feat: Extra volume mounts in Helm (#1382)

This commit is contained in:
Fabian Reinold
2025-10-14 18:50:54 +02:00
committed by GitHub
parent e080d30b32
commit d8d4558b8e
4 changed files with 204 additions and 2 deletions

View File

@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.0.5
version: 1.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to

View File

@@ -109,3 +109,122 @@ If you want to host PLANKA for more than just playing around with, you might wan
- Specify a password for `postgresql.auth.password` as there have been issues with the postgresql chart generating new passwords locking you out of the data you've already stored. (see [this issue](https://github.com/bitnami/charts/issues/2061))
Any questions or concerns, [raise an issue](https://github.com/Chris-Greaves/planka-helm-chart/issues/new).
## Advanced Configuration
### Extra Volume Mounts
The Helm chart supports mounting arbitrary ConfigMaps, Secrets, and Volumes to the Planka deployment using the `extraMounts` configuration. This is especially useful for scenarios like:
- Mounting custom CA certificates for OIDC with self-hosted identity providers
- Adding custom configuration files
- Mounting TLS certificates from existing secrets
- Adding temporary or persistent storage volumes
**Note**: ConfigMaps and Secrets must be created separately before referencing them in `extraMounts`.
#### Basic Usage
Use the `extraMounts` section to mount any type of volume:
```yaml
extraMounts:
# Mount CA certificate from existing ConfigMap
- name: ca-certs
mountPath: /etc/ssl/certs/custom-ca.crt
subPath: ca.crt
readOnly: true
configMap:
name: ca-certificates # Must exist
# Mount TLS certificates from existing Secret
- name: tls-certs
mountPath: /etc/ssl/private
readOnly: true
secret:
secretName: planka-tls-secret # Must exist
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
# Temporary storage
- name: temp-storage
mountPath: /tmp/planka-temp
readOnly: false
emptyDir:
sizeLimit: 1Gi
# Host path mount
- name: backup-storage
mountPath: /var/lib/planka-backups
readOnly: false
hostPath:
path: /var/lib/planka-backups
type: DirectoryOrCreate
# NFS mount
- name: nfs-storage
mountPath: /shared/data
readOnly: false
nfs:
server: nfs.example.com
path: /exports/planka
```
### OIDC with Self-Hosted Keycloak
A common use case is configuring OIDC with a self-hosted Keycloak instance that uses custom CA certificates.
First, create the CA certificate ConfigMap:
```bash
kubectl create configmap ca-certificates --from-file=ca.crt=/path/to/your/ca.crt
```
Then configure the chart:
```yaml
# Mount custom CA certificate from existing ConfigMap
extraMounts:
- name: keycloak-ca
mountPath: /etc/ssl/certs/keycloak-ca.crt
subPath: ca.crt
readOnly: true
configMap:
name: ca-certificates
# Configure Node.js to trust the custom CA
extraEnv:
- name: NODE_EXTRA_CA_CERTS
value: "/etc/ssl/certs/keycloak-ca.crt"
# Enable OIDC
oidc:
enabled: true
clientId: "planka-client"
clientSecret: "your-client-secret"
issuerUrl: "https://keycloak.example.com/realms/master"
admin:
roles:
- "planka-admin"
```
### Environment Variables from Secrets
You can reference values from existing secrets in environment variables:
```yaml
extraEnv:
- name: SMTP_PASSWORD
valueFrom:
secretName: smtp-credentials
key: password
- name: CUSTOM_API_KEY
valueFrom:
secretName: api-credentials
key: api-key
```
### Complete Example
See `values-example.yaml` for a comprehensive example that demonstrates all the advanced features including OIDC configuration with custom CA certificates.

View File

@@ -71,6 +71,19 @@ spec:
subPath: app-logs
name: emptydir
{{- end }}
{{- /* Extra volume mounts */}}
{{- range .Values.extraMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
{{- if .subPath }}
subPath: {{ .subPath }}
{{- end }}
{{- if hasKey . "readOnly" }}
readOnly: {{ .readOnly }}
{{- else }}
readOnly: true
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
@@ -200,4 +213,31 @@ spec:
{{- if .Values.securityContext.readOnlyRootFilesystem }}
- name: emptydir
emptyDir: {}
{{- end }}
{{- end }}
{{- /* Extra volumes */}}
{{- range .Values.extraMounts }}
- name: {{ .name }}
{{- if .configMap }}
configMap:
{{- toYaml .configMap | nindent 12 }}
{{- else if .secret }}
secret:
{{- toYaml .secret | nindent 12 }}
{{- else if .emptyDir }}
emptyDir:
{{- toYaml .emptyDir | nindent 12 }}
{{- else if .hostPath }}
hostPath:
{{- toYaml .hostPath | nindent 12 }}
{{- else if .persistentVolumeClaim }}
persistentVolumeClaim:
{{- toYaml .persistentVolumeClaim | nindent 12 }}
{{- else if .nfs }}
nfs:
{{- toYaml .nfs | nindent 12 }}
{{- else }}
{{- /* Support any other volume type by removing known mount-specific keys */}}
{{- $volume := omit . "name" "mountPath" "subPath" "readOnly" }}
{{- toYaml $volume | nindent 10 }}
{{- end }}
{{- end }}

View File

@@ -238,3 +238,46 @@ extraEnv: []
## value: "your_password"
## - name: SMTP_FROM
## value: "your_email@example.com"
## Extra volume mounts configuration
## Mount ConfigMaps, Secrets, and arbitrary volumes to the Planka container
## This allows mounting any pre-existing ConfigMaps, Secrets, or other volume types
##
extraMounts: []
## Example extraMounts:
## extraMounts:
## - name: ca-certs
## mountPath: /etc/ssl/certs/ca-certificates.crt
## subPath: ca-bundle.crt
## readOnly: true
## configMap:
## name: ca-certificates
## - name: tls-certs
## mountPath: /etc/ssl/private
## readOnly: true
## secret:
## secretName: planka-tls
## items:
## - key: tls.crt
## path: server.crt
## - key: tls.key
## path: server.key
## - name: temp-storage
## mountPath: /tmp/planka-temp
## readOnly: false
## emptyDir:
## sizeLimit: 1Gi
## Example configuration for OIDC with self-hosted Keycloak using custom CA
## (Requires pre-existing ConfigMap "ca-certificates")
## extraMounts:
## - name: keycloak-ca
## mountPath: /etc/ssl/certs/keycloak-ca.crt
## subPath: ca.crt
## readOnly: true
## configMap:
## name: ca-certificates
##
## extraEnv:
## - name: NODE_EXTRA_CA_CERTS
## value: "/etc/ssl/certs/keycloak-ca.crt"