diff --git a/charts/mealie/Chart.yaml b/charts/mealie/Chart.yaml new file mode 100644 index 0000000..ee8d6c3 --- /dev/null +++ b/charts/mealie/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: mealie +description: Mealie helm chart for Kubernetes - Recipe management and meal planning +type: application +version: 0.0.1 +appVersion: "v3.1.1" +maintainers: + - name: Richard Tomik + email: no@m.com +keywords: + - recipe-management + - meal-planning + - cooking + - mealie +home: https://github.com/rtomik/helm-charts +sources: + - https://github.com/mealie-recipes/mealie \ No newline at end of file diff --git a/charts/mealie/NOTES.txt b/charts/mealie/NOTES.txt new file mode 100644 index 0000000..074def8 --- /dev/null +++ b/charts/mealie/NOTES.txt @@ -0,0 +1,84 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mealie.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "mealie.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mealie.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mealie.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} + +2. Mealie application is configured with: + - Database: {{ .Values.env.DB_ENGINE }} + - User signup: {{ if eq .Values.env.ALLOW_SIGNUP "true" }}enabled{{ else }}disabled{{ end }} + - API port: {{ .Values.env.API_PORT }} + +{{- if .Values.persistence.enabled }} +3. Data is persisted using PVC: {{ include "mealie.fullname" . }}-data +{{- else }} +3. WARNING: No persistence enabled. Data will be lost when pods are restarted. +{{- end }} + +{{- if .Values.postgresql.external.enabled }} +4. Using external PostgreSQL database: + - Host: {{ .Values.postgresql.external.host }} + - Database: {{ .Values.postgresql.external.database }} +{{- end }} + +{{- if or .Values.email.enabled .Values.ldap.enabled .Values.oidc.enabled .Values.openai.enabled }} +5. Additional features enabled: +{{- if .Values.email.enabled }} + - SMTP Email notifications configured +{{- end }} +{{- if .Values.ldap.enabled }} + - LDAP authentication enabled +{{- end }} +{{- if .Values.oidc.enabled }} + - OpenID Connect (OIDC) authentication enabled +{{- end }} +{{- if .Values.openai.enabled }} + - OpenAI integration enabled for AI features +{{- end }} +{{- end }} + +{{- if or .Values.postgresql.external.existingSecret .Values.email.existingSecret .Values.ldap.existingSecret .Values.oidc.existingSecret .Values.openai.existingSecret .Values.tls.existingSecret }} + +6. Using external secrets for sensitive information: +{{- if .Values.postgresql.external.existingSecret }} + - Database credentials from: {{ .Values.postgresql.external.existingSecret }} +{{- end }} +{{- if .Values.email.existingSecret }} + - SMTP credentials from: {{ .Values.email.existingSecret }} +{{- end }} +{{- if .Values.ldap.existingSecret }} + - LDAP credentials from: {{ .Values.ldap.existingSecret }} +{{- end }} +{{- if .Values.oidc.existingSecret }} + - OIDC credentials from: {{ .Values.oidc.existingSecret }} +{{- end }} +{{- if .Values.openai.existingSecret }} + - OpenAI API key from: {{ .Values.openai.existingSecret }} +{{- end }} +{{- if .Values.tls.existingSecret }} + - TLS certificates from: {{ .Values.tls.existingSecret }} +{{- end }} +{{- else }} + +6. SECURITY NOTE: For production use, it's recommended to store sensitive data in Kubernetes Secrets. + Consider using existingSecret options for database, email, LDAP, OIDC, and OpenAI configurations. +{{- end }} + +For more information about using this Helm chart, please refer to the readme.md file. \ No newline at end of file diff --git a/charts/mealie/readme.md b/charts/mealie/readme.md new file mode 100644 index 0000000..cffcd02 --- /dev/null +++ b/charts/mealie/readme.md @@ -0,0 +1,352 @@ +# Mealie Helm Chart + +A Helm chart for deploying Mealie recipe management and meal planning application on Kubernetes. + +## Introduction + +This chart deploys [Mealie](https://github.com/mealie-recipes/mealie) on a Kubernetes cluster using the Helm package manager. Mealie is a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. + +Source code can be found here: +- https://github.com/rtomik/helm-charts/tree/main/charts/mealie + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.0+ +- PV provisioner support in the underlying infrastructure (if persistence is needed) +- External Postgresql DB like https://cloudnative-pg.io/ + +## Installing the Chart + +To install the chart with the release name `mealie`: + +```bash +$ helm repo add mealie-chart https://rtomik.github.io/helm-charts +$ helm install mealie mealie-chart/mealie +``` + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `mealie` deployment: + +```bash +$ helm uninstall mealie +``` + +## Parameters + +### Global parameters + +| Name | Description | Value | +|------------------------|------------------------------------------------|-------| +| `nameOverride` | String to partially override the release name | `""` | +| `fullnameOverride` | String to fully override the release name | `""` | + +### Image parameters + +| Name | Description | Value | +|-------------------------|-----------------------------------|-----------------------------------| +| `image.repository` | Mealie image repository | `ghcr.io/mealie-recipes/mealie` | +| `image.tag` | Mealie image tag | `v3.1.1` | +| `image.pullPolicy` | Mealie image pull policy | `IfNotPresent` | + +### Deployment parameters + +| Name | Description | Value | +|--------------------------------------|-----------------------------------------------|-----------| +| `replicaCount` | Number of Mealie replicas | `1` | +| `revisionHistoryLimit` | Number of revisions to retain for rollback | `3` | +| `podSecurityContext.runAsNonRoot` | Run containers as non-root user | `false` | +| `podSecurityContext.runAsUser` | User ID for the container | `911` | +| `podSecurityContext.fsGroup` | Group ID for the container filesystem | `911` | +| `containerSecurityContext` | Security context for the container | See values.yaml | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | + +### Service parameters + +| Name | Description | Value | +|----------------|-----------------------|-------------| +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | Service HTTP port | `9000` | + +### Ingress parameters + +| Name | Description | Value | +|-------------------------|-------------------------------------------|-----------------| +| `ingress.enabled` | Enable ingress record generation | `false` | +| `ingress.className` | IngressClass name | `""` | +| `ingress.annotations` | Additional annotations for the Ingress | See values.yaml | +| `ingress.hosts` | Array of host and path objects | See values.yaml | +| `ingress.tls` | TLS configuration | See values.yaml | + +### Persistence parameters + +| Name | Description | Value | +|-------------------------------|----------------------------------|-----------------| +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.storageClass` | PVC Storage Class | `""` | +| `persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` | +| `persistence.size` | PVC Size | `5Gi` | +| `persistence.annotations` | Annotations for PVC | `{}` | + +### Environment variables + +| Name | Description | Value | +|---------------------------------------|-----------------------------------------------|-----------------| +| `env.PUID` | UserID permissions between host OS and container | `911` | +| `env.PGID` | GroupID permissions between host OS and container | `911` | +| `env.DEFAULT_GROUP` | The default group for users | `Home` | +| `env.DEFAULT_HOUSEHOLD` | The default household for users in each group | `Family` | +| `env.BASE_URL` | Used for Notifications | `http://localhost:9000` | +| `env.TOKEN_TIME` | The time in hours that a login/auth token is valid | `48` | +| `env.API_PORT` | The port exposed by backend API | `9000` | +| `env.API_DOCS` | Turns on/off access to the API documentation | `true` | +| `env.TZ` | Must be set to get correct date/time on the server | `UTC` | +| `env.ALLOW_SIGNUP` | Allow user sign-up without token | `false` | +| `env.ALLOW_PASSWORD_LOGIN` | Whether or not to display username+password input fields | `true` | +| `env.LOG_LEVEL` | Logging level | `info` | +| `env.DAILY_SCHEDULE_TIME` | Time to run daily server tasks (HH:MM) | `23:45` | + +### PostgreSQL configuration + +| Name | Description | Value | +|----------------------------------------|-----------------------------------------------|-----------| +| `postgresql.enabled` | Enable PostgreSQL support | `false` | +| `postgresql.external.enabled` | Use external PostgreSQL database | `false` | +| `postgresql.external.host` | PostgreSQL host | `""` | +| `postgresql.external.port` | PostgreSQL port | `5432` | +| `postgresql.external.database` | PostgreSQL database name | `mealie` | +| `postgresql.external.user` | PostgreSQL username | `mealie` | +| `postgresql.external.password` | PostgreSQL password | `""` | +| `postgresql.external.existingSecret` | Name of existing secret with PostgreSQL credentials | `""` | +| `postgresql.external.userKey` | Key in the secret for username | `username` | +| `postgresql.external.passwordKey` | Key in the secret for password | `password` | + +### Email (SMTP) configuration + +| Name | Description | Value | +|--------------------------|--------------------------------------|-----------| +| `email.enabled` | Enable SMTP email support | `false` | +| `email.host` | SMTP host | `""` | +| `email.port` | SMTP port | `587` | +| `email.fromName` | From name for emails | `Mealie` | +| `email.authStrategy` | SMTP auth strategy (TLS, SSL, NONE) | `TLS` | +| `email.fromEmail` | From email address | `""` | +| `email.user` | SMTP username | `""` | +| `email.password` | SMTP password | `""` | +| `email.existingSecret` | Name of existing secret with SMTP credentials | `""` | +| `email.userKey` | Key in the secret for SMTP username | `smtp-user` | +| `email.passwordKey` | Key in the secret for SMTP password | `smtp-password` | + +### LDAP Authentication + +| Name | Description | Value | +|--------------------------|--------------------------------------|-----------| +| `ldap.enabled` | Enable LDAP authentication | `false` | +| `ldap.serverUrl` | LDAP server URL | `""` | +| `ldap.tlsInsecure` | Do not verify server certificate | `false` | +| `ldap.tlsCaCertFile` | Path to CA certificate file | `""` | +| `ldap.enableStartTls` | Use STARTTLS to connect to server | `false` | +| `ldap.baseDn` | Starting point for user authentication | `""` | +| `ldap.queryBind` | Optional bind user for LDAP searches | `""` | +| `ldap.queryPassword` | Password for the bind user | `""` | +| `ldap.userFilter` | LDAP filter to narrow down eligible users | `""` | +| `ldap.adminFilter` | LDAP filter for admin users | `""` | +| `ldap.idAttribute` | LDAP attribute for user ID | `uid` | +| `ldap.nameAttribute` | LDAP attribute for user name | `name` | +| `ldap.mailAttribute` | LDAP attribute for user email | `mail` | + +### OpenID Connect (OIDC) + +| Name | Description | Value | +|------------------------------|------------------------------------------|-----------| +| `oidc.enabled` | Enable OIDC authentication | `false` | +| `oidc.signupEnabled` | Allow new users via OIDC | `true` | +| `oidc.configurationUrl` | URL to OIDC configuration | `""` | +| `oidc.clientId` | OIDC client ID | `""` | +| `oidc.clientSecret` | OIDC client secret | `""` | +| `oidc.userGroup` | Required OIDC user group | `""` | +| `oidc.adminGroup` | OIDC admin group | `""` | +| `oidc.autoRedirect` | Bypass login page and redirect to IdP | `false` | +| `oidc.providerName` | Provider name shown in login button | `OAuth` | +| `oidc.rememberMe` | Extend session as if "Remember Me" was checked | `false` | +| `oidc.signingAlgorithm` | Algorithm used to sign the id token | `RS256` | +| `oidc.userClaim` | Claim to look up existing user by | `email` | +| `oidc.nameClaim` | Claim for user's full name | `name` | +| `oidc.groupsClaim` | Claim for user groups | `groups` | + +### OpenAI Integration + +| Name | Description | Value | +|------------------------------------|------------------------------------------|-----------| +| `openai.enabled` | Enable OpenAI integration | `false` | +| `openai.baseUrl` | Base URL for OpenAI API | `""` | +| `openai.apiKey` | OpenAI API key | `""` | +| `openai.model` | OpenAI model to use | `gpt-4o` | +| `openai.customHeaders` | Custom HTTP headers for OpenAI requests | `""` | +| `openai.customParams` | Custom HTTP query params for OpenAI requests | `""` | +| `openai.enableImageServices` | Enable OpenAI image services | `true` | +| `openai.workers` | Number of OpenAI workers per request | `2` | +| `openai.sendDatabaseData` | Send Mealie data to OpenAI to improve accuracy | `true` | +| `openai.requestTimeout` | Timeout for OpenAI requests in seconds | `60` | + +### TLS Configuration + +| Name | Description | Value | +|--------------------------|--------------------------------------|-----------| +| `tls.enabled` | Enable TLS configuration | `false` | +| `tls.certificatePath` | Path to TLS certificate file | `""` | +| `tls.privateKeyPath` | Path to TLS private key file | `""` | +| `tls.existingSecret` | Name of existing secret with TLS certificates | `""` | +| `tls.certificateKey` | Key in the secret for TLS certificate | `tls.crt` | +| `tls.privateKeyKey` | Key in the secret for TLS private key | `tls.key` | + +### Theme Configuration + +| Name | Description | Value | +|-------------------------------|--------------------------------|-----------| +| `theme.light.primary` | Light theme primary color | `#E58325` | +| `theme.light.accent` | Light theme accent color | `#007A99` | +| `theme.light.secondary` | Light theme secondary color | `#973542` | +| `theme.light.success` | Light theme success color | `#43A047` | +| `theme.light.info` | Light theme info color | `#1976D2` | +| `theme.light.warning` | Light theme warning color | `#FF6D00` | +| `theme.light.error` | Light theme error color | `#EF5350` | +| `theme.dark.primary` | Dark theme primary color | `#E58325` | +| `theme.dark.accent` | Dark theme accent color | `#007A99` | +| `theme.dark.secondary` | Dark theme secondary color | `#973542` | +| `theme.dark.success` | Dark theme success color | `#43A047` | +| `theme.dark.info` | Dark theme info color | `#1976D2` | +| `theme.dark.warning` | Dark theme warning color | `#FF6D00` | +| `theme.dark.error` | Dark theme error color | `#EF5350` | + +### Resource Configuration + +| Name | Description | Value | +|-------------|--------------------------------------|-------| +| `resources` | Resource limits and requests | `{}` | + +### Health Checks + +| Name | Description | Value | +|-------------------------------------------|------------------------------------------|-------| +| `probes.liveness.enabled` | Enable liveness probe | `true` | +| `probes.liveness.initialDelaySeconds` | Initial delay for liveness probe | `60` | +| `probes.liveness.periodSeconds` | Period for liveness probe | `30` | +| `probes.liveness.timeoutSeconds` | Timeout for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `3` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.liveness.path` | Path for liveness probe | `/` | +| `probes.readiness.enabled` | Enable readiness probe | `true` | +| `probes.readiness.initialDelaySeconds` | Initial delay for readiness probe | `30` | +| `probes.readiness.periodSeconds` | Period for readiness probe | `10` | +| `probes.readiness.timeoutSeconds` | Timeout for readiness probe | `5` | +| `probes.readiness.failureThreshold` | Failure threshold for readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for readiness probe | `1` | +| `probes.readiness.path` | Path for readiness probe | `/` | + +### Autoscaling + +| Name | Description | Value | +|---------------------------------------------|------------------------------------------|---------| +| `autoscaling.enabled` | Enable horizontal pod autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of replicas | `3` | +| `autoscaling.targetCPUUtilizationPercentage`| Target CPU utilization percentage | `80` | +| `autoscaling.targetMemoryUtilizationPercentage`| Target memory utilization percentage | `80` | + +## Configuration Examples + +### Basic Installation with Persistence + +```yaml +persistence: + enabled: true + size: 10Gi + storageClass: "fast-ssd" + +ingress: + enabled: true + hosts: + - host: mealie.example.com + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - mealie.example.com + secretName: mealie-tls +``` + +### PostgreSQL Database Configuration + +```yaml +postgresql: + external: + enabled: true + host: "postgresql.example.com" + port: 5432 + database: "mealie" + user: "mealie" + existingSecret: "mealie-postgresql-secret" + userKey: "username" + passwordKey: "password" + +env: + DB_ENGINE: "postgres" +``` + +### OIDC Authentication Setup + +```yaml +oidc: + enabled: true + configurationUrl: "https://auth.example.com/.well-known/openid-configuration" + clientId: "mealie-client" + existingSecret: "mealie-oidc-secret" + clientIdKey: "client-id" + clientSecretKey: "client-secret" + autoRedirect: true + providerName: "CompanySSO" +``` + +### OpenAI Integration + +```yaml +openai: + enabled: true + baseUrl: "https://api.openai.com/v1" + existingSecret: "mealie-openai-secret" + apiKeyKey: "api-key" + model: "gpt-4" + enableImageServices: true +``` + +## Security Considerations + +For production deployments, it's recommended to: + +1. Use external secrets for sensitive information +2. Enable TLS/SSL for all communications +3. Configure proper RBAC and network policies +4. Use a dedicated database with proper access controls +5. Enable authentication (LDAP/OIDC) and disable public signup + +## Troubleshooting + +Common issues and solutions: + +1. **Database connection issues**: Verify database credentials and network connectivity +2. **Persistence issues**: Check StorageClass and PVC configuration +3. **Authentication problems**: Verify LDAP/OIDC configuration and network access +4. **Performance issues**: Adjust resource limits and consider using external database + +For more detailed troubleshooting, check the application logs: + +```bash +kubectl logs -f deployment/mealie +``` \ No newline at end of file diff --git a/charts/mealie/templates/_helpers.tpl b/charts/mealie/templates/_helpers.tpl new file mode 100644 index 0000000..9706e7e --- /dev/null +++ b/charts/mealie/templates/_helpers.tpl @@ -0,0 +1,45 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "mealie.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "mealie.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- printf "%s" $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mealie.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "mealie.labels" -}} +helm.sh/chart: {{ include "mealie.chart" . }} +{{ include "mealie.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "mealie.selectorLabels" -}} +app.kubernetes.io/name: {{ include "mealie.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} \ No newline at end of file diff --git a/charts/mealie/templates/deployment.yaml b/charts/mealie/templates/deployment.yaml new file mode 100644 index 0000000..5328063 --- /dev/null +++ b/charts/mealie/templates/deployment.yaml @@ -0,0 +1,337 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "mealie.fullname" . }} + labels: + {{- include "mealie.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "mealie.selectorLabels" . | nindent 6 }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + template: + metadata: + labels: + {{- include "mealie.selectorLabels" . | nindent 8 }} + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 9000 + protocol: TCP + {{- if .Values.probes.liveness.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.probes.liveness.path }} + port: http + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + successThreshold: {{ .Values.probes.liveness.successThreshold }} + {{- end }} + {{- if .Values.probes.readiness.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.probes.readiness.path }} + port: http + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + successThreshold: {{ .Values.probes.readiness.successThreshold }} + {{- end }} + env: + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- if .Values.postgresql.external.enabled }} + - name: DB_ENGINE + value: "postgres" + - name: POSTGRES_SERVER + value: {{ .Values.postgresql.external.host | quote }} + - name: POSTGRES_PORT + value: {{ .Values.postgresql.external.port | quote }} + - name: POSTGRES_DB + value: {{ .Values.postgresql.external.database | quote }} + - name: POSTGRES_USER + {{- if .Values.postgresql.external.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.external.existingSecret }} + key: {{ .Values.postgresql.external.userKey }} + {{- else }} + value: {{ .Values.postgresql.external.user | quote }} + {{- end }} + - name: POSTGRES_PASSWORD + {{- if .Values.postgresql.external.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.external.existingSecret }} + key: {{ .Values.postgresql.external.passwordKey }} + {{- else }} + value: {{ .Values.postgresql.external.password | quote }} + {{- end }} + {{- end }} + {{- if .Values.email.enabled }} + - name: SMTP_HOST + {{- if .Values.email.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.email.existingSecret }} + key: "smtp-host" + {{- else }} + value: {{ .Values.email.host | quote }} + {{- end }} + - name: SMTP_PORT + value: {{ .Values.email.port | quote }} + - name: SMTP_FROM_NAME + value: {{ .Values.email.fromName | quote }} + - name: SMTP_AUTH_STRATEGY + value: {{ .Values.email.authStrategy | quote }} + - name: SMTP_FROM_EMAIL + value: {{ .Values.email.fromEmail | quote }} + {{- if and .Values.email.user (or (eq .Values.email.authStrategy "TLS") (eq .Values.email.authStrategy "SSL")) }} + - name: SMTP_USER + {{- if .Values.email.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.email.existingSecret }} + key: {{ .Values.email.userKey }} + {{- else }} + value: {{ .Values.email.user | quote }} + {{- end }} + {{- end }} + {{- if and .Values.email.password (or (eq .Values.email.authStrategy "TLS") (eq .Values.email.authStrategy "SSL")) }} + - name: SMTP_PASSWORD + {{- if .Values.email.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.email.existingSecret }} + key: {{ .Values.email.passwordKey }} + {{- else }} + value: {{ .Values.email.password | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ldap.enabled }} + - name: LDAP_AUTH_ENABLED + value: "true" + - name: LDAP_SERVER_URL + value: {{ .Values.ldap.serverUrl | quote }} + - name: LDAP_TLS_INSECURE + value: {{ .Values.ldap.tlsInsecure | quote }} + {{- if .Values.ldap.tlsCaCertFile }} + - name: LDAP_TLS_CACERTFILE + value: {{ .Values.ldap.tlsCaCertFile | quote }} + {{- end }} + - name: LDAP_ENABLE_STARTTLS + value: {{ .Values.ldap.enableStartTls | quote }} + - name: LDAP_BASE_DN + value: {{ .Values.ldap.baseDn | quote }} + {{- if .Values.ldap.queryBind }} + - name: LDAP_QUERY_BIND + value: {{ .Values.ldap.queryBind | quote }} + {{- end }} + {{- if .Values.ldap.queryPassword }} + - name: LDAP_QUERY_PASSWORD + {{- if .Values.ldap.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.ldap.existingSecret }} + key: {{ .Values.ldap.passwordKey }} + {{- else }} + value: {{ .Values.ldap.queryPassword | quote }} + {{- end }} + {{- end }} + {{- if .Values.ldap.userFilter }} + - name: LDAP_USER_FILTER + value: {{ .Values.ldap.userFilter | quote }} + {{- end }} + {{- if .Values.ldap.adminFilter }} + - name: LDAP_ADMIN_FILTER + value: {{ .Values.ldap.adminFilter | quote }} + {{- end }} + - name: LDAP_ID_ATTRIBUTE + value: {{ .Values.ldap.idAttribute | quote }} + - name: LDAP_NAME_ATTRIBUTE + value: {{ .Values.ldap.nameAttribute | quote }} + - name: LDAP_MAIL_ATTRIBUTE + value: {{ .Values.ldap.mailAttribute | quote }} + {{- end }} + {{- if .Values.oidc.enabled }} + - name: OIDC_AUTH_ENABLED + value: "true" + - name: OIDC_SIGNUP_ENABLED + value: {{ .Values.oidc.signupEnabled | quote }} + - name: OIDC_CONFIGURATION_URL + value: {{ .Values.oidc.configurationUrl | quote }} + - name: OIDC_CLIENT_ID + {{- if .Values.oidc.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.oidc.existingSecret }} + key: {{ .Values.oidc.clientIdKey }} + {{- else }} + value: {{ .Values.oidc.clientId | quote }} + {{- end }} + - name: OIDC_CLIENT_SECRET + {{- if .Values.oidc.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.oidc.existingSecret }} + key: {{ .Values.oidc.clientSecretKey }} + {{- else }} + value: {{ .Values.oidc.clientSecret | quote }} + {{- end }} + {{- if .Values.oidc.userGroup }} + - name: OIDC_USER_GROUP + value: {{ .Values.oidc.userGroup | quote }} + {{- end }} + {{- if .Values.oidc.adminGroup }} + - name: OIDC_ADMIN_GROUP + value: {{ .Values.oidc.adminGroup | quote }} + {{- end }} + - name: OIDC_AUTO_REDIRECT + value: {{ .Values.oidc.autoRedirect | quote }} + - name: OIDC_PROVIDER_NAME + value: {{ .Values.oidc.providerName | quote }} + - name: OIDC_REMEMBER_ME + value: {{ .Values.oidc.rememberMe | quote }} + - name: OIDC_SIGNING_ALGORITHM + value: {{ .Values.oidc.signingAlgorithm | quote }} + - name: OIDC_USER_CLAIM + value: {{ .Values.oidc.userClaim | quote }} + - name: OIDC_NAME_CLAIM + value: {{ .Values.oidc.nameClaim | quote }} + - name: OIDC_GROUPS_CLAIM + value: {{ .Values.oidc.groupsClaim | quote }} + {{- if .Values.oidc.scopesOverride }} + - name: OIDC_SCOPES_OVERRIDE + value: {{ .Values.oidc.scopesOverride | quote }} + {{- end }} + {{- if .Values.oidc.tlsCaCertFile }} + - name: OIDC_TLS_CACERTFILE + value: {{ .Values.oidc.tlsCaCertFile | quote }} + {{- end }} + {{- end }} + {{- if .Values.openai.enabled }} + {{- if .Values.openai.baseUrl }} + - name: OPENAI_BASE_URL + value: {{ .Values.openai.baseUrl | quote }} + {{- end }} + - name: OPENAI_API_KEY + {{- if .Values.openai.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.openai.existingSecret }} + key: {{ .Values.openai.apiKeyKey }} + {{- else }} + value: {{ .Values.openai.apiKey | quote }} + {{- end }} + - name: OPENAI_MODEL + value: {{ .Values.openai.model | quote }} + {{- if .Values.openai.customHeaders }} + - name: OPENAI_CUSTOM_HEADERS + value: {{ .Values.openai.customHeaders | quote }} + {{- end }} + {{- if .Values.openai.customParams }} + - name: OPENAI_CUSTOM_PARAMS + value: {{ .Values.openai.customParams | quote }} + {{- end }} + - name: OPENAI_ENABLE_IMAGE_SERVICES + value: {{ .Values.openai.enableImageServices | quote }} + - name: OPENAI_WORKERS + value: {{ .Values.openai.workers | quote }} + - name: OPENAI_SEND_DATABASE_DATA + value: {{ .Values.openai.sendDatabaseData | quote }} + - name: OPENAI_REQUEST_TIMEOUT + value: {{ .Values.openai.requestTimeout | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.existingSecret }} + - name: TLS_CERTIFICATE_PATH + value: "/app/certs/{{ .Values.tls.certificateKey }}" + - name: TLS_PRIVATE_KEY_PATH + value: "/app/certs/{{ .Values.tls.privateKeyKey }}" + {{- else }} + - name: TLS_CERTIFICATE_PATH + value: {{ .Values.tls.certificatePath | quote }} + - name: TLS_PRIVATE_KEY_PATH + value: {{ .Values.tls.privateKeyPath | quote }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.theme.light }} + - name: THEME_LIGHT_{{ $key | upper }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.theme.dark }} + - name: THEME_DARK_{{ $key | upper }} + value: {{ $value | quote }} + {{- end }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: /app/data + {{- if and .Values.tls.enabled .Values.tls.existingSecret }} + - name: tls-certs + mountPath: /app/certs + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "mealie.fullname" . }}-data + {{- else }} + emptyDir: {} + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.existingSecret }} + - name: tls-certs + secret: + secretName: {{ .Values.tls.existingSecret }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/charts/mealie/templates/ingress.yaml b/charts/mealie/templates/ingress.yaml new file mode 100644 index 0000000..6068503 --- /dev/null +++ b/charts/mealie/templates/ingress.yaml @@ -0,0 +1,43 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "mealie.fullname" . }} + labels: + {{- include "mealie.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + {{- if .secretName }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "mealie.fullname" $ }} + port: + number: {{ $.Values.service.port }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/mealie/templates/pvc.yaml b/charts/mealie/templates/pvc.yaml new file mode 100644 index 0000000..b214d9f --- /dev/null +++ b/charts/mealie/templates/pvc.yaml @@ -0,0 +1,21 @@ +{{- if .Values.persistence.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "mealie.fullname" . }}-data + labels: + {{- include "mealie.labels" . | nindent 4 }} + {{- with .Values.persistence.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/mealie/templates/service.yaml b/charts/mealie/templates/service.yaml new file mode 100644 index 0000000..cc0f66c --- /dev/null +++ b/charts/mealie/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mealie.fullname" . }} + labels: + {{- include "mealie.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "mealie.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/mealie/values.yaml b/charts/mealie/values.yaml new file mode 100644 index 0000000..fd27247 --- /dev/null +++ b/charts/mealie/values.yaml @@ -0,0 +1,259 @@ +## Global settings +nameOverride: "" +fullnameOverride: "" + +## Image settings +image: + repository: ghcr.io/mealie-recipes/mealie + tag: "v3.1.1" + pullPolicy: IfNotPresent + +## Deployment settings +replicaCount: 1 +revisionHistoryLimit: 3 + +# Pod security settings +podSecurityContext: + runAsNonRoot: false + runAsUser: 911 + fsGroup: 911 + +containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: + - ALL + +## Pod scheduling +nodeSelector: {} +tolerations: [] +affinity: {} + +## Service settings +service: + type: ClusterIP + port: 9000 + +## Ingress settings +ingress: + enabled: false + className: "" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + hosts: + - host: mealie.domain.com + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - mealie.domain.com + +## Persistence settings +persistence: + enabled: false + storageClass: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + +## Resource limits and requests +# resources: +# limits: +# cpu: 1000m +# memory: 1000Mi +# requests: +# cpu: 100m +# memory: 256Mi + +## Application health checks +probes: + liveness: + enabled: true + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + path: / + readiness: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + path: / + +## Autoscaling configuration +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + +## Environment variables +env: + # General Settings + PUID: "911" + PGID: "911" + DEFAULT_GROUP: "Home" + DEFAULT_HOUSEHOLD: "Family" + BASE_URL: "http://localhost:9000" + TOKEN_TIME: "48" + API_PORT: "9000" + API_DOCS: "true" + TZ: "UTC" + ALLOW_SIGNUP: "false" + ALLOW_PASSWORD_LOGIN: "true" + LOG_LEVEL: "info" + DAILY_SCHEDULE_TIME: "23:45" + + # Security + SECURITY_MAX_LOGIN_ATTEMPTS: "5" + SECURITY_USER_LOCKOUT_TIME: "24" + + # Database + DB_ENGINE: "postgres" # postgres or sqlite + + # Webworker + UVICORN_WORKERS: "1" + +# Extra environment variables (for advanced use cases) +extraEnv: [] + # - name: POSTGRES_USER + # value: "mealie" + # - name: POSTGRES_PASSWORD + # value: "mealie" + # - name: POSTGRES_SERVER + # value: "postgres" + # - name: POSTGRES_PORT + # value: "5432" + # - name: POSTGRES_DB + # value: "mealie" + +# Extra volume mounts +extraVolumeMounts: [] + +# Extra volumes +extraVolumes: [] + +## PostgreSQL configuration (when using external database) +postgresql: + enabled: false + # External PostgreSQL settings + external: + enabled: false + host: "" + port: 5432 + database: "mealie" + user: "mealie" + password: "" + # Use existing secret for database credentials + existingSecret: "" + userKey: "username" + passwordKey: "password" + +## SMTP Email configuration +email: + enabled: false + host: "" + port: 587 + fromName: "Mealie" + authStrategy: "TLS" # TLS, SSL, NONE + fromEmail: "" + user: "" + password: "" + # Use existing secret for SMTP credentials + existingSecret: "" + userKey: "smtp-user" + passwordKey: "smtp-password" + +## LDAP Authentication +ldap: + enabled: false + serverUrl: "" + tlsInsecure: false + tlsCaCertFile: "" + enableStartTls: false + baseDn: "" + queryBind: "" + queryPassword: "" + userFilter: "" + adminFilter: "" + idAttribute: "uid" + nameAttribute: "name" + mailAttribute: "mail" + # Use existing secret for LDAP credentials + existingSecret: "" + passwordKey: "ldap-password" + +## OpenID Connect (OIDC) +oidc: + enabled: false + signupEnabled: true + configurationUrl: "" + clientId: "" + clientSecret: "" + userGroup: "" + adminGroup: "" + autoRedirect: false + providerName: "OAuth" + rememberMe: false + signingAlgorithm: "RS256" + userClaim: "email" + nameClaim: "name" + groupsClaim: "groups" + scopesOverride: "" + tlsCaCertFile: "" + # Use existing secret for OIDC credentials + existingSecret: "" + clientIdKey: "oidc-client-id" + clientSecretKey: "oidc-client-secret" + +## OpenAI Integration +openai: + enabled: false + baseUrl: "" + apiKey: "" + model: "gpt-4o" + customHeaders: "" + customParams: "" + enableImageServices: true + workers: 2 + sendDatabaseData: true + requestTimeout: 60 + # Use existing secret for OpenAI API key + existingSecret: "" + apiKeyKey: "openai-api-key" + +## TLS Configuration +tls: + enabled: false + certificatePath: "" + privateKeyPath: "" + # Use existing secret for TLS certificates + existingSecret: "" + certificateKey: "tls.crt" + privateKeyKey: "tls.key" + +## Theming +theme: + light: + primary: "#E58325" + accent: "#007A99" + secondary: "#973542" + success: "#43A047" + info: "#1976D2" + warning: "#FF6D00" + error: "#EF5350" + dark: + primary: "#E58325" + accent: "#007A99" + secondary: "#973542" + success: "#43A047" + info: "#1976D2" + warning: "#FF6D00" + error: "#EF5350" \ No newline at end of file diff --git a/values.yaml b/values.yaml new file mode 100644 index 0000000..d607763 --- /dev/null +++ b/values.yaml @@ -0,0 +1,57 @@ +ingress: + enabled: true + className: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + hosts: + - host: mealie.tomik.lat + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - mealie.tomik.lat + +persistence: + enabled: true + storageClass: "longhorn" + accessMode: ReadWriteOnce + size: 3Gi + +postgresql: + enabled: true + # External PostgreSQL settings + external: + enabled: true + host: "postgres-cluster-pooler.dbs.svc.cluster.local" + port: 5432 + database: "mealie" + user: "mealie_user" + password: "7OemzeEtwYF1y7FyqRi6" + +## Environment variables +env: + # General Settings + PUID: "911" + PGID: "911" + DEFAULT_GROUP: "Home" + DEFAULT_HOUSEHOLD: "Family" + BASE_URL: "http://localhost:9000" + TOKEN_TIME: "48" + API_PORT: "9000" + API_DOCS: "true" + TZ: "UTC" + ALLOW_SIGNUP: "false" + ALLOW_PASSWORD_LOGIN: "true" + LOG_LEVEL: "info" + DAILY_SCHEDULE_TIME: "23:45" + + # Security + SECURITY_MAX_LOGIN_ATTEMPTS: "5" + SECURITY_USER_LOCKOUT_TIME: "24" + + # Database + DB_ENGINE: "postgres" + + # Webworker + UVICORN_WORKERS: "1" \ No newline at end of file