Gabriel Radureau
c0d5f2e144
The Dolibarr before-start step `chart/scripts/update_ownership.sql` (embedded
into a ConfigMap by `chart/templates/scripts-config.yaml`) hardcoded the
Postgres owner role `erp_role`. It reassigns ownership of all public-schema
objects to that role after install. For any non-prod environment the owner
role differs — by the multi-env elision rule (ADR-0002/0003) it is snake-case
`<app>_role` for prod and `<app>_<env>_role` for non-prod, so the sandbox owner
role is `erp_sandbox_role`. With the literal `erp_role`, installing Dolibarr in
`erp-sandbox` would reassign sandbox tables to prod's `erp_role`, which (a)
breaks the sandbox runtime (its dynamic DB creds are a member of
`erp_sandbox_role`, not `erp_role`) and (b) breaks the ADR-0003 reset
(`DROP OWNED BY erp_sandbox_role`).
Fix: make the owner role env-aware via a new chart value `db.ownerRole`.
- values.yaml: default `ownerRole: erp_role` (prod).
- values-sandbox.yaml: override `ownerRole: erp_sandbox_role`.
- update_ownership.sql: all `'erp_role'` literals → `'{{ .Values.db.ownerRole }}'`.
- scripts-config.yaml: render that one SQL file through `tpl` so the value is
substituted (the other script has no template vars and stays on `.Files.Get`).
The SQL's `$$`, `%I`, `format(...)`, `RAISE NOTICE` are not Go-template syntax,
so `tpl` only substitutes the added `{{ .Values.db.ownerRole }}`.
Verified: the prod ConfigMap render (values.yaml only) is byte-identical to
origin/main (empty diff, still `erp_role`); the sandbox render
(-f values.yaml -f values-sandbox.yaml) now contains `erp_sandbox_role` and no
bare `erp_role`; `helm lint` passes (no worse than origin/main).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
135 lines
4.0 KiB
YAML
135 lines
4.0 KiB
YAML
# Default values for erp.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
# ----------------------------------------------------------------------------
|
|
# Multi-environment coordinates (default = prod, elision rule applies).
|
|
# Override in values-<env>.yaml for any non-prod instance — see SKILL.md
|
|
# of the factory runbook (doc/runbooks/new-web-app/conventions.md).
|
|
# By the elision rule, env=prod produces names identical to single-env apps;
|
|
# env=sandbox produces "<app>-sandbox" everywhere except the Postgres owner
|
|
# role which uses snake-case "<app>_sandbox_role".
|
|
# ----------------------------------------------------------------------------
|
|
env: prod
|
|
instance: erp # derived id: env=prod → erp, else <app>-<env>
|
|
host: erp.arcodange.lab # internal hostname for this instance
|
|
|
|
db:
|
|
name: erp # PostgreSQL database name (matches factory tfvars)
|
|
ownerRole: erp_role # Postgres owner role; snake-case <app>_role for prod / <app>_<env>_role for non-prod (matches factory/postgres/iac)
|
|
|
|
vault:
|
|
k8sRole: erp # VaultAuth role (postgres/iac issues this per instance)
|
|
dynamicPath: creds/erp # path under postgres/ mount for short-lived DB creds
|
|
staticPath: erp/config # path under kvv2/ mount for the static admin config
|
|
|
|
replicaCount: 1
|
|
|
|
image:
|
|
repository: dolibarr/dolibarr
|
|
pullPolicy: IfNotPresent
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
tag: ""
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Automatically mount a ServiceAccount's API credentials?
|
|
automount: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
ingress:
|
|
enabled: true
|
|
className: ""
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
|
|
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
|
|
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: erp.arcodange.lab
|
|
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
|
|
hosts:
|
|
- host: erp.arcodange.lab
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - chart-example.local
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
# livenessProbe:
|
|
# exec:
|
|
# command: [timeout, '10', ls, /var/www/]
|
|
# initialDelaySeconds: 5
|
|
# periodSeconds: 5
|
|
|
|
# readinessProbe:
|
|
# httpGet:
|
|
# path: /
|
|
# port: http
|
|
|
|
autoscaling:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 100
|
|
targetCPUUtilizationPercentage: 80
|
|
# targetMemoryUtilizationPercentage: 80
|
|
|
|
# Additional volumes on the output Deployment definition.
|
|
volumes: []
|
|
# - name: foo
|
|
# secret:
|
|
# secretName: mysecret
|
|
# optional: false
|
|
|
|
# Additional volumeMounts on the output Deployment definition.
|
|
volumeMounts: []
|
|
# - name: foo
|
|
# mountPath: "/etc/foo"
|
|
# readOnly: true
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|