diff --git a/charts/planka/Chart.yaml b/charts/planka/Chart.yaml index f53d247f..40e697ee 100644 --- a/charts/planka/Chart.yaml +++ b/charts/planka/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.5 +version: 1.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/planka/README.md b/charts/planka/README.md index cb11a3f4..81833b71 100644 --- a/charts/planka/README.md +++ b/charts/planka/README.md @@ -109,3 +109,122 @@ If you want to host PLANKA for more than just playing around with, you might wan - Specify a password for `postgresql.auth.password` as there have been issues with the postgresql chart generating new passwords locking you out of the data you've already stored. (see [this issue](https://github.com/bitnami/charts/issues/2061)) Any questions or concerns, [raise an issue](https://github.com/Chris-Greaves/planka-helm-chart/issues/new). + +## Advanced Configuration + +### Extra Volume Mounts + +The Helm chart supports mounting arbitrary ConfigMaps, Secrets, and Volumes to the Planka deployment using the `extraMounts` configuration. This is especially useful for scenarios like: + +- Mounting custom CA certificates for OIDC with self-hosted identity providers +- Adding custom configuration files +- Mounting TLS certificates from existing secrets +- Adding temporary or persistent storage volumes + +**Note**: ConfigMaps and Secrets must be created separately before referencing them in `extraMounts`. + +#### Basic Usage + +Use the `extraMounts` section to mount any type of volume: + +```yaml +extraMounts: + # Mount CA certificate from existing ConfigMap + - name: ca-certs + mountPath: /etc/ssl/certs/custom-ca.crt + subPath: ca.crt + readOnly: true + configMap: + name: ca-certificates # Must exist + + # Mount TLS certificates from existing Secret + - name: tls-certs + mountPath: /etc/ssl/private + readOnly: true + secret: + secretName: planka-tls-secret # Must exist + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + + # Temporary storage + - name: temp-storage + mountPath: /tmp/planka-temp + readOnly: false + emptyDir: + sizeLimit: 1Gi + + # Host path mount + - name: backup-storage + mountPath: /var/lib/planka-backups + readOnly: false + hostPath: + path: /var/lib/planka-backups + type: DirectoryOrCreate + + # NFS mount + - name: nfs-storage + mountPath: /shared/data + readOnly: false + nfs: + server: nfs.example.com + path: /exports/planka +``` + +### OIDC with Self-Hosted Keycloak + +A common use case is configuring OIDC with a self-hosted Keycloak instance that uses custom CA certificates. + +First, create the CA certificate ConfigMap: +```bash +kubectl create configmap ca-certificates --from-file=ca.crt=/path/to/your/ca.crt +``` + +Then configure the chart: +```yaml +# Mount custom CA certificate from existing ConfigMap +extraMounts: + - name: keycloak-ca + mountPath: /etc/ssl/certs/keycloak-ca.crt + subPath: ca.crt + readOnly: true + configMap: + name: ca-certificates + +# Configure Node.js to trust the custom CA +extraEnv: + - name: NODE_EXTRA_CA_CERTS + value: "/etc/ssl/certs/keycloak-ca.crt" + +# Enable OIDC +oidc: + enabled: true + clientId: "planka-client" + clientSecret: "your-client-secret" + issuerUrl: "https://keycloak.example.com/realms/master" + admin: + roles: + - "planka-admin" +``` + +### Environment Variables from Secrets + +You can reference values from existing secrets in environment variables: + +```yaml +extraEnv: + - name: SMTP_PASSWORD + valueFrom: + secretName: smtp-credentials + key: password + - name: CUSTOM_API_KEY + valueFrom: + secretName: api-credentials + key: api-key +``` + +### Complete Example + +See `values-example.yaml` for a comprehensive example that demonstrates all the advanced features including OIDC configuration with custom CA certificates. diff --git a/charts/planka/templates/deployment.yaml b/charts/planka/templates/deployment.yaml index c2747b00..e642e3ce 100644 --- a/charts/planka/templates/deployment.yaml +++ b/charts/planka/templates/deployment.yaml @@ -71,6 +71,19 @@ spec: subPath: app-logs name: emptydir {{- end }} + {{- /* Extra volume mounts */}} + {{- range .Values.extraMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + {{- if .subPath }} + subPath: {{ .subPath }} + {{- end }} + {{- if hasKey . "readOnly" }} + readOnly: {{ .readOnly }} + {{- else }} + readOnly: true + {{- end }} + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} env: @@ -200,4 +213,31 @@ spec: {{- if .Values.securityContext.readOnlyRootFilesystem }} - name: emptydir emptyDir: {} - {{- end }} + {{- end }} + {{- /* Extra volumes */}} + {{- range .Values.extraMounts }} + - name: {{ .name }} + {{- if .configMap }} + configMap: + {{- toYaml .configMap | nindent 12 }} + {{- else if .secret }} + secret: + {{- toYaml .secret | nindent 12 }} + {{- else if .emptyDir }} + emptyDir: + {{- toYaml .emptyDir | nindent 12 }} + {{- else if .hostPath }} + hostPath: + {{- toYaml .hostPath | nindent 12 }} + {{- else if .persistentVolumeClaim }} + persistentVolumeClaim: + {{- toYaml .persistentVolumeClaim | nindent 12 }} + {{- else if .nfs }} + nfs: + {{- toYaml .nfs | nindent 12 }} + {{- else }} + {{- /* Support any other volume type by removing known mount-specific keys */}} + {{- $volume := omit . "name" "mountPath" "subPath" "readOnly" }} + {{- toYaml $volume | nindent 10 }} + {{- end }} + {{- end }} diff --git a/charts/planka/values.yaml b/charts/planka/values.yaml index 515f670f..54b882b2 100644 --- a/charts/planka/values.yaml +++ b/charts/planka/values.yaml @@ -238,3 +238,46 @@ extraEnv: [] ## value: "your_password" ## - name: SMTP_FROM ## value: "your_email@example.com" + +## Extra volume mounts configuration +## Mount ConfigMaps, Secrets, and arbitrary volumes to the Planka container +## This allows mounting any pre-existing ConfigMaps, Secrets, or other volume types +## +extraMounts: [] +## Example extraMounts: +## extraMounts: +## - name: ca-certs +## mountPath: /etc/ssl/certs/ca-certificates.crt +## subPath: ca-bundle.crt +## readOnly: true +## configMap: +## name: ca-certificates +## - name: tls-certs +## mountPath: /etc/ssl/private +## readOnly: true +## secret: +## secretName: planka-tls +## items: +## - key: tls.crt +## path: server.crt +## - key: tls.key +## path: server.key +## - name: temp-storage +## mountPath: /tmp/planka-temp +## readOnly: false +## emptyDir: +## sizeLimit: 1Gi + +## Example configuration for OIDC with self-hosted Keycloak using custom CA +## (Requires pre-existing ConfigMap "ca-certificates") +## extraMounts: +## - name: keycloak-ca +## mountPath: /etc/ssl/certs/keycloak-ca.crt +## subPath: ca.crt +## readOnly: true +## configMap: +## name: ca-certificates +## +## extraEnv: +## - name: NODE_EXTRA_CA_CERTS +## value: "/etc/ssl/certs/keycloak-ca.crt"