ cpu: "2"
+ memory: "1000Mi"
+ environment:
+ JAVA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ livenessPercent: 400
+ livenessTransformPeriodSeconds: 600
+ maxTransforms: 10000
+ maxTransformSeconds: 1800
+aiTransformer:
+ replicaCount: 2
+ nodeSelector: {}
+ image:
+ repository: quay.io/alfresco/alfresco-ai-docker-engine
+ tag: 1.5.0
+ pullPolicy: IfNotPresent
+ internalPort: 8090
+ service:
+ name: ai-transformer
+ type: ClusterIP
+ externalPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsUser: 33015
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "1000Mi"
+ limits:
+ cpu: "2"
+ memory: "1000Mi"
+ environment:
+ JAVA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 60
+ timeoutSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 20
+ timeoutSeconds: 10
+ livenessPercent: 400
+ livenessTransformPeriodSeconds: 600
+ maxTransforms: 10000
+ maxTransformSeconds: 1800
+# -- Declares the alfresco-shared-file-store used by the content repository
+# and transform service
+filestore:
+ enabled: false
+# -- Define the alfresco-share properties to use in the k8s cluster
+# This is the default presentation layer(UI) of Alfresco Content Services
+share:
+ replicaCount: 1
+ nodeSelector: {}
+ image:
+ # repository: quay.io/alfresco/alfresco-share
+ repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share
+ tag: release_7.3.2_elasticsearch-r5.0.1-share-latest
+ pullPolicy: IfNotPresent
+ internalPort: 8080
+ service:
+ name: share
+ type: ClusterIP
+ externalPort: 80
+ ingress:
+ path: /
+ annotations: {}
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - NET_RAW
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ podSecurityContext:
+ runAsUser: 65534
+ resources:
+ requests:
+ cpu: "1"
+ memory: "512Mi"
+ limits:
+ cpu: "4"
+ memory: "2000Mi"
+ environment:
+ CATALINA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+ readinessProbe:
+ initialDelaySeconds: 60
+ periodSeconds: 20
+ timeoutSeconds: 15
+ livenessProbe:
+ initialDelaySeconds: 200
+ periodSeconds: 20
+ timeoutSeconds: 10
+ extraVolumeMounts: []
+ extraVolumes: []
+ extraSideContainers: []
+ extraInitContainers: []
+ command: []
+activemq:
+ nameOverride: activemq
+ enabled: false
+ resources:
+ requests:
+ cpu: "0.5"
+ memory: "1024Mi"
+ limits:
+ cpu: "2"
+ memory: "4096Mi"
+ # -- Possibility to choose Node for pod, with a key-value pair label
+ # e.g {"kubernetes.io/hostname": multinode-demo-m02}
+ nodeSelector: {}
+ adminUser:
+ # -- Default username for the embedded broker admin user
+ user: admin
+ # -- Default password for the embedded broker admin user
+ password: admin
+ # -- external activemq connection setting when activemq.enabled=false
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+messageBroker: &acs_messageBroker
+ url: null
+ user: null
+ password: null
+ # -- Name of the secret managed by this chart
+ # secretName: &acs_messageBroker_secretName acs-alfresco-cs-brokersecret
+ # -- Alternatively, provide credentials via an existing secret that contains
+ # BROKER_URL, BROKER_USERNAME and BROKER_PASSWORD keys
+ existingSecretName: amazon-mq-broker-secret
+alfresco-elasticsearch-connector:
+ enabled: false
+alfresco-search:
+ searchServicesImage:
+ repository: alfresco/alfresco-search-services
+ tag: 2.0.7
+ nodeSelector: {}
+ enabled: false
+ # If an external Solr service is to be used then enabled must be set to false
+ # and external has to be configured accordingly.
+ external:
+ # -- Host dns/ip of the external solr6 instance.
+ host: null
+ # -- Port of the external solr6 instance.
+ port: null
+ alfresco-insight-zeppelin:
+ enabled: false
+ ingress:
+ # -- Alfresco Search services endpoint ('/solr')
+ enabled: false
+ # -- Default solr basic auth user/password: admin / admin
+ # You can create your own with htpasswd utilility & encode it with base64.
+ # Example: `echo -n "$(htpasswd -nbm admin admin)" | base64 | tr -d '\n'`
+ # basicAuth: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg==
+ basicAuth:
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+database:
+ # -- Enable using an external database for Alfresco Content Services. Must disable `postgresql.enabled` when true.
+ external: true
+ # -- Postgresql jdbc driver name ex: org.postgresql.Driver. It should be available in the container image.
+ driver:
+ # -- External Postgresql database user
+ user:
+ # -- External Postgresql database password
+ password:
+ # -- External Postgresql jdbc url ex: `jdbc:postgresql://oldfashioned-mule-postgresql-acs:5432/alfresco`
+ url:
+ # -- Name of the secret managed by this chart
+ # secretName: &acs_database_secretName acs-alfresco-cs-dbsecret
+ secretName:
+ # -- An existing secret that contains DATABASE_USERNAME and DATABASE_PASSWORD keys.
+ # When using embedded postgres you need to also set `postgresql.existingSecret`.
+ existingSecretName: rds-instance-output
+alfresco-search-enterprise:
+ indexName: alfresco
+ enabled: true
+ elasticsearch:
+ # -- Enables the embedded elasticsearch cluster
+ enabled: false
+ messageBroker:
+ existingSecretName: amazon-mq-broker-secret
+ searchIndex:
+ # -- The host where service is available
+ host: null
+ # -- The port where service is available
+ port: 8080
+ # -- Valid values are http or https
+ protocol: http
+ # -- The username required to access the service, if any
+ user: null
+ # -- The password required to access the service, if any
+ password: null
+ reindexing:
+ enabled: false # leave as false - reindexing job is now standalone
+ postgresql:
+ url:
+ hostname:
+ database:
+ existingSecretName: rds-instance-output
+ image:
+ tag: 3.2.1
+ liveIndexing:
+ mediation:
+ image:
+ tag: 3.2.1
+ content:
+ image:
+ tag: 3.2.1
+ metadata:
+ image:
+ tag: 3.2.1
+ path:
+ image:
+ tag: 3.2.1
+alfresco-digital-workspace:
+ nodeSelector: {}
+ enabled: false
+ service:
+ envType: frontend
+ ingress:
+ path: /workspace
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/proxy-body-size: "5g"
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ image:
+ repository: quay.io/alfresco/alfresco-digital-workspace
+ tag: 3.1.1
+ pullPolicy: IfNotPresent
+ env:
+ APP_CONFIG_PROVIDER: "ECM"
+ APP_CONFIG_AUTH_TYPE: "BASIC"
+ API_URL: "{protocol}//{hostname}{:port}"
+ # APP_CONFIG_PLUGIN_MICROSOFT_ONLINE:
+ # APP_CONFIG_MICROSOFT_ONLINE_OOI_URL:
+ # APP_CONFIG_MICROSOFT_ONLINE_CLIENTID:
+ # APP_CONFIG_MICROSOFT_ONLINE_AUTHORITY:
+ # APP_CONFIG_MICROSOFT_ONLINE_REDIRECT:
+ extraEnv: |-
+ {{- if .Values.global.ai.enabled }}
+ - name: APP_CONFIG_PLUGIN_AI_SERVICE
+ value: '{{ .Values.global.ai.enabled }}'
+ {{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ capabilities:
+ drop:
+ - NET_RAW
+ - ALL
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ limits:
+ cpu: "1"
+ memory: "1024Mi"
+alfresco-control-center:
+ nodeSelector: {}
+ enabled: false
+ nameOverride: "alfresco-cc"
+ service:
+ envType: frontend
+ ingress:
+ path: /control-center
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ image:
+ repository: quay.io/alfresco/alfresco-control-center
+ tag: 7.9.0
+ pullPolicy: IfNotPresent
+ env:
+ APP_CONFIG_PROVIDER: "ECM"
+ APP_CONFIG_AUTH_TYPE: "BASIC"
+ API_URL: "{protocol}//{hostname}{:port}"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ capabilities:
+ drop:
+ - NET_RAW
+ - ALL
+ resources:
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ limits:
+ cpu: "1"
+ memory: "1024Mi"
+# -- Enable/Disable Alfresco Collaboration Connector for Microsoft 365
+ooi:
+ enabled: false
+postgresql:
+ # -- Toggle embedded postgres for Alfresco Content Services repository
+ # Check [PostgreSQL Bitnami chart
+ # Documentation](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)
+ enabled: false
+ nameOverride: postgresql-acs
+ image:
+ tag: 14.4.0
+ pullPolicy: IfNotPresent
+ commonAnnotations:
+ application: alfresco-content-services
+ auth:
+ existingSecret:
+ username: alfresco
+ password: alfresco
+ database: alfresco
+ primary:
+ extendedConfiguration: |
+ max_connections = 250
+ shared_buffers = 512MB
+ effective_cache_size = 2GB
+ wal_level = minimal
+ max_wal_senders = 0
+ max_replication_slots = 0
+ log_min_messages = LOG
+ resources:
+ requests:
+ cpu: "0.5"
+ memory: "1500Mi"
+ limits:
+ cpu: "8"
+ memory: "8192Mi"
+ persistence:
+ # -- set the storageClass to use for dynamic provisioning.
+ # setting it to null means "default storageClass".
+ storageClass: null
+ # -- provide an existing persistent volume claim name to persist SQL data
+ # Make sure the root folder has the appropriate permissions/ownhership set.
+ existingClaim: null + subPath: "alfresco-content-services/database-data" +s3connector: + # -- Enable the S3 Connector + # For a full list of properties on the S3 connector see: + # https://docs.alfresco.com/s3connector/references/s3-contentstore-ref-config-props.html + enabled: true + config: + bucketName: + bucketLocation: eu-west-2 + secrets: + accessKey: true + secretKey: true + encryption: + awsKmsKeyId: + # -- An existing kubernetes secret that contains ACCESSKEY, SECRETKEY, ENCRYPTION, KMSKEYID keys + existingSecretName: s3-bucket-output +# -- For a full information of configuring the inbound email system, see +# https://docs.alfresco.com/content-services/latest/config/email/#manage-inbound-emails +email: + server: + enabled: false + port: 1125 + domain: + enableTLS: true + hideTLS: false + requireTLS: false + auth: + enabled: true + connections: + max: 3 + allowed: + senders: .* + blocked: + senders: + inbound: + enabled: false + unknownUser: anonymous + emailContributorsAuthority: EMAIL_CONTRIBUTORS + handler: + folder: + overwriteDuplicates: true + ssl: + secretName: + initContainers: + pemToKeystore: + image: + repository: registry.access.redhat.com/redhat-sso-7/sso71-openshift + tag: 1.1-16 + pullPolicy: IfNotPresent + pemToTruststore: + image: + repository: registry.access.redhat.com/redhat-sso-7/sso71-openshift + tag: 1.1-16 + pullPolicy: IfNotPresent + setPerms: + image: + repository: busybox + tag: 1.35.0 + pullPolicy: IfNotPresent +# -- For a full information of configuring the outbound email system, see +# https://docs.alfresco.com/content-services/latest/config/email/#manage-outbound-emails +mail: + # -- SMTP(S) host server to enable delivery of site invitations, activity notifications and workflow tasks by email + host: + port: 25 + protocol: smtps + encoding: UTF-8 + username: + password: + # -- An existing kubernetes secret that contains MAIL_PASSWORD as per `mail.password` value + existingSecretName: + from: + # -- Specifies the email 
address from which email notifications are sent + default: + enabled: false + smtp: + auth: true + debug: false + timeout: 30000 + starttls: + enable: true + smtps: + auth: true + starttls: + enable: true +# -- For a full information of configuring the imap subsystem, see +# https://docs.alfresco.com/content-services/latest/config/email/#enable-imap-protocol-using-alfresco-globalproperties +imap: + server: + enabled: false + host: "0.0.0.0" + port: 1143 + imap: + enabled: true + imaps: + enabled: true + port: 1144 + mail: + from: + default: + to: + default: +metadataKeystore: + # keystorePassword: "" + # keyPassword: "" + defaultKeystorePassword: "mp6yc0UD9e" + defaultKeyPassword: "oKIWzVdEdA" +alfresco-sync-service: + # -- Toggle deployment of Alfresco Sync Service (Desktop-Sync) + # Check [Alfresco Sync Service + # Documentation](https://github.com/Alfresco/alfresco-helm-charts/tree/main/charts/alfresco-sync-service) + enabled: false + image: + tag: 3.8.0 + postgresql: + enabled: true + image: + tag: 14.4.0 + auth: + enablePostgresUser: false + username: alfresco + password: admin + database: syncservice-postgresql + primary: + resources: + requests: + cpu: "0.5" + memory: "1500Mi" + limits: + cpu: "4" + memory: "1500Mi" + messageBroker: + existingSecretName: amazon-mq-broker-secret + repository: + nameOverride: alfresco-cs-repository + port: *repositoryExternalPort +global: + # A shared secret is now required in order to authenticate connections between + # solr and repo (typically: tracking) + tracking: + # -- Select how solr and repo authenticate to each other + # none: work only prior to acs 7.2 (and was the default) + # secret: use a shared secret (to specify using `tracking.sharedsecret`) + # https: to use mTLS auth (require appropriate certificate configuration) + auth: secret + # -- Shared secret to authenticate repo/solr traffic. + # Strong enough secret can be generated with `openssl rand 20 -base64` + # please do not set a value here for sharedsecret. 
Instead, overwirte it on the commandline + sharedsecret: + # -- If a private image registry a secret can be defined and passed to + # kubernetes, see: + # https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret + alfrescoRegistryPullSecrets: quay-registry-secret + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + registryPullSecrets: + - quay-registry-secret + # -- Choose if you want AI capabilities (globally - including ADW AI plugin) + ai: + enabled: false + # ai: + # aws: + # accessKey: + # secretAccessKey: + # region: + # s3Bucket: + # comprehendRoleARN: + # -- Shared connections details for Elasticsearch/Opensearch, required when + # .enabled is true + elasticsearch: + # -- The host where service is available. The provided default is for when + # elasticsearch.enabled is true + host: null + # -- The port where service is available + port: 8080 + # -- Valid values are http or https + protocol: http + # -- The username required to access the service, if any + user: null + # -- The password required to access the service, if any + password: null diff --git a/kustomize/dev/alf-prop-config-map.yaml b/kustomize/dev/alf-prop-config-map.yaml new file mode 100644 index 0000000..8e9a9e6 --- /dev/null +++ b/kustomize/dev/alf-prop-config-map.yaml 
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: alf-prop-config-map
+data:
+ alfresco-global.properties: |
+ deployment.method=HELM_CHART
+ alfresco.cluster.enabled=true
+ alfresco.host=hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk
+ alfresco.protocol=https
+ alfresco.port=443
+ aos.baseUrlOverwrite=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos
+ csrf.filter.origin=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk
+ csrf.filter.referer=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk/.*
+ share.protocol=https
+ share.host=hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk
+ share.port=443
+ local.transform.service.enabled=true
+ transform.service.enabled=false
+ localTransform.core-aio.url=
+ localTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer
+ localTransform.imagemagick.url=http://alfresco-content-services-imagemagick
+ localTransform.libreoffice.url=http://alfresco-content-services-libreoffice
+ localTransform.tika.url=http://alfresco-content-services-tika
+ localTransform.misc.url=http://alfresco-content-services-transform-misc
+ events.subsystem.autoStart=false
+
+ #Zaizi additions
+ zaizi.noms.root.folder=NOMS
+ zaizi.noms.crn.pattern=([A-Z])([0-9]{3})([0-9]{3})
+ zaizi.noms.invalidCharacters=\\/:*\"\"<>|?!$#%^&
+
+ spg.ndelius.users=N00
+ spg.crc.users=C01,C02,C03,C04,C05,C06,C07,C08,C09,C10,C11,C12,C13,C14,C15,C16,C17,C18,C19,C20,C21,C22,C23
+
+ # The User to Schema Cache
+ cache.spgUserToSchemaVersionCache.tx.maxItems=100
+ cache.spgUserToSchemaVersionCache.tx.statsEnabled=${caches.tx.statsEnabled}
+ cache.spgUserToSchemaVersionCache.maxItems=500
+ cache.spgUserToSchemaVersionCache.timeToLiveSeconds=0
+ cache.spgUserToSchemaVersionCache.maxIdleSeconds=0
+ cache.spgUserToSchemaVersionCache.cluster.type=local
+ cache.spgUserToSchemaVersionCache.backup-count=1
+ cache.spgUserToSchemaVersionCache.eviction-policy=LRU
+ cache.spgUserToSchemaVersionCache.eviction-percentage=25
+ cache.spgUserToSchemaVersionCache.merge-policy=hz.ADD_NEW_ENTRY
+ cache.spgUserToSchemaVersionCache.readBackupData=false
+ cache.spgUserToSchemaVersionCache.cluster.type=invalidating
+
+ # Notify when a messaging to be sent to MPX taking morethan specified time. Value is in milliseconds.
+ message.mpx.log.messageSendingTakenMorethan=1000
+
+ zaizi.noms.mpx.schema.version=0-9-9
+ zaizi.noms.mpx.schema.date=2016-09-05
+ messaging.events.nspg.schema=classpath:SPG-XML_Message_Root-V0-9-9.xsd
+
+ zaizi.noms.mpx.schema2.version=0-9-10
+ zaizi.noms.mpx.schema2.date=2017-03-30
+ messaging.events.nspg2.schema=classpath:SPG-XML_Message_Root-V0-9-10-2.xsd
+
+ zaizi.noms.mpx.schema.911.version=0-9-11
+ zaizi.noms.mpx.schema.911.date=2017-09-04
+ messaging.events.nspg.911.schema=classpath:SPG-XML_Message_Root-V0-9-11.xsd
+
+ zaizi.noms.mpx.schema.912.version=0-9-12
+ zaizi.noms.mpx.schema.912.date=2017-12-05
+ messaging.events.nspg.912.schema=classpath:SPG-XML_Message_Root-V0-9-12.xsd
+
+ zaizi.noms.mpx.schema.913.version=0-9-13
+ zaizi.noms.mpx.schema.913.date=2018-02-08
+ messaging.events.nspg.913.schema=classpath:SPG-XML_Message_Root-V0-9-13.xsd
+
+ zaizi.noms.mpx.schema.914.version=0-9-14
+ zaizi.noms.mpx.schema.914.date=2019-10-21
+ messaging.events.nspg.914.schema=classpath:SPG-XML_Message_Root-V0-9-14.xsd
+
+ # NSPG Administration Groups Patch
+ patch.nspg.administration.deferred=false
+ patch.nspg.administration.roles.cronExpression=0 0 0 ? 1 1 2030
+ patch.nspg.administration.roles.startDelay=0
diff --git a/kustomize/dev/kustomization.yaml b/kustomize/dev/kustomization.yaml
index eaf31f0..4ed2cda 100644
--- a/kustomize/dev/kustomization.yaml
+++ b/kustomize/dev/kustomization.yaml
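Review bot: This ConfigMap is added under kustomize/dev, yet `alfresco.host`, `share.host`, `aos.baseUrlOverwrite`, `csrf.filter.origin` and `csrf.filter.referer` all name the hmpps-delius-alfresco-preprod host, whereas the chart-rendered `repository` ConfigMap in this commit's kustomize/dev/output.yaml uses hmpps-delius-alfresco-dev. The repository Deployment in that output mounts `alf-prop-config-map` as alfresco-global.properties, so the dev CSRF origin/referer check would be keyed to the preprod origin. If this is a copy-paste carry-over, the lines should name the dev host, e.g. `csrf.filter.origin=https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk`. Separately, `cache.spgUserToSchemaVersionCache.cluster.type` is set twice (`local`, then `invalidating`); presumably the later value wins when the properties are loaded, so remove the one that is not intended.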
@@ -3,7 +3,9 @@ kind: Kustomization resources: - ../base + - alf-prop-config-map.yaml patches: - path: patch-ingress-repository.yaml - path: patch-ingress-share.yaml + - path: patch-infra-config-map.yaml diff --git a/kustomize/dev/output.yaml b/kustomize/dev/output.yaml new file mode 100644 index 0000000..a1649be --- /dev/null +++ b/kustomize/dev/output.yaml 
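Review bot: `- alf-prop-config-map.yaml` is added as a plain resource, so the ConfigMap keeps a fixed name and a later edit to the properties will not roll the repository pods. The rendered Deployment in kustomize/dev/output.yaml mounts it with `subPath: alfresco-global.properties`, and subPath mounts are not refreshed when the ConfigMap changes, so running pods would keep stale CSRF and host settings until restarted. Consider a `configMapGenerator` entry (name-hash suffix) or a checksum annotation on the pod template so that a config change triggers a rollout. The new `- path: patch-infra-config-map.yaml` entry also needs that file to exist in kustomize/dev; it is not visible in this part of the patch.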
@@ -0,0 +1,2152 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-repository + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-repository-0.1.2 + name: alfresco-repo-sa +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 4.0.0.1 + helm.sh/chart: alfresco-search-enterprise-3.0.3 + name: alfresco-search-enterprise-sa +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: share + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: share-0.2.1 + name: share-sa +--- +apiVersion: v1 +data: + alfresco-global.properties: | + deployment.method=HELM_CHART + alfresco.cluster.enabled=true + alfresco.host=hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + alfresco.protocol=https + alfresco.port=443 + aos.baseUrlOverwrite=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos + csrf.filter.origin=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + csrf.filter.referer=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk/.* + share.protocol=https + share.host=hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + share.port=443 + local.transform.service.enabled=true + transform.service.enabled=false + localTransform.core-aio.url= + localTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer + localTransform.imagemagick.url=http://alfresco-content-services-imagemagick + localTransform.libreoffice.url=http://alfresco-content-services-libreoffice 
+ localTransform.tika.url=http://alfresco-content-services-tika + localTransform.misc.url=http://alfresco-content-services-transform-misc + events.subsystem.autoStart=false + + #Zaizi additions + zaizi.noms.root.folder=NOMS + zaizi.noms.crn.pattern=([A-Z])([0-9]{3})([0-9]{3}) + zaizi.noms.invalidCharacters=\\/:*\"\"<>|?!$#%^& + + spg.ndelius.users=N00 + spg.crc.users=C01,C02,C03,C04,C05,C06,C07,C08,C09,C10,C11,C12,C13,C14,C15,C16,C17,C18,C19,C20,C21,C22,C23 + + # The User to Schema Cache + cache.spgUserToSchemaVersionCache.tx.maxItems=100 + cache.spgUserToSchemaVersionCache.tx.statsEnabled=${caches.tx.statsEnabled} + cache.spgUserToSchemaVersionCache.maxItems=500 + cache.spgUserToSchemaVersionCache.timeToLiveSeconds=0 + cache.spgUserToSchemaVersionCache.maxIdleSeconds=0 + cache.spgUserToSchemaVersionCache.cluster.type=local + cache.spgUserToSchemaVersionCache.backup-count=1 + cache.spgUserToSchemaVersionCache.eviction-policy=LRU + cache.spgUserToSchemaVersionCache.eviction-percentage=25 + cache.spgUserToSchemaVersionCache.merge-policy=hz.ADD_NEW_ENTRY + cache.spgUserToSchemaVersionCache.readBackupData=false + cache.spgUserToSchemaVersionCache.cluster.type=invalidating + + # Notify when a messaging to be sent to MPX taking morethan specified time. Value is in milliseconds. 
+ message.mpx.log.messageSendingTakenMorethan=1000 + + zaizi.noms.mpx.schema.version=0-9-9 + zaizi.noms.mpx.schema.date=2016-09-05 + messaging.events.nspg.schema=classpath:SPG-XML_Message_Root-V0-9-9.xsd + + zaizi.noms.mpx.schema2.version=0-9-10 + zaizi.noms.mpx.schema2.date=2017-03-30 + messaging.events.nspg2.schema=classpath:SPG-XML_Message_Root-V0-9-10-2.xsd + + zaizi.noms.mpx.schema.911.version=0-9-11 + zaizi.noms.mpx.schema.911.date=2017-09-04 + messaging.events.nspg.911.schema=classpath:SPG-XML_Message_Root-V0-9-11.xsd + + zaizi.noms.mpx.schema.912.version=0-9-12 + zaizi.noms.mpx.schema.912.date=2017-12-05 + messaging.events.nspg.912.schema=classpath:SPG-XML_Message_Root-V0-9-12.xsd + + zaizi.noms.mpx.schema.913.version=0-9-13 + zaizi.noms.mpx.schema.913.date=2018-02-08 + messaging.events.nspg.913.schema=classpath:SPG-XML_Message_Root-V0-9-13.xsd + + zaizi.noms.mpx.schema.914.version=0-9-14 + zaizi.noms.mpx.schema.914.date=2019-10-21 + messaging.events.nspg.914.schema=classpath:SPG-XML_Message_Root-V0-9-14.xsd + + # NSPG Administration Groups Patch + patch.nspg.administration.deferred=false + patch.nspg.administration.roles.cronExpression=0 0 0 ? 
1 1 2030 + patch.nspg.administration.roles.startDelay=0 +kind: ConfigMap +metadata: + name: alf-prop-config-map +--- +apiVersion: v1 +data: + CATALINA_OPTS: -Ddeployment.method=HELM_CHART -Ddb.url="$DATABASE_URL" -Ddb.username=${DATABASE_USERNAME} + -Ddb.password=${DATABASE_PASSWORD} -Ddb.driver="${DATABASE_DRIVER}" -Dmessaging.broker.url="$BROKER_URL" + -Dmessaging.broker.username="$BROKER_USERNAME" -Dmessaging.broker.password="$BROKER_PASSWORD" + -Dindex.subsystem.name="$SEARCH_FLAVOR" -Dmetadata-keystore.password="$ENC_METADATA_STOREPASS" + -Dmetadata-keystore.metadata.password="$ENC_METADATA_KEYPASS" -Delasticsearch.host=$SEARCH_HOST + -Delasticsearch.port=$SEARCH_PORT -Delasticsearch.secureComms=$SEARCH_SECURECOMMS + -Delasticsearch.user=$ELASTICSEARCH_USERNAME -Delasticsearch.password=$ELASTICSEARCH_PASSWORD + -Delasticsearch.createIndexIfNotExists=true -Ds3.accessKey="$ACCESSKEY" -Ds3.secretKey="$SECRETKEY" + -Ds3.bucketName="$BUCKET_NAME" -Dsfs.url="$SFS_URL" -Dimap.server.enabled=false + -Dimap.server.port=1143 -Demail.server.enabled=false -Demail.inbound.enabled=false + -Demail.server.port=1025 -Ds3.bucketLocation=eu-west-2 + JAVA_OPTS: -Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding + -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore + -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.algorithm=DESede + -Dindex.subsystem.name=elasticsearch -Delasticsearch.indexName=alfresco -Delasticsearch.createIndexIfNotExists=true + -Dtransform.service.enabled=true -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + -Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding + -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore + -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.algorithm=DESede + 
-Dsystem.workflow.engine.activiti.enabled=false -Dsystem.prop_table_cleaner.algorithm=V2 + -Dsystem.delete_not_exists.read_only=false -Dsystem.delete_not_exists.timeout_seconds=3600 + -Dfilecontentstore.subsystem.name=S3 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-repository + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-repository-0.1.2 + name: alfresco-content-services-alfresco-opts +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + initialDelaySeconds: "10" + livenessPercent: "150" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "900" + maxTransforms: "10000" + path: /live + periodSeconds: "20" + timeoutSeconds: "10" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: imagemagick + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-imagemagick-configmap +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + initialDelaySeconds: "10" + livenessPercent: "250" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "99999" + path: /live + periodSeconds: "20" + timeoutSeconds: "10" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: libreoffice + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-libreoffice-configmap +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + initialDelaySeconds: "10" + livenessPercent: "150" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1200" + maxTransforms: "10000" + path: /live + 
periodSeconds: "20" + timeoutSeconds: "10" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pdfrenderer + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-pdfrenderer-configmap +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + initialDelaySeconds: "30" + livenessPercent: "400" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "10000" + path: /live + periodSeconds: "20" + timeoutSeconds: "10" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tika + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-tika-configmap +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + initialDelaySeconds: "10" + livenessPercent: "400" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "10000" + path: /live + periodSeconds: "20" + timeoutSeconds: "10" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: transform-misc + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-transform-misc-configmap +--- +apiVersion: v1 +data: + IMAGEMAGICK_URL: http://alfresco-content-services-imagemagick:80 + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + LIBREOFFICE_URL: http://alfresco-content-services-libreoffice:80 + MISC_URL: http://alfresco-content-services-transform-misc:80 + PDF_RENDERER_URL: http://alfresco-content-services-pdfrenderer:80 + TIKA_URL: http://alfresco-content-services-tika:80 + initialDelaySeconds: "20" + path: 
/actuator/health + periodSeconds: "30" + timeoutSeconds: "10" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: transform-router + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-transform-router-configmap +--- +apiVersion: v1 +data: + ATS_URL: http://alfresco-content-services-transform-router/transform/config + BROKER_URL: failover:(nio+ssl://b-5c25f40d-edd0-49e9-95a0-01ea61b5444f-1.mq.eu-west-2.amazonaws.com:61617)?initialReconnectDelay=1000&maxReconnectAttempts=-1&useExponentialBackOff=true&maxReconnectDelay=30000?reconnectSupported=true + DATABASE_DRIVER: org.postgresql.Driver + DATABASE_URL: jdbc:postgresql://cloud-platform-9a95f5dfd5d72b23.cdwm328dlye6.eu-west-2.rds.amazonaws.com:5432/alfresco + REPOSITORY_URL: http://alfresco-content-services-alfresco-repository:80/alfresco + SEARCH_FLAVOR: elasticsearch + SEARCH_HOST: opensearch-proxy-service-cloud-platform-e7170919.hmpps-delius-alfresco-dev.svc.cluster.local + SEARCH_PORT: "8080" + SEARCH_SECURECOMMS: none + SEARCH_URL: http://opensearch-proxy-service-cloud-platform-e7170919.hmpps-delius-alfresco-dev.svc.cluster.local:8080 + SFS_URL: https://alf-sfs.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk/ + SFS_URL_API: https://alf-sfs.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ + repo_svc_name: alfresco-content-services-alfresco-repository + repo_svc_port: "80" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-content-services + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-content-services-7.0.3 + name: alfresco-infrastructure +--- +apiVersion: v1 +data: + alfresco-global.properties: 
"deployment.method=HELM_CHART\nalfresco.cluster.enabled=true\nalfresco.host=hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk\nalfresco.protocol=https\nalfresco.port=443\naos.baseUrlOverwrite=https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos\ncsrf.filter.origin=https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk\ncsrf.filter.referer=https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk/.*\nshare.protocol=https\nshare.host=hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk\nshare.port=443\nlocal.transform.service.enabled=true\ntransform.service.enabled=false + \ \nlocalTransform.core-aio.url=\nlocalTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer\nlocalTransform.imagemagick.url=http://alfresco-content-services-imagemagick\nlocalTransform.libreoffice.url=http://alfresco-content-services-libreoffice\nlocalTransform.tika.url=http://alfresco-content-services-tika\nlocalTransform.misc.url=http://alfresco-content-services-transform-misc\nevents.subsystem.autoStart=false\n" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-content-services + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-content-services-7.0.3 + name: repository +--- +apiVersion: v1 +data: + SEARCH_PASSWORD: "" + SEARCH_USERNAME: "" +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-content-services + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-content-services-7.0.3 + name: alfresco-search-secret +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 
alfresco-repository + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-repository-0.1.2 + name: alfresco-content-services-alfresco-repository +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-repository + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: imagemagick + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-imagemagick +spec: + ports: + - name: imagemagick + port: 80 + targetPort: 8090 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: imagemagick + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: libreoffice + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-libreoffice +spec: + ports: + - name: libreoffice + port: 80 + targetPort: 8090 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: libreoffice + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pdfrenderer + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-pdfrenderer +spec: + ports: + - name: pdfrenderer + port: 80 + targetPort: 8090 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: pdfrenderer + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: 
alfresco-content-services + app.kubernetes.io/name: share + name: alfresco-content-services-share +spec: + ports: + - name: share + port: 80 + targetPort: 8080 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: share + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tika + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-tika +spec: + ports: + - name: tika + port: 80 + targetPort: 8090 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: tika + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: transform-misc + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-transform-misc +spec: + ports: + - name: transformmisc + port: 80 + targetPort: 8090 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: transform-misc + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: transform-router + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-transform-router +spec: + ports: + - name: transform-router + port: 80 + protocol: TCP + targetPort: 8095 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: transform-router + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: indexing-mediation + app.kubernetes.io/instance: alfresco-content-services + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 4.0.0.1 + helm.sh/chart: alfresco-search-enterprise-3.0.3 + name: alfresco-search-enterprise-mediation-headless +spec: + clusterIP: None + ports: + - name: http + port: 8080 + selector: + app.kubernetes.io/component: indexing-mediation + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-repository + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-repository-0.1.2 + name: alfresco-content-services-alfresco-repository +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-repository + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-repository + spec: + containers: + - env: + - name: ENC_METADATA_STOREPASS + value: mp6yc0UD9e + - name: ENC_METADATA_KEYPASS + value: oKIWzVdEdA + - name: DATABASE_URL + valueFrom: + configMapKeyRef: + key: DATABASE_URL + name: alfresco-infrastructure + - name: DATABASE_DRIVER + valueFrom: + configMapKeyRef: + key: DATABASE_DRIVER + name: alfresco-infrastructure + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + key: DATABASE_PASSWORD + name: rds-instance-output + - name: DATABASE_USERNAME + valueFrom: + secretKeyRef: + key: DATABASE_USERNAME + name: rds-instance-output + - name: ACCESSKEY + valueFrom: + secretKeyRef: + key: ACCESSKEY + name: s3-bucket-output + optional: true + - name: SECRETKEY + valueFrom: + secretKeyRef: + key: SECRETKEY + name: s3-bucket-output + optional: true + - name: 
BUCKET_NAME + valueFrom: + secretKeyRef: + key: BUCKET_NAME + name: s3-bucket-output + optional: true + - name: SFS_URL + valueFrom: + secretKeyRef: + key: SFS_URL + name: sfs-url + optional: true + - name: SEARCH_FLAVOR + valueFrom: + configMapKeyRef: + key: SEARCH_FLAVOR + name: alfresco-infrastructure + - name: SEARCH_HOST + valueFrom: + configMapKeyRef: + key: SEARCH_HOST + name: alfresco-infrastructure + - name: SEARCH_PORT + valueFrom: + configMapKeyRef: + key: SEARCH_PORT + name: alfresco-infrastructure + - name: SEARCH_SECURECOMMS + valueFrom: + configMapKeyRef: + key: SEARCH_SECURECOMMS + name: alfresco-infrastructure + - name: ELASTICSEARCH_USERNAME + valueFrom: + secretKeyRef: + key: SEARCH_USERNAME + name: alfresco-search-secret + optional: true + - name: ELASTICSEARCH_PASSWORD + valueFrom: + secretKeyRef: + key: SEARCH_PASSWORD + name: alfresco-search-secret + optional: true + - name: SOLR_SECRET + valueFrom: + secretKeyRef: + key: SOLR_SECRET + name: alfresco-search-secret + optional: true + - name: BROKER_URL + valueFrom: + configMapKeyRef: + key: BROKER_URL + name: alfresco-infrastructure + - name: BROKER_USERNAME + valueFrom: + secretKeyRef: + key: BROKER_USERNAME + name: amazon-mq-broker-secret + optional: true + - name: BROKER_PASSWORD + valueFrom: + secretKeyRef: + key: BROKER_PASSWORD + name: amazon-mq-broker-secret + optional: true + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-opts + image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository:release_7.3.2_elasticsearch-r5.0.2-content-latest + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-live- + port: http + initialDelaySeconds: 130 + periodSeconds: 20 + timeoutSeconds: 15 + name: alfresco-repository + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 5701 + name: hazelcast + protocol: TCP + readinessProbe: + 
failureThreshold: 6 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-ready- + port: http + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 8Gi + requests: + cpu: 250m + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 10 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-live- + port: http + periodSeconds: 30 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /usr/local/tomcat/alf_data + name: data + subPath: alfresco-content-services/repository-data + - mountPath: /usr/local/tomcat/shared/classes/alfresco-global.properties + name: global-properties + readOnly: true + subPath: alfresco-global.properties + - mountPath: /usr/local/tomcat/shared/classes/alfresco/extension/license + name: acs-license + readOnly: true + imagePullSecrets: + - name: quay-registry-secret + initContainers: + - command: + - sh + - -c + - | + NCTARGET=$(echo DATABASE_URL | awk -F ';|/' '{print $3}') + if [[ "$NCTARGET" == *":"* ]]; then + until nc -vw1 $NCTARGET; do + sleep 2 + done + else echo "No port in jdbc URL $DATABASE_URL. 
Can't guess it so skipping db status check" + fi + env: + - name: DATABASE_URL + valueFrom: + configMapKeyRef: + key: DATABASE_URL + name: alfresco-infrastructure + - name: DATABASE_DRIVER + valueFrom: + configMapKeyRef: + key: DATABASE_DRIVER + name: alfresco-infrastructure + image: busybox:1.35 + imagePullPolicy: IfNotPresent + name: wait-db-ready + resources: + limits: + cpu: "0.25" + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 33000 + serviceAccountName: alfresco-repo-sa + terminationGracePeriodSeconds: 60 + volumes: + - emptyDir: + sizeLimit: 100Gi + name: data + - configMap: + defaultMode: 256 + items: + - key: alfresco-global.properties + path: alfresco-global.properties + name: alf-prop-config-map + name: global-properties + - name: acs-license + secret: + defaultMode: 256 + items: + - key: Alfresco-ent73-NOMSNationalOffenderManagementService-Expires10.03.2025.lic + path: license.lic + optional: true + secretName: alfresco-license +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: content-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 4.0.0.1 + helm.sh/chart: alfresco-search-enterprise-3.0.3 + name: alfresco-content-services-alfresco-search-enterprise-content +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: content-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + 
checksum/secret-elasticsearch: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/component: content-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "200" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: BROKER_USERNAME + valueFrom: + secretKeyRef: + key: BROKER_USERNAME + name: amazon-mq-broker-secret + - name: BROKER_PASSWORD + valueFrom: + secretKeyRef: + key: BROKER_PASSWORD + name: amazon-mq-broker-secret + - name: BROKER_URL + valueFrom: + configMapKeyRef: + key: BROKER_URL + name: alfresco-infrastructure + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: SEARCH_USERNAME + name: alfresco-search-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: SEARCH_PASSWORD + name: alfresco-search-secret + - name: SPRING_ELASTICSEARCH_REST_URIS + valueFrom: + configMapKeyRef: + key: SEARCH_URL + name: alfresco-infrastructure + - name: ELASTICSEARCH_INDEXNAME + value: alfresco + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_REFRESHTIME + value: 0 0 * * * * + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_ENABLED + value: "true" + - name: ALFRESCO_PATHINDEXINGCOMPONENT_ENABLED + value: "true" + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL + valueFrom: + configMapKeyRef: + key: ATS_URL + name: 
alfresco-infrastructure + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-content:3.2.0.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-content + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 + serviceAccountName: alfresco-search-enterprise-sa +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: metadata-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 4.0.0.1 + helm.sh/chart: alfresco-search-enterprise-3.0.3 + name: alfresco-content-services-alfresco-search-enterprise-metadata +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: metadata-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/component: metadata-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + 
containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: BROKER_USERNAME + valueFrom: + secretKeyRef: + key: BROKER_USERNAME + name: amazon-mq-broker-secret + - name: BROKER_PASSWORD + valueFrom: + secretKeyRef: + key: BROKER_PASSWORD + name: amazon-mq-broker-secret + - name: BROKER_URL + valueFrom: + configMapKeyRef: + key: BROKER_URL + name: alfresco-infrastructure + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: SEARCH_USERNAME + name: alfresco-search-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: SEARCH_PASSWORD + name: alfresco-search-secret + - name: SPRING_ELASTICSEARCH_REST_URIS + valueFrom: + configMapKeyRef: + key: SEARCH_URL + name: alfresco-infrastructure + - name: ELASTICSEARCH_INDEXNAME + value: alfresco + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_REFRESHTIME + value: 0 0 * * * * + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_ENABLED + value: "true" + - name: ALFRESCO_PATHINDEXINGCOMPONENT_ENABLED + value: "true" + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL + valueFrom: + configMapKeyRef: + key: ATS_URL + name: alfresco-infrastructure + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-metadata:3.2.0.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: 
alfresco-search-enterprise-metadata + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 + serviceAccountName: alfresco-search-enterprise-sa +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: path-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 4.0.0.1 + helm.sh/chart: alfresco-search-enterprise-3.0.3 + name: alfresco-content-services-alfresco-search-enterprise-path +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: path-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/component: path-indexing + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: BROKER_USERNAME + valueFrom: + secretKeyRef: 
+ key: BROKER_USERNAME + name: amazon-mq-broker-secret + - name: BROKER_PASSWORD + valueFrom: + secretKeyRef: + key: BROKER_PASSWORD + name: amazon-mq-broker-secret + - name: BROKER_URL + valueFrom: + configMapKeyRef: + key: BROKER_URL + name: alfresco-infrastructure + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: SEARCH_USERNAME + name: alfresco-search-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: SEARCH_PASSWORD + name: alfresco-search-secret + - name: SPRING_ELASTICSEARCH_REST_URIS + valueFrom: + configMapKeyRef: + key: SEARCH_URL + name: alfresco-infrastructure + - name: ELASTICSEARCH_INDEXNAME + value: alfresco + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_REFRESHTIME + value: 0 0 * * * * + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_ENABLED + value: "true" + - name: ALFRESCO_PATHINDEXINGCOMPONENT_ENABLED + value: "true" + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL + valueFrom: + configMapKeyRef: + key: ATS_URL + name: alfresco-infrastructure + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-path:3.2.0.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-path + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + 
runAsNonRoot: true + runAsUser: 33099 + serviceAccountName: alfresco-search-enterprise-sa +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: imagemagick + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-imagemagick +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: imagemagick + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum.alfresco.org/config-imagemagick: 566aba8e50a56d4e04236474beef22ea5abced2c1d2362005bf62385e4e3dee4 + checksum.alfresco.org/secret-messagebroker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: imagemagick + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-imagemagick + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-imagemagick + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-imagemagick-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-imagemagick:3.1.1 + imagePullPolicy: IfNotPresent + 
livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-transform-service + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: 250m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33002 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: libreoffice + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-libreoffice +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: libreoffice + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum.alfresco.org/config-libreoffice: ba3050ad9def6f86804f8a2519245fe11c64069bc4887aa649189cddeaea96f8 + checksum.alfresco.org/secret-messagebroker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: libreoffice + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-libreoffice + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-libreoffice 
+ topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-libreoffice-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-libreoffice:3.1.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-transform-service + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: 250m + memory: 500Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33003 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pdfrenderer + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-pdfrenderer +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: pdfrenderer + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum.alfresco.org/config-pdfrenderer: 840c990299f6a97eac592f0391f94c6411b3830f0c32279bb6b61ee8164347cd + checksum.alfresco.org/secret-messagebroker: 
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: pdfrenderer + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-pdfrenderer + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-pdfrenderer + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-pdfrenderer-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-pdf-renderer:3.1.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-transform-service + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 100m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33001 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + checkov.io/skip1: CKV_K8S_20=Requires APPS-1832 + checkov.io/skip2: CKV_K8S_23=Requires APPS-1832 + checkov.io/skip3: CKV_K8S_40=Requires APPS-1832 + labels: + app.kubernetes.io/instance: alfresco-content-services + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: share + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: share-0.2.1 + name: alfresco-content-services-share +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: share + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: share + spec: + containers: + - env: + - name: CSRF_FILTER_REFERER + value: https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk/.*\|https://share.hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk/.*\|https://alf-sfs.dev.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/.* + - name: CSRF_FILTER_ORIGIN + value: https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk,https://share.hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk,https://alf-sfs.dev.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk + - name: BASEURL + value: https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + - name: JAVA_OPTS + value: -Dalfresco.proxy=$BASEURL + - name: REPO_HOST + valueFrom: + configMapKeyRef: + key: repo_svc_name + name: alfresco-infrastructure + - name: REPO_PORT + valueFrom: + configMapKeyRef: + key: repo_svc_port + name: alfresco-infrastructure + - name: CATALINA_OPTS + value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share:release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /share + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + name: alfresco-share + ports: + - containerPort: 8005 
+ name: tomcat-shutdown + protocol: TCP + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /share + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + resources: + limits: + cpu: "4" + memory: 2000Mi + requests: + cpu: "1" + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + imagePullSecrets: + - name: quay-registry-secret + initContainers: [] + nodeSelector: {} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: share-sa + volumes: [] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tika + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-tika +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: tika + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum.alfresco.org/config-tika: 564e1cd2db773fdf247d8186115851e4b9ebb11ba072d2e7f410affd3da74287 + checksum.alfresco.org/secret-messagebroker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: tika + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-tika + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-tika + topologyKey: 
kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-tika-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-tika:3.1.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-transform-service + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 30 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: 250m + memory: 600Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33004 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: transform-misc + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: alfresco-transform-service-0.3.2 + name: alfresco-content-services-transform-misc +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: transform-misc + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum.alfresco.org/config-transform-misc: f44290e592e0ee47adbb610e8a5cab7c8dcc84383fb2e3fad80e917c71b245d2 + checksum.alfresco.org/secret-messagebroker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + 
labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: transform-misc + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-transform-misc + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-transform-misc + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-transform-misc-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-transform-misc:3.1.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-transform-service + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 100m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33006 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: transform-router + app.kubernetes.io/version: 4.0.1 + helm.sh/chart: 
alfresco-transform-service-0.3.2 + name: alfresco-content-services-transform-router +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: transform-router + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum.alfresco.org/config-transform-router: cf7203bc6f70a192f5c3f60c603ba28aef71c9f8d3463e909bb88d47b13e0dd6 + checksum.alfresco.org/secret-messagebroker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: transform-router + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-transform-router + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-transform-router + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: FILE_STORE_URL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-transform-router-configmap + - secretRef: + name: amazon-mq-broker-secret + image: quay.io/alfresco/alfresco-transform-router:2.1.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: 
/actuator/health + port: 8095 + initialDelaySeconds: 20 + periodSeconds: 30 + timeoutSeconds: 10 + name: alfresco-transform-service + ports: + - containerPort: 8095 + readinessProbe: + httpGet: + path: /actuator/health + port: 8095 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 100m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33016 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: alfresco-search-enterprise-mediation +spec: + selector: + matchLabels: + app.kubernetes.io/component: indexing-mediation + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + serviceName: alfresco-search-enterprise-mediation + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/component: indexing-mediation + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 4.0.0.1 + helm.sh/chart: alfresco-search-enterprise-3.0.3 + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAX_CONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: ALFRESCO_SHAREDFILESTORE_BASEURL + valueFrom: + configMapKeyRef: + key: SFS_URL_API + name: alfresco-infrastructure + - name: BROKER_USERNAME + valueFrom: + secretKeyRef: + key: BROKER_USERNAME + name: amazon-mq-broker-secret + - name: BROKER_PASSWORD + valueFrom: + secretKeyRef: + key: BROKER_PASSWORD + name: amazon-mq-broker-secret + - 
name: BROKER_URL + valueFrom: + configMapKeyRef: + key: BROKER_URL + name: alfresco-infrastructure + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: ELASTICSEARCH_INDEXNAME + value: alfresco + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_REFRESHTIME + value: 0 0 * * * * + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_ENABLED + value: "true" + - name: ALFRESCO_PATHINDEXINGCOMPONENT_ENABLED + value: "true" + - name: ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL + valueFrom: + configMapKeyRef: + key: ATS_URL + name: alfresco-infrastructure + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-mediation:3.2.0.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-mediation + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + checkov.io/skip1: CKV_K8S_153=We're filtering out snippet in named template + external-dns.alpha.kubernetes.io/aws-weight: "100" + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-repository-hmpps-delius-alfresco-dev-green + kubernetes.io/ingress.class: default + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/proxy-body-size: 5g + 
nginx.ingress.kubernetes.io/proxy-read-timeout: "200" + nginx.ingress.kubernetes.io/proxy-send-timeout: "200" + nginx.ingress.kubernetes.io/server-snippet: | + location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;} + location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;} + location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;} + location ~ ^/.*/s/prometheus$ {return 403;} + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: alfrescoRepo + nginx.ingress.kubernetes.io/whitelist-source-range: 3.11.29.246,18.130.165.209,35.178.35.115,35.178.209.113,3.8.51.207,35.177.252.54,35.176.93.186/32,35.177.125.252/32,35.177.137.160/32,81.134.202.29/32,51.149.250.0/24,51.149.251.0/24,213.121.161.112/28,217.33.148.210/32,13.43.9.198/32,13.42.163.245/32,18.132.208.127/32,51.149.249.0/29,51.149.249.32/29,194.33.192.0/25,194.33.193.0/25,194.33.196.0/25,194.33.197.0/25,195.59.75.0/24,194.33.248.0/29,194.33.249.0/29,62.25.106.209/32,195.92.40.49/32,62.25.109.197/32,195.92.38.16/28,212.137.36.230/32,78.33.10.50/31,78.33.10.52/30,78.33.10.56/30,78.33.10.60/32,78.33.32.99/32,78.33.32.100/30,78.33.32.104/30,78.33.32.108/32,83.98.63.176/29,194.75.210.216/29,217.138.45.109/32,217.138.45.110/32,34.241.149.106/32,52.210.79.20/32,54.228.134.38/32 + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-repository + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: alfresco-repository-0.1.2 + name: alfresco-content-services-alfresco-repository +spec: + ingressClassName: default + rules: + - host: hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + http: + paths: + - backend: + service: + name: alfresco-content-services-alfresco-repository + port: + number: 80 + path: / + pathType: Prefix + - backend: + service: + name: alfresco-content-services-alfresco-repository + port: + number: 80 + path: /api-explorer + pathType: Prefix + tls: + - 
hosts: + - hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + checkov.io/skip1: CKV_K8S_153=We're filtering out snippet in named template + external-dns.alpha.kubernetes.io/aws-weight: "100" + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-share-hmpps-delius-alfresco-dev-green + kubernetes.io/ingress.class: default + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($request_uri = "/") { + return 301 /share/page/; + } + nginx.ingress.kubernetes.io/proxy-body-size: 5g + nginx.ingress.kubernetes.io/server-snippet: | + location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;} + location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;} + location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;} + location ~ ^/.*/s/prometheus$ {return 403;} + nginx.ingress.kubernetes.io/session-cookie-expires: "604800" + nginx.ingress.kubernetes.io/session-cookie-max-age: "604800" + nginx.ingress.kubernetes.io/session-cookie-name: alfrescoShare + nginx.ingress.kubernetes.io/session-cookie-path: /share + nginx.ingress.kubernetes.io/whitelist-source-range: 3.11.29.246,18.130.165.209,35.178.35.115,35.178.209.113,3.8.51.207,35.177.252.54,35.176.93.186/32,35.177.125.252/32,35.177.137.160/32,81.134.202.29/32,51.149.250.0/24,51.149.251.0/24,213.121.161.112/28,217.33.148.210/32,13.43.9.198/32,13.42.163.245/32,18.132.208.127/32,51.149.249.0/29,51.149.249.32/29,194.33.192.0/25,194.33.193.0/25,194.33.196.0/25,194.33.197.0/25,195.59.75.0/24,194.33.248.0/29,194.33.249.0/29,62.25.106.209/32,195.92.40.49/32,62.25.109.197/32,195.92.38.16/28,212.137.36.230/32,78.33.10.50/31,78.33.10.52/30,78.33.10.56/30,78.33.10.60/32,78.33.32.99/32,78.33.32.100/30,78.33.32.104/30,78.33.32.108/32,83.98.63.176/29,194.75.210.216/29,217.138.45.109/32,217.138.45.110/32,34.241.149.106/32,52.210.79.20/32,54.228.134.38/32 + labels: + 
app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: share + app.kubernetes.io/version: 23.1.1 + helm.sh/chart: share-0.2.1 + name: alfresco-content-services-share +spec: + ingressClassName: default + rules: + - host: share.hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + http: + paths: + - backend: + service: + name: alfresco-content-service-share + port: + number: 80 + path: / + pathType: Prefix + - backend: + service: + name: alfresco-content-services-share + port: + number: 80 + path: /share/page/ + pathType: Prefix + tls: + - hosts: + - share.hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + secretName: share-ingress-cert diff --git a/kustomize/dev/patch-infra-config-map.yaml b/kustomize/dev/patch-infra-config-map.yaml new file mode 100644 index 0000000..1188ce2 --- /dev/null +++ b/kustomize/dev/patch-infra-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alfresco-infrastructure +data: + SFS_URL: https://alf-sfs.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk/ + SFS_URL_API: https://alf-sfs.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ diff --git a/kustomize/dev/patch-ingress-repository.yaml b/kustomize/dev/patch-ingress-repository.yaml index d950e3d..c27bd06 100644 --- a/kustomize/dev/patch-ingress-repository.yaml +++ b/kustomize/dev/patch-ingress-repository.yaml 
@@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfresco-dev-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-repository-hmpps-delius-alfresco-dev-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: /api-explorer diff --git a/kustomize/dev/patch-ingress-share.yaml b/kustomize/dev/patch-ingress-share.yaml index 7976e2d..c91c49e 100644 --- a/kustomize/dev/patch-ingress-share.yaml +++ b/kustomize/dev/patch-ingress-share.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfresco-dev-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-share-hmpps-delius-alfresco-dev-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-service-share port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: /share/page/ 
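Review bot: The `/` backend in the second hunk of kustomize/dev/patch-ingress-share.yaml names the Service `alfresco-content-service-share`, while the `/share/page/` backend and the Ingress's own name use `alfresco-content-services-share`; this looks like a dropped `s`. No Service with the shorter name is visible in this patch, and if none exists the ingress controller would have no endpoints to route to for paths under `/` outside `/share/page/`. The line should probably read `name: alfresco-content-services-share`. The rendered Ingress for the share host earlier in this patch carries the same spelling and would need regenerating; the paths list continues outside the hunk.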
diff --git a/kustomize/dev/values.yaml b/kustomize/dev/values.yaml index 8ba33fd..d8b6b45 100644 --- a/kustomize/dev/values.yaml +++ b/kustomize/dev/values.yaml @@ -1,12 +1,24 @@ # this file overrides values defined in ./values.yaml -repository: +alfresco-repository: replicaCount: 2 image: + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository tag: release_7.3.2_elasticsearch-r5.0.2-content-latest + persistence: + # -- Persist repository data + enabled: false + baseSize: 100Gi + # -- Specify a storageClass for dynamic provisioning + accessModes: + - ReadWriteOnce share: replicaCount: 1 image: - tag: release_7.3.2_elasticsearch-r5.0.2-share-latest -externalHost: hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk -externalProtocol: https + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share + tag: release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest externalPort: 443 +global: + known_urls: + - https://hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + - https://share.hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + - https://alf-sfs.dev.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk diff --git a/kustomize/kustomizer.sh b/kustomize/kustomizer.sh index d2b4825..a4c1b41 100755 --- a/kustomize/kustomizer.sh +++ b/kustomize/kustomizer.sh @@ -9,8 +9,9 @@ debug=$(echo $debug | xargs) if [ "$debug" == "true" ]; then set -x cat > ../base/resources.yaml + cp ../base/resources.yaml helm_rendered_spec.yaml kubectl kustomize - kubectl kustomize > output.yaml + kubectl kustomize > kustomized_helm_rendered_spec.yaml else cat > ../base/resources.yaml kubectl kustomize diff --git a/kustomize/poc/alf-prop-config-map.yaml b/kustomize/poc/alf-prop-config-map.yaml new file mode 100644 index 0000000..87cf4a8 --- /dev/null +++ b/kustomize/poc/alf-prop-config-map.yaml 
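Review bot: The third `global.known_urls` entry in kustomize/dev/values.yaml points at the `hmpps-preproduction` alf-sfs host, whereas the dev ConfigMap added in kustomize/dev/patch-infra-config-map.yaml sets `SFS_URL` to the `hmpps-development` host. If `known_urls` feeds the trusted-origin or referer lists, as the name suggests, dev would accept a preproduction origin and omit its own filestore host. I would change the entry to `- https://alf-sfs.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk`, or add a comment saying why the cross-environment host is intended.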
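Review bot: The debug branch of kustomize/kustomizer.sh now writes the full Helm render to `helm_rendered_spec.yaml` and the kustomized result to `kustomized_helm_rendered_spec.yaml` in the overlay directory, and such renders carry `kind: Secret` objects whose `data` is only base64-encoded. This same patch adds kustomize/poc/output.yaml with broker, metadata-keystore and repository-admin secret values in it, which shows how easily a dump ends up committed. I would put `umask 077` ahead of the two writes, confirm both filenames are covered by the `.gitignore` change (not visible here), and remove the committed output.yaml, rotating any value in it that is in use. A comment above the `cp` such as `# debug dumps contain rendered Secrets; never commit them` would make the intent clear; the top of the script is outside the hunk.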
@@ -0,0 +1,80 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alf-prop-config-map +data: + alfresco-global.properties: | + deployment.method=HELM_CHART + alfresco.cluster.enabled=true + alfresco.host=hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + alfresco.protocol=https + alfresco.port=443 + aos.baseUrlOverwrite=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos + csrf.filter.origin=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + csrf.filter.referer=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk/.* + share.protocol=https + share.host=hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + share.port=443 + local.transform.service.enabled=true + transform.service.enabled=false + localTransform.core-aio.url= + localTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer + localTransform.imagemagick.url=http://alfresco-content-services-imagemagick + localTransform.libreoffice.url=http://alfresco-content-services-libreoffice + localTransform.tika.url=http://alfresco-content-services-tika + localTransform.misc.url=http://alfresco-content-services-transform-misc + events.subsystem.autoStart=false + + #Zaizi additions + zaizi.noms.root.folder=NOMS + zaizi.noms.crn.pattern=([A-Z])([0-9]{3})([0-9]{3}) + zaizi.noms.invalidCharacters=\\/:*\"\"<>|?!$#%^& + + spg.ndelius.users=N00 + spg.crc.users=C01,C02,C03,C04,C05,C06,C07,C08,C09,C10,C11,C12,C13,C14,C15,C16,C17,C18,C19,C20,C21,C22,C23 + + # The User to Schema Cache + cache.spgUserToSchemaVersionCache.tx.maxItems=100 + cache.spgUserToSchemaVersionCache.tx.statsEnabled=${caches.tx.statsEnabled} + cache.spgUserToSchemaVersionCache.maxItems=500 + cache.spgUserToSchemaVersionCache.timeToLiveSeconds=0 + cache.spgUserToSchemaVersionCache.maxIdleSeconds=0 + cache.spgUserToSchemaVersionCache.cluster.type=local + 
cache.spgUserToSchemaVersionCache.backup-count=1 + cache.spgUserToSchemaVersionCache.eviction-policy=LRU + cache.spgUserToSchemaVersionCache.eviction-percentage=25 + cache.spgUserToSchemaVersionCache.merge-policy=hz.ADD_NEW_ENTRY + cache.spgUserToSchemaVersionCache.readBackupData=false + cache.spgUserToSchemaVersionCache.cluster.type=invalidating + + # Notify when a messaging to be sent to MPX taking morethan specified time. Value is in milliseconds. + message.mpx.log.messageSendingTakenMorethan=1000 + + zaizi.noms.mpx.schema.version=0-9-9 + zaizi.noms.mpx.schema.date=2016-09-05 + messaging.events.nspg.schema=classpath:SPG-XML_Message_Root-V0-9-9.xsd + + zaizi.noms.mpx.schema2.version=0-9-10 + zaizi.noms.mpx.schema2.date=2017-03-30 + messaging.events.nspg2.schema=classpath:SPG-XML_Message_Root-V0-9-10-2.xsd + + zaizi.noms.mpx.schema.911.version=0-9-11 + zaizi.noms.mpx.schema.911.date=2017-09-04 + messaging.events.nspg.911.schema=classpath:SPG-XML_Message_Root-V0-9-11.xsd + + zaizi.noms.mpx.schema.912.version=0-9-12 + zaizi.noms.mpx.schema.912.date=2017-12-05 + messaging.events.nspg.912.schema=classpath:SPG-XML_Message_Root-V0-9-12.xsd + + zaizi.noms.mpx.schema.913.version=0-9-13 + zaizi.noms.mpx.schema.913.date=2018-02-08 + messaging.events.nspg.913.schema=classpath:SPG-XML_Message_Root-V0-9-13.xsd + + zaizi.noms.mpx.schema.914.version=0-9-14 + zaizi.noms.mpx.schema.914.date=2019-10-21 + messaging.events.nspg.914.schema=classpath:SPG-XML_Message_Root-V0-9-14.xsd + + # NSPG Administration Groups Patch + patch.nspg.administration.deferred=false + patch.nspg.administration.roles.cronExpression=0 0 0 ? 1 1 2030 + patch.nspg.administration.roles.startDelay=0 diff --git a/kustomize/poc/kustomization.yaml b/kustomize/poc/kustomization.yaml index eaf31f0..0603125 100644 --- a/kustomize/poc/kustomization.yaml +++ b/kustomize/poc/kustomization.yaml 
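Review bot: `cache.spgUserToSchemaVersionCache.cluster.type` is set twice in the embedded alfresco-global.properties of kustomize/poc/alf-prop-config-map.yaml, first to `local` and six lines later to `invalidating`. Java properties loading normally keeps the last value, so the `local` line is probably dead and misleads anyone who stops reading at the first occurrence; keep the intended one and delete the other. The file also sets `alfresco.cluster.enabled=true`, while the `ALFRESCO_OPTS` in the poc output.yaml added by this patch passes `-Dalfresco.cluster.enabled=false`. A comment at the top of the properties block saying which source takes precedence once this ConfigMap is mounted would avoid guessing.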
@@ -3,6 +3,7 @@ kind: Kustomization resources: - ../base + - alf-prop-config-map.yaml patches: - path: patch-ingress-repository.yaml diff --git a/kustomize/poc/output.yaml b/kustomize/poc/output.yaml new file mode 100644 index 0000000..3ee7106 --- /dev/null +++ b/kustomize/poc/output.yaml 
@@ -0,0 +1,2110 @@ +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "150" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "900" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-imagemagick-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "250" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "99999" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-libreoffice-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "150" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1200" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-pdfrenderer-configmap +--- +apiVersion: v1 +data: + ALFRESCO_OPTS: -Ddeployment.method=HELM_CHART -Dalfresco.cluster.enabled=false 
-Ddir.license.external=/usr/local/tomcat/shared/classes/alfresco/extension/license/ + -Dalfresco.host=hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + -Dalfresco.protocol=https -Dalfresco.port=443 -Daos.baseUrlOverwrite=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos + -Dcsrf.filter.origin=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + -Dcsrf.filter.referer=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk/.* + -Dshare.protocol=https -Dshare.host=hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + -Dshare.port=443 -Delasticsearch.host=opensearch-proxy-service-cloud-platform-62a206e0.hmpps-delius-alfrsco-poc.svc.cluster.local + -Delasticsearch.port=8080 -Delasticsearch.user= -Delasticsearch.password= -Delasticsearch.createIndexIfNotExists=true + -Delasticsearch.indexName=alfresco -Dindex.subsystem.name=elasticsearch -Dtransform.service.url=http://alfresco-content-services-alfresco-router + -Dsfs.url=http://alfresco-content-services-alfresco-filestore:80 -DlocalTransform.core-aio.url= + -DlocalTransform.pdfrenderer.url=http://alfresco-content-services-alfresco-cs-pdfrenderer + -DlocalTransform.imagemagick.url=http://alfresco-content-services-alfresco-cs-imagemagick + -DlocalTransform.libreoffice.url=http://alfresco-content-services-alfresco-cs-libreoffice + -DlocalTransform.tika.url=http://alfresco-content-services-alfresco-cs-tika -DlocalTransform.misc.url=http://alfresco-content-services-alfresco-cs-transform-misc + -Dalfresco-pdf-renderer.url=http://alfresco-content-services-alfresco-cs-pdfrenderer + -Dimg.url=http://alfresco-content-services-alfresco-cs-imagemagick -Djodconverter.url=http://alfresco-content-services-alfresco-cs-libreoffice + -Dtika.url=http://alfresco-content-services-alfresco-cs-tika -Dtransform.misc.url=http://alfresco-content-services-alfresco-cs-transform-misc + 
-Ds3.bucketLocation=eu-west-2 -Ds3.bucketName=cloud-platform-5ce784402d8052fe1cd006f1e7329f70 + -Devents.subsystem.autoStart=false + CATALINA_OPTS: $ALFRESCO_OPTS -Ddb.driver=org.postgresql.Driver -Ddb.url=jdbc:postgresql://cloud-platform-f05612b0b7cdbf33.cdwm328dlye6.eu-west-2.rds.amazonaws.com:5432/alfresco + -Ddb.username=$DATABASE_USERNAME -Ddb.password=$DATABASE_PASSWORD -Ds3.accessKey=$ACCESSKEY + -Ds3.secretKey=$SECRETKEY -Dmetadata-keystore.password=$METADATA_KEYSTORE_PASSWORD + -Dmetadata-keystore.metadata.password=$METADATA_KEY_PASSWORD -Dmessaging.broker.url=$BROKER_URL + -Dmessaging.broker.username=$BROKER_USERNAME -Dmessaging.broker.password=$BROKER_PASSWORD + -Dencryption.ssl.truststore.location=$JAVA_HOME/lib/security/cacerts -Dalfresco_user_store.adminpassword=$REPO_ADMIN_PASSWORD + JAVA_OPTS: -Dindex.subsystem.name=elasticsearch -Delasticsearch.indexName=alfresco + -Delasticsearch.createIndexIfNotExists=true -Dtransform.service.enabled=true -XX:MinRAMPercentage=50 + -XX:MaxRAMPercentage=80 -Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding + -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore + -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.algorithm=DESede + -Dsystem.workflow.engine.activiti.enabled=false -Dsystem.prop_table_cleaner.algorithm=V2 + -Dsystem.delete_not_exists.read_only=false -Dsystem.delete_not_exists.timeout_seconds=3600 + -Dfilecontentstore.subsystem.name=S3 -Ds3.flatRoot=false + RELEASE_NAME: alfresco-content-services +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository-configmap +--- +apiVersion: v1 +data: + CATALINA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + 
CSRF_FILTER_ORIGIN: https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + CSRF_FILTER_REFERER: https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk/.* + JAVA_OPTS: -Dalfresco.proxy=https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + REPO_HOST: alfresco-content-services-alfresco-cs-repository + REPO_PORT: "80" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -Xms1024M -Xmx1638M + livenessPercent: "400" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-tika + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-tika-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "400" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-transform-misc-configmap +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "150" + 
livenessSavePeriodSeconds: "600" + scheduler.cleanup.interval: "86400000" + scheduler.content.age.millis: "86400000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-filestore + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-filestore-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + IMAGEMAGICK_URL: http://alfresco-content-services-alfresco-cs-imagemagick:80 + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + LIBREOFFICE_URL: http://alfresco-content-services-alfresco-cs-libreoffice:80 + MISC_URL: http://alfresco-content-services-alfresco-cs-transform-misc:80 + PDF_RENDERER_URL: http://alfresco-content-services-alfresco-cs-pdfrenderer:80 + TIKA_URL: http://alfresco-content-services-alfresco-cs-tika:80 +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-router + chart: alfresco-content-services-6.0.2 + component: transformrouter + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-router-configmap +--- +apiVersion: v1 +data: + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-alfresco-router/transform/config + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_ENABLED: "true" + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_REFRESHTIME: 0 0 * * * * + ALFRESCO_PATHINDEXINGCOMPONENT_ENABLED: "true" + ALFRESCO_SHAREDFILESTORE_BASEURL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file/ + ELASTICSEARCH_INDEXNAME: alfresco + SPRING_ELASTICSEARCH_REST_URIS: http://opensearch-proxy-service-cloud-platform-62a206e0.hmpps-delius-alfrsco-poc.svc.cluster.local:8080 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-configmap +--- +apiVersion: v1 +data: + BROKER_PASSWORD: YWRtaW4= + BROKER_URL: ZmFpbG92ZXI6KG5pbzovL2FsZnJlc2NvLWNvbnRlbnQtc2VydmljZXMtYWN0aXZlbXEtYnJva2VyOjYxNjE2KT90aW1lb3V0PTMwMDAmam1zLnVzZUNvbXByZXNzaW9uPXRydWU= + BROKER_USERNAME: YWRtaW4= +kind: Secret +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: acs-alfresco-cs-brokersecret +type: Opaque +--- +apiVersion: v1 +data: + BROKER_PASSWORD: YWRtaW4= + BROKER_USERNAME: YWRtaW4= +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: activemq + app.kubernetes.io/version: 5.17.4 + helm.sh/chart: activemq-3.1.0 + name: alfresco-content-services-activemq-brokersecret +type: Opaque +--- +apiVersion: v1 +data: + METADATA_KEY_PASSWORD: b0tJV3pWZEVkQQ== + METADATA_KEYSTORE_PASSWORD: bXA2eWMwVUQ5ZQ== +kind: Secret +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-metadata-keystore-secret +type: Opaque +--- +apiVersion: v1 +data: + REPO_ADMIN_PASSWORD: MjA5YzYxNzRkYTQ5MGNhZWI0MjJmM2ZhNWE3YWU2MzQ= +kind: Secret +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository-secret +type: Opaque +--- +apiVersion: v1 +data: + ELASTICSEARCH_PASSWORD: "" + 
ELASTICSEARCH_USERNAME: "" +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: activemq + app.kubernetes.io/version: 5.17.4 + helm.sh/chart: activemq-3.1.0 + name: alfresco-content-services-activemq-broker +spec: + ports: + - name: stomp + port: 61613 + protocol: TCP + targetPort: 61613 + - name: openwire + port: 61616 + protocol: TCP + targetPort: 61616 + - name: amqp + port: 5672 + protocol: TCP + targetPort: 5672 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: activemq + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: activemq + app.kubernetes.io/version: 5.17.4 + helm.sh/chart: activemq-3.1.0 + name: alfresco-content-services-activemq-web-console +spec: + ports: + - name: web-console + port: 8161 + protocol: TCP + targetPort: 8161 + selector: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: activemq + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-imagemagick +spec: + ports: + - name: imagemagick + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-imagemagick + component: transformers + 
release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-libreoffice +spec: + ports: + - name: libreoffice + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-libreoffice + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-pdfrenderer +spec: + ports: + - name: pdfrenderer + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-pdfrenderer + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository +spec: + ports: + - name: alfresco + port: 80 + targetPort: 8080 + selector: + app: alfresco-content-services-alfresco-cs-repository + component: repository + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share +spec: + ports: + - name: share + port: 80 + targetPort: 8080 + selector: + app: alfresco-content-services-alfresco-cs-share + component: share + 
release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-tika + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-tika +spec: + ports: + - name: tika + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-tika + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-transform-misc +spec: + ports: + - name: transformmisc + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-transform-misc + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-filestore + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-filestore +spec: + ports: + - name: filestore + port: 80 + targetPort: 8099 + selector: + app: alfresco-content-services-alfresco-filestore + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-router + chart: alfresco-content-services-6.0.2 + component: transformrouter + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-router +spec: + ports: + - name: transform-router + port: 80 + protocol: TCP + targetPort: 8095 + selector: + app: alfresco-content-services-alfresco-router + component: 
transformrouter + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: activemq-default-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: filestore-default-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + volumeMode: Filesystem +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: activemq + app.kubernetes.io/version: 5.17.4 + helm.sh/chart: activemq-3.1.0 + name: alfresco-content-services-activemq +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: activemq + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: activemq + spec: + containers: + - env: + - name: ACTIVEMQ_CONFIG_MINMEMORY + value: "512" + - name: ACTIVEMQ_CONFIG_MAXMEMORY + value: "2048" + - name: ACTIVEMQ_BROKER_NAME + value: alfresco-content-services-activemq + - name: ACTIVEMQ_ADMIN_LOGIN + valueFrom: + secretKeyRef: + key: BROKER_USERNAME + name: alfresco-content-services-activemq-brokersecret + - name: ACTIVEMQ_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: BROKER_PASSWORD + name: alfresco-content-services-activemq-brokersecret + image: alfresco/alfresco-activemq:5.17.4-jre17-rockylinux8 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + initialDelaySeconds: 60 + periodSeconds: 10 + tcpSocket: + port: 61616 + timeoutSeconds: 1 + name: activemq + ports: + - containerPort: 61613 + name: stomp + - containerPort: 61616 + name: openwire + - containerPort: 5672 + name: amqp + - containerPort: 8161 + name: web-console + readinessProbe: + 
failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + tcpSocket: + port: 61616 + timeoutSeconds: 1 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.25" + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /opt/activemq/data + name: data + subPath: alfresco-infrastructure/activemq-data + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 33031 + terminationGracePeriodSeconds: 1 + volumes: + - name: data + persistentVolumeClaim: + claimName: activemq-default-pvc +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-imagemagick +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-imagemagick + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 77504232107df28e3fae1cd91fdc37518dfa5229d21f73e2058e526d7ad89c6b + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-imagemagick + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-imagemagick + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - 
name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-imagemagick-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: alfresco/alfresco-imagemagick:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 1000Mi + requests: + cpu: "0.5" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33002 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-libreoffice +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-libreoffice + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: c29b71fae340444799e63ddc2280c00de4c990a3dad047c0ebe70685ef7ab89c + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + 
matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-libreoffice + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-libreoffice + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-libreoffice-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: alfresco/alfresco-libreoffice:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 1000Mi + requests: + cpu: "0.5" + memory: 400Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33003 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-pdfrenderer +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + 
type: RollingUpdate + template: + metadata: + annotations: + checksum/config: e61eca295784c0d562e9f9e3fa9e70f707291420af8c0ac90b668d14b76b628f + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-pdfrenderer + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-pdfrenderer + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-pdfrenderer-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: alfresco/alfresco-pdf-renderer:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 1000Mi + requests: + cpu: "0.25" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33001 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: 
alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-repository + component: repository + release: alfresco-content-services + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config: d955f674815090f6eeb81d81622cc02d896f030bdbf1bc89f53335ff61aae588 + checksum/secretDatabase: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secretS3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app: alfresco-content-services-alfresco-cs-repository + component: repository + release: alfresco-content-services + spec: + containers: + - envFrom: + - secretRef: + name: rds-instance-output + - secretRef: + name: s3-bucket-output + - secretRef: + name: alfresco-content-services-alfresco-cs-metadata-keystore-secret + - secretRef: + name: acs-alfresco-cs-brokersecret + - secretRef: + name: alfresco-content-services-alfresco-cs-repository-secret + - configMapRef: + name: alfresco-content-services-alfresco-cs-repository-configmap + image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository:release_7.3.2_elasticsearch-r5.0.2-content-latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - sleep 20 + livenessProbe: + failureThreshold: 1 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-live- + port: 8080 + initialDelaySeconds: 130 + periodSeconds: 20 + timeoutSeconds: 15 + name: alfresco-content-services + ports: + - containerPort: 8080 + - containerPort: 5701 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-ready- + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" 
+ memory: 3000Mi + requests: + cpu: "1" + memory: 1500Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 10 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-ready- + port: 8080 + periodSeconds: 30 + volumeMounts: + - mountPath: /usr/local/tomcat/alf_data + name: data + subPath: alfresco-content-services/repository-data + - mountPath: /usr/local/tomcat/shared/classes/alfresco/extension/license/ + name: acs-license + imagePullSecrets: + - name: quay-registry-secret + initContainers: null + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 33000 + volumes: + - emptyDir: + sizeLimit: 20Gi + name: data + - name: acs-license + secret: + defaultMode: 256 + secretName: alfresco-license + - configMap: + name: custom-pipeline-config + optional: true + name: custom-pipeline-config-volume + - configMap: + name: custom-rendition-config + optional: true + name: custom-rendition-config-volume + - configMap: + name: custom-mimetype-config + optional: true + name: custom-mimetype-config-volume + - configMap: + name: custom-queryset-config + optional: true + name: custom-queryset-config-volume +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + checkov.io/skip1: CKV_K8S_23=Requires APPS-1832 first + checkov.io/skip2: CKV_K8S_40=Requires APPS-1832 first + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-share + component: share + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 
428c2ba2026a88cc7763ac0c1772943157c8a4822def1efc76743b72b74a19f8 + labels: + app: alfresco-content-services-alfresco-cs-share + component: share + release: alfresco-content-services + spec: + containers: + - envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-share-configmap + image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share:release_7.3.2_elasticsearch-r5.0.2-share-latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - sleep 20 + livenessProbe: + failureThreshold: 1 + httpGet: + path: /share + port: 8080 + initialDelaySeconds: 200 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8080 + readinessProbe: + httpGet: + path: /share + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 15 + resources: + limits: + cpu: "4" + memory: 2000Mi + requests: + cpu: "1" + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 65534 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-tika + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-tika +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-tika + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 4ce771746eed38f9cac09952793879c40330a2f75a60d4008c84810fe870eb58 + labels: + app: alfresco-content-services-alfresco-cs-tika + component: transformers + release: 
alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-tika + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-tika + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-tika-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: alfresco/alfresco-tika:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: "0.25" + memory: 600Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33004 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-transform-misc +spec: + replicas: 1 + selector: + matchLabels: + app: 
alfresco-content-services-alfresco-cs-transform-misc + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: c44dc1b790fba68833f95ffeecc6878f057f3dd629b3a44a44b2a8ad1a517119 + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-transform-misc + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-transform-misc + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-transform-misc-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: alfresco/alfresco-transform-misc:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 1000Mi + requests: + cpu: "0.25" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: 
quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33006 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-filestore + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-filestore +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-filestore + component: transformers + release: alfresco-content-services + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config: 934e365b21db873604fd6ac49595dfd1b1f60f86622c70ed3203cc9c3b4ee0bd + labels: + app: alfresco-content-services-alfresco-filestore + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-filestore + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-filestore + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: scheduler.content.age.millis + value: "518400000" + - name: scheduler.cleanup.interval + value: "259200000" + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-filestore-configmap + image: ghcr.io/ministryofjustice/hmpps-delius-alfresco-shared-file-store:2.1.2-4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8099 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8099 + readinessProbe: + httpGet: + path: /ready + port: 8099 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + 
resources: + limits: + cpu: "2" + memory: 2000Mi + requests: + cpu: "0.25" + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp/Alfresco + name: data + subPath: alfresco-content-services/filestore-data + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 33030 + volumes: + - name: data + persistentVolumeClaim: + claimName: filestore-default-pvc +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-router + chart: alfresco-content-services-6.0.2 + component: transformrouter + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-router +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-router + component: transformrouter + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: fb79f6128a708bde1b33453f31a1256968707e33ada087e455905c133a62c1f1 + checksum/config-routes: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app: alfresco-content-services-alfresco-router + component: transformrouter + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-router + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-router + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: 
"true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-router-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: quay.io/alfresco/alfresco-transform-router:2.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /actuator/health + port: 8095 + initialDelaySeconds: 140 + periodSeconds: 120 + timeoutSeconds: 60 + name: alfresco-content-services + ports: + - containerPort: 8095 + readinessProbe: + httpGet: + path: /actuator/health + port: 8095 + initialDelaySeconds: 140 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "1" + memory: 512Mi + requests: + cpu: "0.25" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33016 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-content +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "200" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-content:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-content + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: 
+ - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-mediation +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + 
- configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-mediation:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-mediation + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-metadata +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - 
name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-metadata:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-metadata + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 
3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-path +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: acs-alfresco-cs-brokersecret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-path:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-path + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + 
memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + external-dns.alpha.kubernetes.io/aws-weight: "100" + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfrsco-poc-green + kubernetes.io/ingress.class: default + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/proxy-body-size: 5g + nginx.ingress.kubernetes.io/proxy-read-timeout: "200" + nginx.ingress.kubernetes.io/proxy-send-timeout: "200" + nginx.ingress.kubernetes.io/server-snippet: | + location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;} + location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;} + location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;} + location ~ ^/.*/s/prometheus$ {return 403;} + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: alf_affinity_route + nginx.ingress.kubernetes.io/whitelist-source-range: 
35.176.126.163,35.178.162.73,52.56.195.113,35.178.209.113,3.8.51.207,35.177.252.54,35.176.93.186/32,35.177.125.252/32,35.177.137.160/32,81.134.202.29/32,51.149.250.0/24,51.149.251.0/24,213.121.161.112/28,217.33.148.210/32,13.43.9.198/32,13.42.163.245/32,18.132.208.127/32,51.149.249.0/29,51.149.249.32/29,194.33.192.0/25,194.33.193.0/25,194.33.196.0/25,194.33.197.0/25,195.59.75.0/24,194.33.248.0/29,194.33.249.0/29,62.25.106.209/32,195.92.40.49/32,62.25.109.197/32,195.92.38.16/28,212.137.36.230/32,78.33.10.50/31,78.33.10.52/30,78.33.10.56/30,78.33.10.60/32,78.33.32.99/32,78.33.32.100/30,78.33.32.104/30,78.33.32.108/32,83.98.63.176/29,194.75.210.216/29,217.138.45.109/32,217.138.45.110/32,34.241.149.106/32,52.210.79.20/32,54.228.134.38/32 + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository +spec: + ingressClassName: default + rules: + - host: hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + http: + paths: + - backend: + service: + name: alfresco-content-services-alfresco-cs-repository + port: + number: 80 + path: / + pathType: Prefix + - backend: + service: + name: alfresco-content-services-alfresco-cs-repository + port: + number: 80 + path: /api-explorer + pathType: Prefix + tls: + - hosts: + - hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + external-dns.alpha.kubernetes.io/aws-weight: "100" + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfrsco-poc-green + kubernetes.io/ingress.class: default + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($request_uri = "/") { + return 301 /share/page/; + } + 
nginx.ingress.kubernetes.io/proxy-body-size: 5g + nginx.ingress.kubernetes.io/server-snippet: | + location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;} + location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;} + location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;} + location ~ ^/.*/s/prometheus$ {return 403;} + nginx.ingress.kubernetes.io/session-cookie-expires: "604800" + nginx.ingress.kubernetes.io/session-cookie-max-age: "604800" + nginx.ingress.kubernetes.io/session-cookie-name: alfrescoShare + nginx.ingress.kubernetes.io/session-cookie-path: /share + nginx.ingress.kubernetes.io/whitelist-source-range: 35.176.126.163,35.178.162.73,52.56.195.113,35.178.209.113,3.8.51.207,35.177.252.54,35.176.93.186/32,35.177.125.252/32,35.177.137.160/32,81.134.202.29/32,51.149.250.0/24,51.149.251.0/24,213.121.161.112/28,217.33.148.210/32,13.43.9.198/32,13.42.163.245/32,18.132.208.127/32,51.149.249.0/29,51.149.249.32/29,194.33.192.0/25,194.33.193.0/25,194.33.196.0/25,194.33.197.0/25,195.59.75.0/24,194.33.248.0/29,194.33.249.0/29,62.25.106.209/32,195.92.40.49/32,62.25.109.197/32,195.92.38.16/28,212.137.36.230/32,78.33.10.50/31,78.33.10.52/30,78.33.10.56/30,78.33.10.60/32,78.33.32.99/32,78.33.32.100/30,78.33.32.104/30,78.33.32.108/32,83.98.63.176/29,194.75.210.216/29,217.138.45.109/32,217.138.45.110/32,34.241.149.106/32,52.210.79.20/32,54.228.134.38/32 + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share +spec: + ingressClassName: default + rules: + - host: share.hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + http: + paths: + - backend: + service: + name: alfresco-content-services-alfresco-cs-share + port: + number: 80 + path: / + pathType: Prefix + - backend: + service: + name: alfresco-content-services-alfresco-cs-share + port: + number: 80 + path: /share/page/ + pathType: 
Prefix + tls: + - hosts: + - share.hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + secretName: share-ingress-cert diff --git a/kustomize/poc/patch-ingress-repository.yaml b/kustomize/poc/patch-ingress-repository.yaml index 5c5ca2a..42e71e5 100644 --- a/kustomize/poc/patch-ingress-repository.yaml +++ b/kustomize/poc/patch-ingress-repository.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfrsco-poc-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-repository-hmpps-delius-alfrsco-poc-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: /api-explorer diff --git a/kustomize/poc/patch-ingress-share.yaml b/kustomize/poc/patch-ingress-share.yaml index 653684b..234f667 100644 --- a/kustomize/poc/patch-ingress-share.yaml +++ b/kustomize/poc/patch-ingress-share.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfrsco-poc-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-share-hmpps-delius-alfrsco-poc-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: 
@@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: /share/page/ diff --git a/kustomize/poc/values.yaml b/kustomize/poc/values.yaml index 81561c7..8209f3f 100644 --- a/kustomize/poc/values.yaml +++ b/kustomize/poc/values.yaml @@ -1,22 +1,35 @@ # this file overrides values defined in ./values.yaml -repository: - replicaCount: 1 +alfresco-repository: + replicaCount: 2 image: + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository tag: release_7.3.2_elasticsearch-r5.0.2-content-latest + persistence: + # -- Persist repository data + enabled: true + baseSize: 100Gi + # -- Specify a storageClass for dynamic provisioning + accessModes: + - ReadWriteOnce share: replicaCount: 1 image: - tag: release_7.3.2_elasticsearch-r5.0.2-share-latest -filestore: - replicaCount: 1 -externalHost: hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk -externalProtocol: https -externalPort: 443 + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share + tag: release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest activemq: + nameOverride: activemq enabled: true -messageBroker: - existingSecretName: null - secretName: acs-alfresco-cs-brokersecret +alfresco-transform-service: + filestore: + enabled: true + replicaCount: 1 alfresco-search-enterprise: messageBroker: - existingSecretName: acs-alfresco-cs-brokersecret + existingSecret: + name: null + liveIndexing: +externalPort: 443 +global: + known_urls: + - https://hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk + - https://share.hmpps-delius-alfrsco-poc.apps.live.cloud-platform.service.justice.gov.uk 
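Review bot: Both image tags in `kustomize/poc/values.yaml` end in `-latest` (`...-content-latest` and `...-chart-7.0.3-share-latest`), so what gets deployed is whatever was last pushed to that ECR tag, and with `replicaCount: 2` the two repository pods can end up on different builds depending on pull policy and node cache. Pin each image to an immutable release tag or digest, e.g. `tag: <immutable-release-tag>` (placeholder), so a rollout is reproducible and a changed image shows up in review. The same mutable tags are in the image entries of the two `kustomize/preprod/values.yaml` hunks further down. Separately, `accessModes: [ReadWriteOnce]` with `replicaCount: 2` will leave the second pod unable to mount if the chart renders one shared claim and the pods are scheduled on different nodes, which is worth confirming against the chart. The comment `# -- Specify a storageClass for dynamic provisioning` sits above `accessModes` with no storage class set.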
diff --git a/kustomize/preprod/alf-prop-config-map.yaml b/kustomize/preprod/alf-prop-config-map.yaml new file mode 100644 index 0000000..4f19c13 --- /dev/null +++ b/kustomize/preprod/alf-prop-config-map.yaml 
@@ -0,0 +1,80 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alf-prop-config-map +data: + alfresco-global.properties: | + deployment.method=HELM_CHART + alfresco.cluster.enabled=true + alfresco.host=hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + alfresco.protocol=https + alfresco.port=443 + aos.baseUrlOverwrite=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos + csrf.filter.origin=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + csrf.filter.referer=https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk/.* + share.protocol=https + share.host=hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + share.port=443 + local.transform.service.enabled=true + transform.service.enabled=false + localTransform.core-aio.url= + localTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer + localTransform.imagemagick.url=http://alfresco-content-services-imagemagick + localTransform.libreoffice.url=http://alfresco-content-services-libreoffice + localTransform.tika.url=http://alfresco-content-services-tika + localTransform.misc.url=http://alfresco-content-services-transform-misc + events.subsystem.autoStart=false + + #Zaizi additions + zaizi.noms.root.folder=NOMS + zaizi.noms.crn.pattern=([A-Z])([0-9]{3})([0-9]{3}) + zaizi.noms.invalidCharacters=\\/:*\"\"<>|?!$#%^& + + spg.ndelius.users=N00 + spg.crc.users=C01,C02,C03,C04,C05,C06,C07,C08,C09,C10,C11,C12,C13,C14,C15,C16,C17,C18,C19,C20,C21,C22,C23 + + # The User to Schema Cache + cache.spgUserToSchemaVersionCache.tx.maxItems=100 + cache.spgUserToSchemaVersionCache.tx.statsEnabled=${caches.tx.statsEnabled} + cache.spgUserToSchemaVersionCache.maxItems=500 + cache.spgUserToSchemaVersionCache.timeToLiveSeconds=0 + cache.spgUserToSchemaVersionCache.maxIdleSeconds=0 + cache.spgUserToSchemaVersionCache.cluster.type=local + 
cache.spgUserToSchemaVersionCache.backup-count=1 + cache.spgUserToSchemaVersionCache.eviction-policy=LRU + cache.spgUserToSchemaVersionCache.eviction-percentage=25 + cache.spgUserToSchemaVersionCache.merge-policy=hz.ADD_NEW_ENTRY + cache.spgUserToSchemaVersionCache.readBackupData=false + cache.spgUserToSchemaVersionCache.cluster.type=invalidating + + # Notify when a messaging to be sent to MPX taking morethan specified time. Value is in milliseconds. + message.mpx.log.messageSendingTakenMorethan=1000 + + zaizi.noms.mpx.schema.version=0-9-9 + zaizi.noms.mpx.schema.date=2016-09-05 + messaging.events.nspg.schema=classpath:SPG-XML_Message_Root-V0-9-9.xsd + + zaizi.noms.mpx.schema2.version=0-9-10 + zaizi.noms.mpx.schema2.date=2017-03-30 + messaging.events.nspg2.schema=classpath:SPG-XML_Message_Root-V0-9-10-2.xsd + + zaizi.noms.mpx.schema.911.version=0-9-11 + zaizi.noms.mpx.schema.911.date=2017-09-04 + messaging.events.nspg.911.schema=classpath:SPG-XML_Message_Root-V0-9-11.xsd + + zaizi.noms.mpx.schema.912.version=0-9-12 + zaizi.noms.mpx.schema.912.date=2017-12-05 + messaging.events.nspg.912.schema=classpath:SPG-XML_Message_Root-V0-9-12.xsd + + zaizi.noms.mpx.schema.913.version=0-9-13 + zaizi.noms.mpx.schema.913.date=2018-02-08 + messaging.events.nspg.913.schema=classpath:SPG-XML_Message_Root-V0-9-13.xsd + + zaizi.noms.mpx.schema.914.version=0-9-14 + zaizi.noms.mpx.schema.914.date=2019-10-21 + messaging.events.nspg.914.schema=classpath:SPG-XML_Message_Root-V0-9-14.xsd + + # NSPG Administration Groups Patch + patch.nspg.administration.deferred=false + patch.nspg.administration.roles.cronExpression=0 0 0 ? 1 1 2030 + patch.nspg.administration.roles.startDelay=0 diff --git a/kustomize/preprod/kustomization.yaml b/kustomize/preprod/kustomization.yaml index 757ef78..2630a5e 100644 --- a/kustomize/preprod/kustomization.yaml +++ b/kustomize/preprod/kustomization.yaml 
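Review bot: `cache.spgUserToSchemaVersionCache.cluster.type` is set twice in the new `alfresco-global.properties` block, first to `local` and six lines later to `invalidating`. A properties load keeps the last value, so the `local` line is dead and the effective setting is easy to misread. Keep a single entry; if `invalidating` is what is intended alongside `alfresco.cluster.enabled=true`, delete `cache.spgUserToSchemaVersionCache.cluster.type=local`. The same duplicate is in `kustomize/stage/alf-prop-config-map.yaml`. As far as this diff shows the two files differ only in hostname, so a shared base block with a per-environment host patch would stop them drifting.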
@@ -3,8 +3,10 @@ kind: Kustomization resources: - ../base + - alf-prop-config-map.yaml patches: - path: patch-ingress-repository.yaml - path: patch-ingress-share.yaml - - path: patch-filestore-pvc.yaml + - path: patch-infra-config-map.yaml + diff --git a/kustomize/preprod/patch-filestore-pvc.yaml b/kustomize/preprod/patch-filestore-pvc.yaml deleted file mode 100644 index 58bcc70..0000000 --- a/kustomize/preprod/patch-filestore-pvc.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: filestore-default-pvc -spec: - resources: - requests: - storage: 4000Gi diff --git a/kustomize/preprod/patch-infra-config-map.yaml b/kustomize/preprod/patch-infra-config-map.yaml new file mode 100644 index 0000000..1deb375 --- /dev/null +++ b/kustomize/preprod/patch-infra-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alfresco-infrastructure +data: + SFS_URL: https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/ + SFS_URL_API: https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ diff --git a/kustomize/preprod/patch-ingress-repository.yaml b/kustomize/preprod/patch-ingress-repository.yaml index 5d4911e..34b3ff0 100644 --- a/kustomize/preprod/patch-ingress-repository.yaml +++ b/kustomize/preprod/patch-ingress-repository.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfresco-preprod-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-repository-hmpps-delius-alfresco-preprod-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: 
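Review bot: In `kustomize/preprod/patch-infra-config-map.yaml`, `SFS_URL` and `SFS_URL_API` now send consumers of the `alfresco-infrastructure` ConfigMap to the `/alfresco/api/-default-/private/sfs/versions/1/file/` path on an external-looking `alf-sfs` hostname instead of the in-cluster filestore service. That path is under `private`, and to my knowledge the shared file store does not authenticate callers, so please confirm the endpoint only accepts traffic from this cluster (source allow-list or private networking). The patch should say where that restriction is enforced, e.g. `# alf-sfs only accepts traffic from <cluster egress range>; enforced in <infra repo path>` (placeholders). The host is also added to `global.known_urls` in `kustomize/preprod/values.yaml`, so the two should be changed together.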
@@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: /api-explorer diff --git a/kustomize/preprod/patch-ingress-share.yaml b/kustomize/preprod/patch-ingress-share.yaml index 4eb86e9..2f22313 100644 --- a/kustomize/preprod/patch-ingress-share.yaml +++ b/kustomize/preprod/patch-ingress-share.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfresco-preprod-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-share-hmpps-delius-alfresco-preprod-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: /share/page/ diff --git a/kustomize/preprod/values.yaml b/kustomize/preprod/values.yaml index 2335747..34ade46 100644 --- a/kustomize/preprod/values.yaml +++ b/kustomize/preprod/values.yaml @@ -1,6 +1,6 @@ # this file overrides values defined in ./values.yaml -repository: - # -- The startup probe to cover the worse case startup time for slow clusters +alfresco-repository: + # -- The startup probe to cover the worse case startup time for slow clusters # startupProbe: # periodSeconds: 30 # failureThreshold: 40 
@@ -16,6 +16,7 @@ repository: # failureThreshold: 40 replicaCount: 10 image: + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository tag: release_7.3.2_elasticsearch-r5.0.2-content-latest resources: # requests and limits set closer together to ensure CP stability requests: @@ -24,35 +25,43 @@ repository: limits: cpu: 4 memory: 10Gi - persistence: - baseSize: 100Gi share: replicaCount: 1 image: - tag: release_7.3.2_elasticsearch-r5.0.2-share-latest -externalHost: hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share + tag: release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest externalProtocol: https externalPort: 443 -tika: - replicaCount: 8 - resources: - limits: - cpu: 2 - memory: 4Gi -transformrouter: - replicaCount: 12 - resources: - requests: - cpu: "0.75" - memory: "300Mi" - limits: - cpu: "2" - memory: "756Mi" alfresco-search-enterprise: liveIndexing: + # set in value-versions yaml content: - replicaCount: 8 - mediation: replicaCount: 4 metadata: - replicaCount: 4 + replicaCount: 2 + mediation: + replicaCount: 2 +alfresco-transform-service: + tika: + replicaCount: 8 + resources: + requests: + cpu: "0.5" + memory: "2048Mi" + limits: + cpu: "2" + memory: 6Gi + transformrouter: + replicaCount: 8 + resources: + requests: + cpu: "0.75" + memory: "512Mi" + limits: + cpu: "2" + memory: 2Gi +global: + known_urls: + - https://hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + - https://share.hmpps-delius-alfresco-preprod.apps.live.cloud-platform.service.justice.gov.uk + - https://alf-sfs.preprod.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk diff --git a/kustomize/stage/alf-prop-config-map.yaml b/kustomize/stage/alf-prop-config-map.yaml new file mode 100644 index 0000000..d622319 --- /dev/null +++ b/kustomize/stage/alf-prop-config-map.yaml 
@@ -0,0 +1,80 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alf-prop-config-map +data: + alfresco-global.properties: | + deployment.method=HELM_CHART + alfresco.cluster.enabled=true + alfresco.host=hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + alfresco.protocol=https + alfresco.port=443 + aos.baseUrlOverwrite=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos + csrf.filter.origin=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + csrf.filter.referer=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/.* + share.protocol=https + share.host=hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + share.port=443 + local.transform.service.enabled=true + transform.service.enabled=false + localTransform.core-aio.url= + localTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer + localTransform.imagemagick.url=http://alfresco-content-services-imagemagick + localTransform.libreoffice.url=http://alfresco-content-services-libreoffice + localTransform.tika.url=http://alfresco-content-services-tika + localTransform.misc.url=http://alfresco-content-services-transform-misc + events.subsystem.autoStart=false + + #Zaizi additions + zaizi.noms.root.folder=NOMS + zaizi.noms.crn.pattern=([A-Z])([0-9]{3})([0-9]{3}) + zaizi.noms.invalidCharacters=\\/:*\"\"<>|?!$#%^& + + spg.ndelius.users=N00 + spg.crc.users=C01,C02,C03,C04,C05,C06,C07,C08,C09,C10,C11,C12,C13,C14,C15,C16,C17,C18,C19,C20,C21,C22,C23 + + # The User to Schema Cache + cache.spgUserToSchemaVersionCache.tx.maxItems=100 + cache.spgUserToSchemaVersionCache.tx.statsEnabled=${caches.tx.statsEnabled} + cache.spgUserToSchemaVersionCache.maxItems=500 + cache.spgUserToSchemaVersionCache.timeToLiveSeconds=0 + cache.spgUserToSchemaVersionCache.maxIdleSeconds=0 + cache.spgUserToSchemaVersionCache.cluster.type=local + 
cache.spgUserToSchemaVersionCache.backup-count=1 + cache.spgUserToSchemaVersionCache.eviction-policy=LRU + cache.spgUserToSchemaVersionCache.eviction-percentage=25 + cache.spgUserToSchemaVersionCache.merge-policy=hz.ADD_NEW_ENTRY + cache.spgUserToSchemaVersionCache.readBackupData=false + cache.spgUserToSchemaVersionCache.cluster.type=invalidating + + # Notify when a messaging to be sent to MPX taking morethan specified time. Value is in milliseconds. + message.mpx.log.messageSendingTakenMorethan=1000 + + zaizi.noms.mpx.schema.version=0-9-9 + zaizi.noms.mpx.schema.date=2016-09-05 + messaging.events.nspg.schema=classpath:SPG-XML_Message_Root-V0-9-9.xsd + + zaizi.noms.mpx.schema2.version=0-9-10 + zaizi.noms.mpx.schema2.date=2017-03-30 + messaging.events.nspg2.schema=classpath:SPG-XML_Message_Root-V0-9-10-2.xsd + + zaizi.noms.mpx.schema.911.version=0-9-11 + zaizi.noms.mpx.schema.911.date=2017-09-04 + messaging.events.nspg.911.schema=classpath:SPG-XML_Message_Root-V0-9-11.xsd + + zaizi.noms.mpx.schema.912.version=0-9-12 + zaizi.noms.mpx.schema.912.date=2017-12-05 + messaging.events.nspg.912.schema=classpath:SPG-XML_Message_Root-V0-9-12.xsd + + zaizi.noms.mpx.schema.913.version=0-9-13 + zaizi.noms.mpx.schema.913.date=2018-02-08 + messaging.events.nspg.913.schema=classpath:SPG-XML_Message_Root-V0-9-13.xsd + + zaizi.noms.mpx.schema.914.version=0-9-14 + zaizi.noms.mpx.schema.914.date=2019-10-21 + messaging.events.nspg.914.schema=classpath:SPG-XML_Message_Root-V0-9-14.xsd + + # NSPG Administration Groups Patch + patch.nspg.administration.deferred=false + patch.nspg.administration.roles.cronExpression=0 0 0 ? 1 1 2030 + patch.nspg.administration.roles.startDelay=0 diff --git a/kustomize/stage/kustomization.yaml b/kustomize/stage/kustomization.yaml index 757ef78..4ed2cda 100644 --- a/kustomize/stage/kustomization.yaml +++ b/kustomize/stage/kustomization.yaml 
@@ -3,8 +3,9 @@ kind: Kustomization resources: - ../base + - alf-prop-config-map.yaml patches: - path: patch-ingress-repository.yaml - path: patch-ingress-share.yaml - - path: patch-filestore-pvc.yaml + - path: patch-infra-config-map.yaml diff --git a/kustomize/stage/output.yaml b/kustomize/stage/output.yaml new file mode 100644 index 0000000..8efe1b0 --- /dev/null +++ b/kustomize/stage/output.yaml 
@@ -0,0 +1,1920 @@ +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "150" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "900" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-imagemagick-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "250" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "99999" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-libreoffice-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "150" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1200" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-pdfrenderer-configmap +--- +apiVersion: v1 +data: + ALFRESCO_OPTS: -Ddeployment.method=HELM_CHART -Dalfresco.cluster.enabled=true 
-Ddir.license.external=/usr/local/tomcat/shared/classes/alfresco/extension/license/ + -Dalfresco.host=hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + -Dalfresco.protocol=https -Dalfresco.port=443 -Daos.baseUrlOverwrite=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos + -Dcsrf.filter.origin=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + -Dcsrf.filter.referer=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/.* + -Dshare.protocol=https -Dshare.host=hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + -Dshare.port=443 -Delasticsearch.host=opensearch-proxy-service-cloud-platform-e1d78cac.hmpps-delius-alfresco-stage.svc.cluster.local + -Delasticsearch.port=8080 -Delasticsearch.user= -Delasticsearch.password= -Delasticsearch.createIndexIfNotExists=true + -Delasticsearch.indexName=alfresco -Dindex.subsystem.name=elasticsearch -Dtransform.service.url=http://alfresco-content-services-alfresco-router + -Dsfs.url=http://alfresco-content-services-alfresco-filestore:80 -DlocalTransform.core-aio.url= + -DlocalTransform.pdfrenderer.url=http://alfresco-content-services-alfresco-cs-pdfrenderer + -DlocalTransform.imagemagick.url=http://alfresco-content-services-alfresco-cs-imagemagick + -DlocalTransform.libreoffice.url=http://alfresco-content-services-alfresco-cs-libreoffice + -DlocalTransform.tika.url=http://alfresco-content-services-alfresco-cs-tika -DlocalTransform.misc.url=http://alfresco-content-services-alfresco-cs-transform-misc + -Dalfresco-pdf-renderer.url=http://alfresco-content-services-alfresco-cs-pdfrenderer + -Dimg.url=http://alfresco-content-services-alfresco-cs-imagemagick -Djodconverter.url=http://alfresco-content-services-alfresco-cs-libreoffice + -Dtika.url=http://alfresco-content-services-alfresco-cs-tika -Dtransform.misc.url=http://alfresco-content-services-alfresco-cs-transform-misc + 
-Ds3.bucketLocation=eu-west-2 -Ds3.bucketName=cloud-platform-ec9b74a5eca301ab5dc8b8461b99d5c2 + -Devents.subsystem.autoStart=false + CATALINA_OPTS: $ALFRESCO_OPTS -Ddb.driver=org.postgresql.Driver -Ddb.url=jdbc:postgresql://cloud-platform-43f547bdfa94ce12.cdwm328dlye6.eu-west-2.rds.amazonaws.com:5432/alfresco + -Ddb.username=$DATABASE_USERNAME -Ddb.password=$DATABASE_PASSWORD -Ds3.accessKey=$ACCESSKEY + -Ds3.secretKey=$SECRETKEY -Dmetadata-keystore.password=$METADATA_KEYSTORE_PASSWORD + -Dmetadata-keystore.metadata.password=$METADATA_KEY_PASSWORD -Dmessaging.broker.url=$BROKER_URL + -Dmessaging.broker.username=$BROKER_USERNAME -Dmessaging.broker.password=$BROKER_PASSWORD + -Dencryption.ssl.truststore.location=$JAVA_HOME/lib/security/cacerts -Dalfresco_user_store.adminpassword=$REPO_ADMIN_PASSWORD + JAVA_OPTS: -Dindex.subsystem.name=elasticsearch -Delasticsearch.indexName=alfresco + -Delasticsearch.createIndexIfNotExists=true -Dtransform.service.enabled=true -XX:MinRAMPercentage=50 + -XX:MaxRAMPercentage=80 -Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding + -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore + -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.algorithm=DESede + -Dsystem.workflow.engine.activiti.enabled=false -Dsystem.prop_table_cleaner.algorithm=V2 + -Dsystem.delete_not_exists.read_only=false -Dsystem.delete_not_exists.timeout_seconds=3600 + -Dfilecontentstore.subsystem.name=S3 -Ds3.flatRoot=false + RELEASE_NAME: alfresco-content-services +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository-configmap +--- +apiVersion: v1 +data: + CATALINA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + 
CSRF_FILTER_ORIGIN: https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + CSRF_FILTER_REFERER: https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/.* + JAVA_OPTS: -Dalfresco.proxy=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + REPO_HOST: alfresco-content-services-alfresco-cs-repository + REPO_PORT: "80" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -Xms1024M -Xmx1638M + livenessPercent: "400" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-tika + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-tika-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "400" + livenessTransformPeriodSeconds: "600" + maxTransformSeconds: "1800" + maxTransforms: "10000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-transform-misc-configmap +--- +apiVersion: v1 +data: + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + livenessPercent: "150" + 
livenessSavePeriodSeconds: "600" + scheduler.cleanup.interval: "86400000" + scheduler.content.age.millis: "86400000" +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-filestore + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-filestore-configmap +--- +apiVersion: v1 +data: + FILE_STORE_URL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file + IMAGEMAGICK_URL: http://alfresco-content-services-alfresco-cs-imagemagick:80 + JAVA_OPTS: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 + LIBREOFFICE_URL: http://alfresco-content-services-alfresco-cs-libreoffice:80 + MISC_URL: http://alfresco-content-services-alfresco-cs-transform-misc:80 + PDF_RENDERER_URL: http://alfresco-content-services-alfresco-cs-pdfrenderer:80 + TIKA_URL: http://alfresco-content-services-alfresco-cs-tika:80 +kind: ConfigMap +metadata: + labels: + app: alfresco-content-services-alfresco-router + chart: alfresco-content-services-6.0.2 + component: transformrouter + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-router-configmap +--- +apiVersion: v1 +data: + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_BASEURL: http://alfresco-content-services-alfresco-router/transform/config + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_ENABLED: "true" + ALFRESCO_ACCEPTEDCONTENTMEDIATYPESCACHE_REFRESHTIME: 0 0 * * * * + ALFRESCO_PATHINDEXINGCOMPONENT_ENABLED: "true" + ALFRESCO_SHAREDFILESTORE_BASEURL: http://alfresco-content-services-alfresco-filestore:80/alfresco/api/-default-/private/sfs/versions/1/file/ + ELASTICSEARCH_INDEXNAME: alfresco + SPRING_ELASTICSEARCH_REST_URIS: http://opensearch-proxy-service-cloud-platform-e1d78cac.hmpps-delius-alfresco-stage.svc.cluster.local:8080 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-configmap +--- +apiVersion: v1 +data: + METADATA_KEY_PASSWORD: b0tJV3pWZEVkQQ== + METADATA_KEYSTORE_PASSWORD: bXA2eWMwVUQ5ZQ== +kind: Secret +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-metadata-keystore-secret +type: Opaque +--- +apiVersion: v1 +data: + REPO_ADMIN_PASSWORD: MjA5YzYxNzRkYTQ5MGNhZWI0MjJmM2ZhNWE3YWU2MzQ= +kind: Secret +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository-secret +type: Opaque +--- +apiVersion: v1 +data: + ELASTICSEARCH_PASSWORD: "" + ELASTICSEARCH_USERNAME: "" +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-imagemagick +spec: + ports: + - name: imagemagick + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-imagemagick + component: transformers + release: alfresco-content-services + type: ClusterIP 
+--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-libreoffice +spec: + ports: + - name: libreoffice + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-libreoffice + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-pdfrenderer +spec: + ports: + - name: pdfrenderer + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-pdfrenderer + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository +spec: + ports: + - name: alfresco + port: 80 + targetPort: 8080 + selector: + app: alfresco-content-services-alfresco-cs-repository + component: repository + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share +spec: + ports: + - name: share + port: 80 + targetPort: 8080 + selector: + app: alfresco-content-services-alfresco-cs-share + component: share + release: alfresco-content-services + type: ClusterIP 
+--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-tika + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-tika +spec: + ports: + - name: tika + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-tika + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-transform-misc +spec: + ports: + - name: transformmisc + port: 80 + targetPort: 8090 + selector: + app: alfresco-content-services-alfresco-cs-transform-misc + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-filestore + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-filestore +spec: + ports: + - name: filestore + port: 80 + targetPort: 8099 + selector: + app: alfresco-content-services-alfresco-filestore + component: transformers + release: alfresco-content-services + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: alfresco-content-services-alfresco-router + chart: alfresco-content-services-6.0.2 + component: transformrouter + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-router +spec: + ports: + - name: transform-router + port: 80 + protocol: TCP + targetPort: 8095 + selector: + app: alfresco-content-services-alfresco-router + component: transformrouter + release: alfresco-content-services + 
type: ClusterIP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: filestore-default-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 4000Gi + volumeMode: Filesystem +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-imagemagick +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-imagemagick + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 77504232107df28e3fae1cd91fdc37518dfa5229d21f73e2058e526d7ad89c6b + labels: + app: alfresco-content-services-alfresco-cs-imagemagick + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-imagemagick + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-imagemagick + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-imagemagick-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-imagemagick:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 
8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 1000Mi + requests: + cpu: "0.5" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33002 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-libreoffice +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-libreoffice + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: c29b71fae340444799e63ddc2280c00de4c990a3dad047c0ebe70685ef7ab89c + labels: + app: alfresco-content-services-alfresco-cs-libreoffice + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-libreoffice + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-libreoffice + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - 
name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-libreoffice-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-libreoffice:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "4" + memory: 1000Mi + requests: + cpu: "0.5" + memory: 400Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33003 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-pdfrenderer +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: e61eca295784c0d562e9f9e3fa9e70f707291420af8c0ac90b668d14b76b628f + labels: + app: alfresco-content-services-alfresco-cs-pdfrenderer + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + 
values: + - alfresco-content-services-alfresco-cs-pdfrenderer + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-pdfrenderer + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-pdfrenderer-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-pdf-renderer:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 1000Mi + requests: + cpu: "0.25" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33001 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository +spec: + replicas: 10 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-repository + component: repository + release: alfresco-content-services + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config: 
280f0005a6663065acc24fb8c05a72733405572f05069cda8a6e2f19abb978d3 + checksum/secretDatabase: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secretS3: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app: alfresco-content-services-alfresco-cs-repository + component: repository + release: alfresco-content-services + spec: + containers: + - envFrom: + - secretRef: + name: rds-instance-output + - secretRef: + name: s3-bucket-output + - secretRef: + name: alfresco-content-services-alfresco-cs-metadata-keystore-secret + - secretRef: + name: amazon-mq-broker-secret + - secretRef: + name: alfresco-content-services-alfresco-cs-repository-secret + - configMapRef: + name: alfresco-content-services-alfresco-cs-repository-configmap + image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository:release_7.3.2_elasticsearch-r5.0.2-content-latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - sleep 20 + livenessProbe: + failureThreshold: 1 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-live- + port: 8080 + initialDelaySeconds: 130 + periodSeconds: 20 + timeoutSeconds: 15 + name: alfresco-content-services + ports: + - containerPort: 8080 + - containerPort: 5701 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-ready- + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 10 + resources: + limits: + cpu: 4 + memory: 10Gi + requests: + cpu: 1 + memory: 6Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 10 + httpGet: + path: /alfresco/api/-default-/public/alfresco/versions/1/probes/-ready- + port: 8080 + periodSeconds: 30 + volumeMounts: + - mountPath: /usr/local/tomcat/alf_data + name: data 
+ subPath: alfresco-content-services/repository-data + - mountPath: /usr/local/tomcat/shared/classes/alfresco/extension/license/ + name: acs-license + imagePullSecrets: + - name: quay-registry-secret + initContainers: null + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 33000 + volumes: + - emptyDir: + sizeLimit: 100Gi + name: data + - name: acs-license + secret: + defaultMode: 256 + secretName: alfresco-license + - configMap: + name: custom-pipeline-config + optional: true + name: custom-pipeline-config-volume + - configMap: + name: custom-rendition-config + optional: true + name: custom-rendition-config-volume + - configMap: + name: custom-mimetype-config + optional: true + name: custom-mimetype-config-volume + - configMap: + name: custom-queryset-config + optional: true + name: custom-queryset-config-volume +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + checkov.io/skip1: CKV_K8S_23=Requires APPS-1832 first + checkov.io/skip2: CKV_K8S_40=Requires APPS-1832 first + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-share + component: share + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 0209ab90e57cd3c2bff5d6dcc5c5268829ebebf38b0bbcea6bdc940002e4f00d + labels: + app: alfresco-content-services-alfresco-cs-share + component: share + release: alfresco-content-services + spec: + containers: + - envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-share-configmap + image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share:release_7.3.2_elasticsearch-r5.0.2-share-latest 
+ imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - sleep 20 + livenessProbe: + failureThreshold: 1 + httpGet: + path: /share + port: 8080 + initialDelaySeconds: 200 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8080 + readinessProbe: + httpGet: + path: /share + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 15 + resources: + limits: + cpu: "4" + memory: 2000Mi + requests: + cpu: "1" + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 65534 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-tika + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-tika +spec: + replicas: 8 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-tika + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 4ce771746eed38f9cac09952793879c40330a2f75a60d4008c84810fe870eb58 + labels: + app: alfresco-content-services-alfresco-cs-tika + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-tika + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - 
alfresco-content-services-alfresco-cs-tika + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-tika-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-tika:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 60 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 60 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: "0.25" + memory: 600Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33004 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-transform-misc +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-cs-transform-misc + component: transformers + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: c44dc1b790fba68833f95ffeecc6878f057f3dd629b3a44a44b2a8ad1a517119 + labels: + app: alfresco-content-services-alfresco-cs-transform-misc + component: transformers + release: alfresco-content-services + spec: + affinity: + 
podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-transform-misc + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-cs-transform-misc + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-cs-transform-misc-configmap + - secretRef: + name: amazon-mq-broker-secret + image: alfresco/alfresco-transform-misc:3.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8090 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8090 + readinessProbe: + httpGet: + path: /ready + port: 8090 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 1000Mi + requests: + cpu: "0.25" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33006 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-filestore + chart: alfresco-content-services-6.0.2 + component: transformers + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-filestore +spec: + replicas: 1 + selector: + matchLabels: + app: alfresco-content-services-alfresco-filestore + component: transformers + 
release: alfresco-content-services + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config: 934e365b21db873604fd6ac49595dfd1b1f60f86622c70ed3203cc9c3b4ee0bd + labels: + app: alfresco-content-services-alfresco-filestore + component: transformers + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-filestore + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-filestore + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: scheduler.content.age.millis + value: "518400000" + - name: scheduler.cleanup.interval + value: "259200000" + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-filestore-configmap + image: ghcr.io/ministryofjustice/hmpps-delius-alfresco-shared-file-store:2.1.2-4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /live + port: 8099 + initialDelaySeconds: 10 + periodSeconds: 20 + timeoutSeconds: 10 + name: alfresco-content-services + ports: + - containerPort: 8099 + readinessProbe: + httpGet: + path: /ready + port: 8099 + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 2000Mi + requests: + cpu: "0.25" + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp/Alfresco + name: data + subPath: alfresco-content-services/filestore-data + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 33030 + volumes: + - name: data + 
persistentVolumeClaim: + claimName: filestore-default-pvc +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: alfresco-content-services-alfresco-router + chart: alfresco-content-services-6.0.2 + component: transformrouter + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-router +spec: + replicas: 12 + selector: + matchLabels: + app: alfresco-content-services-alfresco-router + component: transformrouter + release: alfresco-content-services + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: fb79f6128a708bde1b33453f31a1256968707e33ada087e455905c133a62c1f1 + checksum/config-routes: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + labels: + app: alfresco-content-services-alfresco-router + component: transformrouter + release: alfresco-content-services + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-router + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 10 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alfresco-content-services-alfresco-router + topologyKey: kubernetes.io/hostname + weight: 5 + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: ACTIVEMQ_URL + value: $(BROKER_URL) + - name: ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-router-configmap + - secretRef: + name: amazon-mq-broker-secret + image: 
quay.io/alfresco/alfresco-transform-router:2.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /actuator/health + port: 8095 + initialDelaySeconds: 140 + periodSeconds: 120 + timeoutSeconds: 60 + name: alfresco-content-services + ports: + - containerPort: 8095 + readinessProbe: + httpGet: + path: /actuator/health + port: 8095 + initialDelaySeconds: 140 + periodSeconds: 60 + timeoutSeconds: 10 + resources: + limits: + cpu: "2" + memory: 756Mi + requests: + cpu: "0.75" + memory: 300Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + imagePullSecrets: + - name: quay-registry-secret + securityContext: + runAsNonRoot: true + runAsUser: 33016 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-content +spec: + replicas: 8 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "200" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: 
SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: amazon-mq-broker-secret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-content:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-content + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-mediation +spec: + 
replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: amazon-mq-broker-secret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-mediation:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-mediation + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: 
/actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-metadata +spec: + replicas: 4 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: SPRING_ACTIVEMQ_POOL_ENABLED + value: "true" + - name: SPRING_ACTIVEMQ_POOL_MAXCONNECTIONS + value: "100" + - name: SPRING_ACTIVEMQ_POOL_IDLE_TIMEOUT + value: "30000" + - name: SPRING_ACTIVEMQ_POOL_EXPIRY_TIMEOUT + value: "60000" + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + 
key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: amazon-mq-broker-secret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-metadata:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-metadata + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: alfresco-search-enterprise + app.kubernetes.io/version: 3.3.0 + helm.sh/chart: alfresco-search-enterprise-1.2.0 + name: alfresco-content-services-alfresco-search-enterprise-path +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + template: + metadata: + annotations: + checksum/secret-broker: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret-database: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + 
checksum/secret-elasticsearch: 33982b5f025a1ffd247c4b02293a24e8211a8efdf19d96514ead79c07c330c8d + labels: + app.kubernetes.io/instance: alfresco-content-services + app.kubernetes.io/name: alfresco-search-enterprise + spec: + containers: + - env: + - name: JAVA_OPTS + value: -Dspring.activemq.packages.trustAll=true + - name: SPRING_ACTIVEMQ_BROKERURL + value: $(BROKER_URL) + - name: SPRING_ACTIVEMQ_USER + value: $(BROKER_USERNAME) + - name: SPRING_ACTIVEMQ_PASSWORD + value: $(BROKER_PASSWORD) + - name: SPRING_ELASTICSEARCH_REST_USERNAME + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_USERNAME + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + - name: SPRING_ELASTICSEARCH_REST_PASSWORD + valueFrom: + secretKeyRef: + key: ELASTICSEARCH_PASSWORD + name: alfresco-content-services-alfresco-search-enterprise-elasticsearch-secret + envFrom: + - configMapRef: + name: alfresco-content-services-alfresco-search-enterprise-configmap + - secretRef: + name: amazon-mq-broker-secret + image: quay.io/alfresco/alfresco-elasticsearch-live-indexing-path:3.2.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 300 + timeoutSeconds: 60 + name: alfresco-search-enterprise-path + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health + port: http + initialDelaySeconds: 60 + timeoutSeconds: 60 + resources: + limits: + cpu: "2" + memory: 2048Mi + requests: + cpu: "0.5" + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + - ALL + runAsNonRoot: true + imagePullSecrets: + - name: quay-registry-secret + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + runAsUser: 33099 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + external-dns.alpha.kubernetes.io/aws-weight: "100" + external-dns.alpha.kubernetes.io/set-identifier: 
alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfresco-stage-green + kubernetes.io/ingress.class: default + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/proxy-body-size: 5g + nginx.ingress.kubernetes.io/proxy-read-timeout: "200" + nginx.ingress.kubernetes.io/proxy-send-timeout: "200" + nginx.ingress.kubernetes.io/server-snippet: | + location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;} + location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;} + location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;} + location ~ ^/.*/s/prometheus$ {return 403;} + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: alf_affinity_route + nginx.ingress.kubernetes.io/whitelist-source-range: 3.10.104.193,3.11.26.150,18.130.189.137,35.178.209.113,3.8.51.207,35.177.252.54,35.176.93.186/32,35.177.125.252/32,35.177.137.160/32,81.134.202.29/32,51.149.250.0/24,51.149.251.0/24,213.121.161.112/28,217.33.148.210/32,13.43.9.198/32,13.42.163.245/32,18.132.208.127/32,51.149.249.0/29,51.149.249.32/29,194.33.192.0/25,194.33.193.0/25,194.33.196.0/25,194.33.197.0/25,195.59.75.0/24,194.33.248.0/29,194.33.249.0/29,62.25.106.209/32,195.92.40.49/32,62.25.109.197/32,195.92.38.16/28,212.137.36.230/32,78.33.10.50/31,78.33.10.52/30,78.33.10.56/30,78.33.10.60/32,78.33.32.99/32,78.33.32.100/30,78.33.32.104/30,78.33.32.108/32,83.98.63.176/29,194.75.210.216/29,217.138.45.109/32,217.138.45.110/32 + labels: + app: alfresco-content-services-alfresco-cs-repository + chart: alfresco-content-services-6.0.2 + component: repository + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-repository +spec: + ingressClassName: default + rules: + - host: hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + http: + paths: + - backend: + service: + name: alfresco-content-services-alfresco-cs-repository + port: + number: 80 + path: / + pathType: Prefix + - 
backend: + service: + name: alfresco-content-services-alfresco-cs-repository + port: + number: 80 + path: /api-explorer + pathType: Prefix + tls: + - hosts: + - hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + external-dns.alpha.kubernetes.io/aws-weight: "100" + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfresco-stage-green + kubernetes.io/ingress.class: default + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($request_uri = "/") { + return 301 /share/page/; + } + nginx.ingress.kubernetes.io/proxy-body-size: 5g + nginx.ingress.kubernetes.io/server-snippet: | + location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;} + location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;} + location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;} + location ~ ^/.*/s/prometheus$ {return 403;} + nginx.ingress.kubernetes.io/session-cookie-expires: "604800" + nginx.ingress.kubernetes.io/session-cookie-max-age: "604800" + nginx.ingress.kubernetes.io/session-cookie-name: alfrescoShare + nginx.ingress.kubernetes.io/session-cookie-path: /share + nginx.ingress.kubernetes.io/whitelist-source-range: 
3.10.104.193,3.11.26.150,18.130.189.137,35.178.209.113,3.8.51.207,35.177.252.54,35.176.93.186/32,35.177.125.252/32,35.177.137.160/32,81.134.202.29/32,51.149.250.0/24,51.149.251.0/24,213.121.161.112/28,217.33.148.210/32,13.43.9.198/32,13.42.163.245/32,18.132.208.127/32,51.149.249.0/29,51.149.249.32/29,194.33.192.0/25,194.33.193.0/25,194.33.196.0/25,194.33.197.0/25,195.59.75.0/24,194.33.248.0/29,194.33.249.0/29,62.25.106.209/32,195.92.40.49/32,62.25.109.197/32,195.92.38.16/28,212.137.36.230/32,78.33.10.50/31,78.33.10.52/30,78.33.10.56/30,78.33.10.60/32,78.33.32.99/32,78.33.32.100/30,78.33.32.104/30,78.33.32.108/32,83.98.63.176/29,194.75.210.216/29,217.138.45.109/32,217.138.45.110/32 + labels: + app: alfresco-content-services-alfresco-cs-share + chart: alfresco-content-services-6.0.2 + component: share + heritage: Helm + release: alfresco-content-services + name: alfresco-content-services-alfresco-cs-share +spec: + ingressClassName: default + rules: + - host: share.hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + http: + paths: + - backend: + service: + name: alfresco-content-services-alfresco-cs-share + port: + number: 80 + path: / + pathType: Prefix + - backend: + service: + name: alfresco-content-services-alfresco-cs-share + port: + number: 80 + path: /share/page/ + pathType: Prefix + tls: + - hosts: + - share.hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + secretName: share-ingress-cert diff --git a/kustomize/stage/patch-infra-config-map.yaml b/kustomize/stage/patch-infra-config-map.yaml new file mode 100644 index 0000000..2be0442 --- /dev/null +++ b/kustomize/stage/patch-infra-config-map.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alfresco-infrastructure +data: + SFS_URL: https://alf-sfs.stage.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/ + SFS_URL_API: https://alf-sfs.stage.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ diff --git a/kustomize/stage/patch-ingress-repository.yaml b/kustomize/stage/patch-ingress-repository.yaml index 72bf8fd..bae48d0 100644 --- a/kustomize/stage/patch-ingress-repository.yaml +++ b/kustomize/stage/patch-ingress-repository.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfresco-stage-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-repository-hmpps-delius-alfresco-stage-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: /api-explorer diff --git a/kustomize/stage/patch-ingress-share.yaml b/kustomize/stage/patch-ingress-share.yaml index 052ebae..7a555e3 100644 --- a/kustomize/stage/patch-ingress-share.yaml +++ b/kustomize/stage/patch-ingress-share.yaml 
@@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfresco-stage-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-share-hmpps-delius-alfresco-stage-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-service-share port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: /share/page/ diff --git a/kustomize/stage/values.yaml b/kustomize/stage/values.yaml index cb84319..9938eef 100644 --- a/kustomize/stage/values.yaml +++ b/kustomize/stage/values.yaml @@ -1,21 +1,7 @@ -# this file overrides values defined in ./values.yaml -repository: - # -- The startup probe to cover the worse case startup time for slow clusters - # startupProbe: - # periodSeconds: 30 - # failureThreshold: 40 - # readinessProbe: - # initialDelaySeconds: 60 - # periodSeconds: 30 - # timeoutSeconds: 15 - # failureThreshold: 40 # Increased from 6 to 12 - # livenessProbe: - # initialDelaySeconds: 260 # Increased from 130 to 260 - # periodSeconds: 20 - # timeoutSeconds: 15 - # failureThreshold: 40 +alfresco-repository: replicaCount: 10 image: + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository tag: release_7.3.2_elasticsearch-r5.0.2-content-latest resources: # requests and limits set closer together to ensure CP stability requests: 
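Review bot: The first backend in the `@@ -12,14 +12,14 @@` hunk of kustomize/stage/patch-ingress-share.yaml is renamed to `alfresco-content-service-share` (singular `service`), while the second backend and the Ingress `metadata.name` in the same patch use `alfresco-content-services-share`. Unless a Service with the singular name exists, the `/` path of the share host has no backend and requests to it will fail instead of reaching Share. The line should read `name: alfresco-content-services-share`. The same misspelling is in the matching hunk of kustomize/test/patch-ingress-share.yaml.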
@@ -24,35 +10,43 @@ repository: limits: cpu: 4 memory: 10Gi - persistence: - baseSize: 100Gi share: replicaCount: 1 image: - tag: release_7.3.2_elasticsearch-r5.0.2-share-latest -externalHost: hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share + tag: release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest externalProtocol: https externalPort: 443 -tika: - replicaCount: 8 - resources: - limits: - cpu: 2 - memory: 4Gi -transformrouter: - replicaCount: 12 - resources: - requests: - cpu: "0.75" - memory: "300Mi" - limits: - cpu: "2" - memory: "756Mi" alfresco-search-enterprise: liveIndexing: + # set in value-versions yaml content: - replicaCount: 8 - mediation: replicaCount: 4 metadata: - replicaCount: 4 + replicaCount: 2 + mediation: + replicaCount: 2 +alfresco-transform-service: + tika: + replicaCount: 8 + resources: + requests: + cpu: "0.5" + memory: "2048Mi" + limits: + cpu: "2" + memory: 6Gi + transformrouter: + replicaCount: 8 + resources: + requests: + cpu: "0.75" + memory: "512Mi" + limits: + cpu: "2" + memory: 2Gi +global: + known_urls: + - https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + - https://share.hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk + - https://alf-sfs.stage.delius-core.hmpps-preproduction.modernisation-platform.service.justice.gov.uk diff --git a/kustomize/test/alf-prop-config-map.yaml b/kustomize/test/alf-prop-config-map.yaml new file mode 100644 index 0000000..d622319 --- /dev/null +++ b/kustomize/test/alf-prop-config-map.yaml 
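Review bot: The share image added in this hunk uses a tag ending in `-latest` (`release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest`), which reads like a moving tag, so the same values file can roll out different image contents over time. Pinning to an immutable reference, for example a digest such as `sha256:<DIGEST>` if the chart's image template accepts one, or a build-specific tag, would make rollouts reproducible and tie the running image to a scanned build. The `alfresco-repository` image in the first hunk of this file and both images in kustomize/test/values.yaml follow the same pattern. Separately, the added comment `# set in value-versions yaml` sits above replica counts that are still set here, so it should say which file takes precedence.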
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: alf-prop-config-map
+data:
+ alfresco-global.properties: |
+ deployment.method=HELM_CHART
+ alfresco.cluster.enabled=true
+ alfresco.host=hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk
+ alfresco.protocol=https
+ alfresco.port=443
+ aos.baseUrlOverwrite=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/alfresco/aos
+ csrf.filter.origin=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk
+ csrf.filter.referer=https://hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk/.*
+ share.protocol=https
+ share.host=hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk
+ share.port=443
+ local.transform.service.enabled=true
+ transform.service.enabled=false
+ localTransform.core-aio.url=
+ localTransform.pdfrenderer.url=http://alfresco-content-services-pdfrenderer
+ localTransform.imagemagick.url=http://alfresco-content-services-imagemagick
+ localTransform.libreoffice.url=http://alfresco-content-services-libreoffice
+ localTransform.tika.url=http://alfresco-content-services-tika
+ localTransform.misc.url=http://alfresco-content-services-transform-misc
+ events.subsystem.autoStart=false
+
+ #Zaizi additions
+ zaizi.noms.root.folder=NOMS
+ zaizi.noms.crn.pattern=([A-Z])([0-9]{3})([0-9]{3})
+ zaizi.noms.invalidCharacters=\\/:*\"\"<>|?!$#%^&
+
+ spg.ndelius.users=N00
+ spg.crc.users=C01,C02,C03,C04,C05,C06,C07,C08,C09,C10,C11,C12,C13,C14,C15,C16,C17,C18,C19,C20,C21,C22,C23
+
+ # The User to Schema Cache
+ cache.spgUserToSchemaVersionCache.tx.maxItems=100
+ cache.spgUserToSchemaVersionCache.tx.statsEnabled=${caches.tx.statsEnabled}
+ cache.spgUserToSchemaVersionCache.maxItems=500
+ cache.spgUserToSchemaVersionCache.timeToLiveSeconds=0
+ cache.spgUserToSchemaVersionCache.maxIdleSeconds=0
+ cache.spgUserToSchemaVersionCache.cluster.type=local
+ cache.spgUserToSchemaVersionCache.backup-count=1
+ cache.spgUserToSchemaVersionCache.eviction-policy=LRU
+ cache.spgUserToSchemaVersionCache.eviction-percentage=25
+ cache.spgUserToSchemaVersionCache.merge-policy=hz.ADD_NEW_ENTRY
+ cache.spgUserToSchemaVersionCache.readBackupData=false
+ cache.spgUserToSchemaVersionCache.cluster.type=invalidating
+
+ # Notify when a messaging to be sent to MPX taking morethan specified time. Value is in milliseconds.
+ message.mpx.log.messageSendingTakenMorethan=1000
+
+ zaizi.noms.mpx.schema.version=0-9-9
+ zaizi.noms.mpx.schema.date=2016-09-05
+ messaging.events.nspg.schema=classpath:SPG-XML_Message_Root-V0-9-9.xsd
+
+ zaizi.noms.mpx.schema2.version=0-9-10
+ zaizi.noms.mpx.schema2.date=2017-03-30
+ messaging.events.nspg2.schema=classpath:SPG-XML_Message_Root-V0-9-10-2.xsd
+
+ zaizi.noms.mpx.schema.911.version=0-9-11
+ zaizi.noms.mpx.schema.911.date=2017-09-04
+ messaging.events.nspg.911.schema=classpath:SPG-XML_Message_Root-V0-9-11.xsd
+
+ zaizi.noms.mpx.schema.912.version=0-9-12
+ zaizi.noms.mpx.schema.912.date=2017-12-05
+ messaging.events.nspg.912.schema=classpath:SPG-XML_Message_Root-V0-9-12.xsd
+
+ zaizi.noms.mpx.schema.913.version=0-9-13
+ zaizi.noms.mpx.schema.913.date=2018-02-08
+ messaging.events.nspg.913.schema=classpath:SPG-XML_Message_Root-V0-9-13.xsd
+
+ zaizi.noms.mpx.schema.914.version=0-9-14
+ zaizi.noms.mpx.schema.914.date=2019-10-21
+ messaging.events.nspg.914.schema=classpath:SPG-XML_Message_Root-V0-9-14.xsd
+
+ # NSPG Administration Groups Patch
+ patch.nspg.administration.deferred=false
+ patch.nspg.administration.roles.cronExpression=0 0 0 ? 1 1 2030
+ patch.nspg.administration.roles.startDelay=0
diff --git a/kustomize/test/kustomization.yaml b/kustomize/test/kustomization.yaml
index eaf31f0..4ed2cda 100644
--- a/kustomize/test/kustomization.yaml
+++ b/kustomize/test/kustomization.yaml
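Review bot: This ConfigMap is added under kustomize/test, but every host in it is the stage one: `alfresco.host`, `share.host`, `aos.baseUrlOverwrite`, `csrf.filter.origin` and `csrf.filter.referer` all name `hmpps-delius-alfresco-stage.apps.live.cloud-platform.service.justice.gov.uk`. With the CSRF origin and referer pinned to another environment's host, requests arriving on the test hostnames would presumably fail that check, and the generated links would point users of test at stage. The values should name the test host that kustomize/test/values.yaml lists, `hmpps-delius-alfresco-test.apps.live.cloud-platform.service.justice.gov.uk`. `share.host` is also set to the repository host rather than the `share.` host the Share ingress serves. `cache.spgUserToSchemaVersionCache.cluster.type` is assigned twice (`local`, then `invalidating`); keep one and add a comment saying which is intended.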
@@ -3,7 +3,9 @@ kind: Kustomization resources: - ../base + - alf-prop-config-map.yaml patches: - path: patch-ingress-repository.yaml - path: patch-ingress-share.yaml + - path: patch-infra-config-map.yaml diff --git a/kustomize/test/patch-infra-config-map.yaml b/kustomize/test/patch-infra-config-map.yaml new file mode 100644 index 0000000..efa622e --- /dev/null +++ b/kustomize/test/patch-infra-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: alfresco-infrastructure +data: + SFS_URL: https://alf-sfs.test.delius-core.hmpps-test.modernisation-platform.service.justice.gov.uk/ + SFS_URL_API: https://alf-sfs.test.delius-core.hmpps-test.modernisation-platform.service.justice.gov.uk/alfresco/api/-default-/private/sfs/versions/1/file/ diff --git a/kustomize/test/patch-ingress-repository.yaml b/kustomize/test/patch-ingress-repository.yaml index 8af3ed6..f3aceb7 100644 --- a/kustomize/test/patch-ingress-repository.yaml +++ b/kustomize/test/patch-ingress-repository.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-repository-hmpps-delius-alfresco-test-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-repository-hmpps-delius-alfresco-test-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-repository + name: alfresco-content-services-alfresco-repository port: number: 80 path: /api-explorer 
diff --git a/kustomize/test/patch-ingress-share.yaml b/kustomize/test/patch-ingress-share.yaml index 7d36bd7..226170e 100644 --- a/kustomize/test/patch-ingress-share.yaml +++ b/kustomize/test/patch-ingress-share.yaml @@ -1,9 +1,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share annotations: - external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-alfresco-cs-share-hmpps-delius-alfresco-test-green + external-dns.alpha.kubernetes.io/set-identifier: alfresco-content-services-share-hmpps-delius-alfresco-test-green nginx.ingress.kubernetes.io/whitelist-source-range: "placeholder" spec: rules: @@ -12,14 +12,14 @@ spec: paths: - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-service-share port: number: 80 path: / pathType: Prefix - backend: service: - name: alfresco-content-services-alfresco-cs-share + name: alfresco-content-services-share port: number: 80 path: /share/page/ diff --git a/kustomize/test/values.yaml b/kustomize/test/values.yaml index fe51b9c..5ffcddc 100644 --- a/kustomize/test/values.yaml +++ b/kustomize/test/values.yaml 
@@ -1,27 +1,53 @@ # this file overrides values defined in ./values.yaml -repository: +alfresco-repository: + # -- The startup probe to cover the worse case startup time for slow clusters + # startupProbe: + # periodSeconds: 30 + # failureThreshold: 40 + # readinessProbe: + # initialDelaySeconds: 60 + # periodSeconds: 30 + # timeoutSeconds: 15 + # failureThreshold: 40 # Increased from 6 to 12 + # livenessProbe: + # initialDelaySeconds: 260 # Increased from 130 to 260 + # periodSeconds: 20 + # timeoutSeconds: 15 + # failureThreshold: 40 replicaCount: 2 image: - tag: release_7.3.2_elasticsearch-r5.0.1-content-latest + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-content-repository + tag: release_7.3.2_elasticsearch-r5.0.2-content-latest resources: # requests and limits set closer together to ensure CP stability requests: cpu: 1 memory: 2Gi limits: - cpu: 3 + cpu: 2 memory: 4Gi - persistence: - baseSize: 100Gi share: replicaCount: 1 image: - tag: release_7.3.2_elasticsearch-r5.0.1-share-latest -externalHost: hmpps-delius-alfresco-dev.apps.live.cloud-platform.service.justice.gov.uk + repository: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/hmpps-migration/alfresco-share + tag: release_7.3.2_elasticsearch-r5.0.2-chart-7.0.3-share-latest externalProtocol: https externalPort: 443 -tika: - replicaCount: 2 - resources: - limits: - cpu: 2 - memory: 2Gi +alfresco-search-enterprise: + liveIndexing: + # set in value-versions yaml + content: + replicaCount: 4 + metadata: + replicaCount: 2 + mediation: + replicaCount: 2 +alfresco-transform-service: + tika: + replicaCount: 2 + transformrouter: + replicaCount: 2 +global: + known_urls: + - https://hmpps-delius-alfresco-test.apps.live.cloud-platform.service.justice.gov.uk + - https://share.hmpps-delius-alfresco-test.apps.live.cloud-platform.service.justice.gov.uk + - https://alf-sfs.test.delius-core.hmpps-testuction.modernisation-platform.service.justice.gov.uk 
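Review bot: The last `known_urls` entry names the host `alf-sfs.test.delius-core.hmpps-testuction.modernisation-platform.service.justice.gov.uk`; `hmpps-testuction` looks like a search-and-replace of `preprod` inside `hmpps-preproduction`. kustomize/test/patch-infra-config-map.yaml in this same commit sets `SFS_URL` to the `hmpps-test.modernisation-platform` host, so the allow-listed URL and the configured filestore URL disagree. If `known_urls` feeds the CSRF/CORS allow-list, as the name suggests, the real filestore origin is missing from it. The entry should be `- https://alf-sfs.test.delius-core.hmpps-test.modernisation-platform.service.justice.gov.uk`.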
diff --git a/rules.yaml b/rules.yaml new file mode 100644 index 0000000..4214da9 --- /dev/null +++ b/rules.yaml 
@@ -0,0 +1,219 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + creationTimestamp: "2025-01-07T20:24:38Z" + generation: 1 + labels: + role: alert-rules + name: prometheus-custom-rules-alfresco + namespace: hmpps-delius-alfresco-stage + resourceVersion: "2806395382" + uid: ab91b16a-80f3-4ccb-932c-f8e0346e83a2 +spec: + groups: + - name: application-rules + rules: + - alert: repositoryDeploymentOver75PctCpuUsage + annotations: + message: repository Deployment CPU usage is over 75% + expr: + sum(rate(container_cpu_usage_seconds_total{namespace="hmpps-delius-alfresco-stage", + pod=~"alfresco-content-services-alfresco-cs-repository.*"}[5m])) / sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage", + pod=~"alfresco-content-services-alfresco-cs-repository.*"}) > 0.75 + for: 5m + labels: + severity: hmpps-delius-alfresco-stage + - alert: repositoryDeploymentOver75PctMemUsage + annotations: + message: repository Deployment Memory usage is over 75% + expr: + sum(rate(container_memory_working_set_bytes{namespace="hmpps-delius-alfresco-stage", + pod=~"alfresco-content-services-alfresco-cs-repository.*"}[5m])) / sum(cluster:namespace:pod_mem:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage", + pod=~"alfresco-content-services-alfresco-cs-repository.*"}) > 0.75 + for: 5m + labels: + severity: hmpps-delius-alfresco-stage + - alert: repositoryDeploymentAvailableReplicasLessThan5 + annotations: + message: repository Deployment available replicas is less than 5 + expr: + kube_deployment_status_replicas_available{namespace="hmpps-delius-alfresco-stage", + deployment=~"alfresco-content-services-alfresco-cs-repository"} < 5 + for: 5m + labels: + severity: hmpps-delius-alfresco-stage + - alert: tikaDeploymentOver75PctCpuUsage + annotations: + message: tika Deployment CPU usage is over 75% + expr: + 
sum(rate(container_cpu_usage_seconds_total{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-cs-tika.*"}[5m])) / sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-cs-tika.*"}) > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: tikaDeploymentOver75PctMemUsage
+ annotations:
+ message: tika Deployment Memory usage is over 75%
+ expr:
+ sum(rate(container_memory_working_set_bytes{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-cs-tika.*"}[5m])) / sum(cluster:namespace:pod_mem:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-cs-tika.*"}) > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: tikaDeploymentAvailableReplicasLessThan2
+ annotations:
+ message: tika Deployment available replicas is less than 2
+ expr:
+ kube_deployment_status_replicas_available{namespace="hmpps-delius-alfresco-stage",
+ deployment=~"alfresco-content-services-alfresco-cs-tika"} < 2
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: filestoreDeploymentOver75PctCpuUsage
+ annotations:
+ message: filestore Deployment CPU usage is over 75%
+ expr:
+ sum(rate(container_cpu_usage_seconds_total{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-filestore.*"}[5m])) / sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-filestore.*"}) > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: filestoreDeploymentOver75PctMemUsage
+ annotations:
+ message: filestore Deployment Memory usage is over 75%
+ expr:
+ sum(rate(container_memory_working_set_bytes{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-filestore.*"}[5m])) / sum(cluster:namespace:pod_mem:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-filestore.*"}) > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: filestoreDeploymentAvailableReplicasLessThan1
+ annotations:
+ message: filestore Deployment available replicas is less than 1
+ expr:
+ kube_deployment_status_replicas_available{namespace="hmpps-delius-alfresco-stage",
+ deployment=~"alfresco-content-services-alfresco-filestore"} < 1
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: routerDeploymentOver75PctCpuUsage
+ annotations:
+ message: router Deployment CPU usage is over 75%
+ expr:
+ sum(rate(container_cpu_usage_seconds_total{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-router.*"}[5m])) / sum(cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-router.*"}) > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: routerDeploymentOver75PctMemUsage
+ annotations:
+ message: router Deployment Memory usage is over 75%
+ expr:
+ sum(rate(container_memory_working_set_bytes{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-router.*"}[5m])) / sum(cluster:namespace:pod_mem:active:kube_pod_container_resource_limits{namespace="hmpps-delius-alfresco-stage",
+ pod=~"alfresco-content-services-alfresco-router.*"}) > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: routerDeploymentAvailableReplicasLessThan5
+ annotations:
+ message: router Deployment available replicas is less than 5
+ expr:
+ kube_deployment_status_replicas_available{namespace="hmpps-delius-alfresco-stage",
+ deployment=~"alfresco-content-services-alfresco-router"} < 5
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: RDSLowStorage
+ annotations:
+ message: "[{{ environment|upper }}] RDS free storage space is less than 10GB"
+ expr:
+ aws_rds_free_storage_space_average{dbinstance_identifier="cloud-platform-43f547bdfa94ce12"}
+ offset 10m < 10000000000
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: RDSHighCPUUtilization
+ annotations:
+ message:
+ "[{{ environment|upper }}] RDS CPU Utilization is over 75% for more
+ than 5 minutes"
+ expr: aws_rds_cpuutilization_average{dbinstance_identifier="cloud-platform-43f547bdfa94ce12"} > 75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: RDSHighMemoryUtilization
+ annotations:
+ message:
+ "[{{ environment|upper }}] RDS freeable memory is less than 5GB for
+ more than 5 minutes"
+ expr:
+ aws_rds_freeable_memory_average{dbinstance_identifier="cloud-platform-43f547bdfa94ce12"}
+ < 5000000000
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: RDSHighConnections
+ annotations:
+ message:
+ "[{{ environment|upper }}] RDS database connections are over 100
+ for more than 5 minutes"
+ expr:
+ aws_rds_database_connections_average{dbinstance_identifier="cloud-platform-43f547bdfa94ce12"}
+ > 100
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: RDSHighReadLatency
+ annotations:
+ message:
+ "[{{ environment|upper }}] RDS read latency is over 0.1s for more
+ than 5 minutes"
+ expr:
+ aws_rds_read_latency_average{dbinstance_identifier="cloud-platform-43f547bdfa94ce12"}
+ > 0.05
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: IngressLongRequestTime95thPercentile
+ annotations:
+ message:
+ "[{{ environment|upper }}] 95th percentile of request duration for
+ Ingress is over 0.5s for more than 5 minutes"
+ expr:
+ histogram_quantile(0.95, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{namespace="hmpps-delius-alfresco-stage",
+ ingress="alfresco-content-services-alfresco-cs-repository"}[5m])) by (le))
+ > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: IngressLongResponseTime95thPercentile
+ annotations:
+ message:
+ "[{{ environment|upper }}] 95th percentile of response duration for
+ Ingress is over 0.5s for more than 5 minutes"
+ expr:
+ histogram_quantile(0.95, sum(rate(nginx_ingress_controller_response_duration_seconds_bucket{exported_namespace="hmpps-delius-alfresco-stage",
+ ingress="alfresco-content-services-alfresco-cs-repository"}[5m])) by (le, exported_namespace, ingress))
+ > 0.75
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
+ - alert: IngressHighErrorRate
+ annotations:
+ message:
+ "[{{ environment|upper }}] Error rate for Ingress is over 1% for
+ more than 5 minutes"
+ expr:
+ sum(rate(nginx_ingress_controller_requests{exported_namespace="hmpps-delius-alfresco-stage",
+ ingress="alfresco-content-services-alfresco-cs-repository",status=~"5.*"}[5m]))
+ / sum(rate(nginx_ingress_controller_requests{exported_namespace="hmpps-delius-alfresco-stage",
+ ingress="alfresco-content-services-alfresco-cs-repository"}[5m])) > 0.01
+ for: 5m
+ labels:
+ severity: hmpps-delius-alfresco-stage
diff --git a/tools/scripts/amq-connect-single.sh b/tools/scripts/amq-connect-single.sh
new file mode 100755
index 0000000..7570ccf
--- /dev/null
+++ b/tools/scripts/amq-connect-single.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# trap ctrl-c and call ctrl_c()
+trap ctrl_c INT
+# trap fail and call fail()
+trap fail ERR
+
+main() {
+ env=$1
+ if [ "$env" == "poc" ]; then
+ namespace="hmpps-delius-alfrsco-${env}"
+ else
+ namespace="hmpps-delius-alfresco-${env}"
+ fi
+ echo "Connecting to AMQ Console in namespace $namespace"
+
+ # get amq connection url
+ URL=$(kubectl get secrets amazon-mq-broker-secret --namespace ${namespace} -o json | jq -r ".data.BROKER_CONSOLE_URL | @base64d")
+ LOCAL_PORT=8161
+
+ # extract host and port
+ HOST=$(echo $URL | cut -d '/' -f 3 | cut -d ':' -f 1)
+ # extract protocol
+ PROTOCOL=$(echo $URL | awk -F'://' '{print $1}')
+ # extract remote port
+ REMOTE_PORT=$(echo $URL | cut -d '/' -f 3 | cut -d ':' -f 2)
+
+ # generate random hex string
+ RANDOM_HEX=$(openssl rand -hex 4)
+ # start port forwarding
+ kubectl run port-forward-pod-${RANDOM_HEX} --image=ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest --port ${LOCAL_PORT} --env="REMOTE_HOST=$HOST" --env="LOCAL_PORT=$LOCAL_PORT" --env="REMOTE_PORT=$REMOTE_PORT" --namespace ${namespace};
+ # wait for pod to start
+ kubectl wait --for=condition=ready pod/port-forward-pod-${RANDOM_HEX} --timeout=60s --namespace ${namespace}
+
+ printf "\nPort forwarding started, connecting to $HOST:$REMOTE_PORT \n"
+ printf "\n****************************************************\n"
+ printf "Connect to ${PROTOCOL}://localhost:$LOCAL_PORT locally\n"
+ printf "Press Ctrl+C to stop port forwarding \n"
+ printf "****************************************************\n\n"
+ # start the local port forwarding session
+ kubectl port-forward --namespace ${namespace} port-forward-pod-${RANDOM_HEX} $LOCAL_PORT:$LOCAL_PORT &
+ PORT_FORWARD_PID=$!
+}
+
+fail() {
+ printf "\n\nPort forwarding failed"
+ kill $PORT_FORWARD_PID || true
+ kubectl delete pod port-forward-pod-${RANDOM_HEX} --force --grace-period=0 --namespace ${namespace}
+ exit 1
+}
+ctrl_c() {
+ printf "\n\nStopping port forwarding"
+ kill $PORT_FORWARD_PID_0 || true
+ kill $PORT_FORWARD_PID_1 || true
+ kill $PORT_FORWARD_PID_2 || true
+ kubectl delete pod port-forward-pod-${RANDOM_HEX} --force --grace-period=0 --namespace ${namespace}
+ exit 0
+}
+
+if [ -z "$1" ]; then
+ echo "env not provided"
+ echo "Usage: amq-connect.sh "
+ exit 1
+fi
+main $1 $2
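Review bot: The cleanup paths in this new script do not appear reachable, so the `port-forward-pod-${RANDOM_HEX}` pod that relays to the AMQ console is left running in the namespace after the script ends. `main` backgrounds `kubectl port-forward` and returns, and the file then ends at `main $1 $2` with nothing holding the shell open; adding `wait "$PORT_FORWARD_PID"` after `PORT_FORWARD_PID=$!` gives the INT trap something to interrupt. `ctrl_c` kills `$PORT_FORWARD_PID_0` to `_2`, which this file never sets, so it should use `kill "$PORT_FORWARD_PID" || true` as `fail` does. `trap fail ERR` is not inherited by shell functions unless `set -E` is on, so a failed `kubectl run` or `kubectl wait` inside `main` skips `fail` as well. Separately, the helper image is referenced as `:latest`; pinning it to a digest would keep the pod that can reach the broker reproducible.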