Merge branch 'CloudPirates-io:main' into main

Author: ixxeL2097

charts/keycloak/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 1.1.1
 - name: postgres
   repository: oci://registry-1.docker.io/cloudpirates
-  version: 0.6.1
+  version: 0.7.2
 - name: mariadb
   repository: oci://registry-1.docker.io/cloudpirates
-  version: 0.3.0
-digest: sha256:18c857c1e792fb60ef7577d542f549e8732fdcaf59caa47eb21bd75126ddc713
-generated: "2025-09-30T07:51:22.5152067+02:00"
+  version: 0.3.2
+digest: sha256:886649f9f78f7bf1f296dabcca5eb8cd0dbd9d0fdb540a327e6a299817fd4b53
+generated: "2025-10-07T21:13:04.453964+02:00"

charts/keycloak/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: keycloak
 description: Open Source Identity and Access Management Solution
 type: application
-version: 0.2.1
+version: 0.3.0
 appVersion: "26.3.4"
 keywords:
   - keycloak

charts/keycloak/README.md

@@ -114,15 +114,15 @@ The following table lists the configurable parameters of the Keycloak chart and
 
 ### Security
 
-| Parameter                                  | Description                                       | Default   |
-| ------------------------------------------ | ------------------------------------------------- | --------- |
-| `podSecurityContext.fsGroup`               | Group ID for the volumes of the pod               | `1001`    |
-| `securityContext.allowPrivilegeEscalation` | Enable container privilege escalation             | `false`   |
-| `securityContext.runAsNonRoot`             | Configure the container to run as a non-root user | `true`    |
-| `securityContext.runAsUser`                | User ID for the Keycloak container                | `1001`    |
-| `securityContext.runAsGroup`               | Group ID for the Keycloak container               | `1001`    |
-| `securityContext.readOnlyRootFilesystem`   | Mount container root filesystem as read-only      | `false`   |
-| `securityContext.capabilities.drop`        | Linux capabilities to be dropped                  | `["ALL"]` |
+| Parameter                                           | Description                                       | Default   |
+| --------------------------------------------------- | ------------------------------------------------- | --------- |
+| `podSecurityContext.fsGroup`                        | Group ID for the volumes of the pod               | `1001`    |
+| `containerSecurityContext.allowPrivilegeEscalation` | Enable container privilege escalation             | `false`   |
+| `containerSecurityContext.runAsNonRoot`             | Configure the container to run as a non-root user | `true`    |
+| `containerSecurityContext.runAsUser`                | User ID for the Keycloak container                | `1001`    |
+| `containerSecurityContext.runAsGroup`               | Group ID for the Keycloak container               | `1001`    |
+| `containerSecurityContext.readOnlyRootFilesystem`   | Mount container root filesystem as read-only      | `false`   |
+| `containerSecurityContext.capabilities.drop`        | Linux capabilities to be dropped                  | `["ALL"]` |
 
 ### Keycloak Configuration
 

charts/keycloak/templates/deployment.yaml

@@ -31,12 +31,10 @@ spec:
 {{- with (include "keycloak.imagePullSecrets" .) }}
 {{ . | nindent 6 }}
 {{- end }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      securityContext: {{ include "common.renderPodSecurityContext" . | nindent 8 }}
       initContainers:
         - name: copy-quarkus-lib
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ include "keycloak.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           command: ["sh", "-c", "cp -r /opt/keycloak/lib/quarkus/* /shared-quarkus/"]
@@ -45,10 +43,12 @@ spec:
               mountPath: /shared-quarkus
         {{- if .Values.postgres.enabled }}
         - name: wait-for-postgres
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ .Values.initContainers.waitForPostgres.image }}
           command: ["sh", "-c", "until pg_isready -h {{ .Release.Name }}-postgres -p 5432 -U postgres; do echo waiting for database; sleep 2; done;"]
         {{- else if .Values.mariadb.enabled }}
         - name: wait-for-mariadb
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ .Values.initContainers.waitForMariadb.image }}
           command: ["sh", "-c", "until mysqladmin ping -h {{ .Release.Name }}-mariadb -P 3306 --silent; do echo waiting for database; sleep 2; done;"]
         {{- end }}
@@ -57,8 +57,7 @@ spec:
         {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ include "keycloak.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           command:

charts/keycloak/values.schema.json

@@ -103,7 +103,7 @@
         }
       }
     },
-    "securityContext": {
+    "containerSecurityContext": {
       "type": "object",
       "properties": {
         "allowPrivilegeEscalation": {

charts/keycloak/values.yaml

@@ -59,18 +59,18 @@ podSecurityContext:
   ## @param podSecurityContext.fsGroup Group ID for the volumes of the pod
   fsGroup: 1001
 
-securityContext:
-  ## @param securityContext.allowPrivilegeEscalation Enable container privilege escalation
+containerSecurityContext:
+  ## @param containerSecurityContext.allowPrivilegeEscalation Enable container privilege escalation
   allowPrivilegeEscalation: false
-  ## @param securityContext.runAsNonRoot Configure the container to run as a non-root user
+  ## @param containerSecurityContext.runAsNonRoot Configure the container to run as a non-root user
   runAsNonRoot: true
-  ## @param securityContext.runAsUser User ID for the Keycloak container
+  ## @param containerSecurityContext.runAsUser User ID for the Keycloak container
   runAsUser: 1001
-  ## @param securityContext.runAsGroup Group ID for the Keycloak container
+  ## @param containerSecurityContext.runAsGroup Group ID for the Keycloak container
   runAsGroup: 1001
-  ## @param securityContext.readOnlyRootFilesystem Mount container root filesystem as read-only
+  ## @param containerSecurityContext.readOnlyRootFilesystem Mount container root filesystem as read-only
   readOnlyRootFilesystem: false
-  ## @param securityContext.capabilities.drop Linux capabilities to be dropped
+  ## @param containerSecurityContext.capabilities.drop Linux capabilities to be dropped
   capabilities:
     drop:
       - ALL

charts/nginx/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: nginx
 description: Nginx is a high-performance HTTP server and reverse proxy.
 type: application
-version: 0.1.11
+version: 0.1.12
 appVersion: "1.29.1"
 keywords:
   - nginx

charts/nginx/README.md

@@ -306,6 +306,46 @@ readinessProbe:
 | `ingress.tls`         | TLS configuration for the Ingress                                             | `[]`                                                                                            |
 
 
+### Metrics Parameters
+
+| Parameter                       | Description                                                        | Default   |
+|----------------------------------|--------------------------------------------------------------------|-----------|
+| `metrics.enabled`                | Start a sidecar Prometheus exporter to expose Nginx metrics        | `false`   |
+| `metrics.image.registry`         | Nginx exporter image registry                                      | `docker.io` |
+| `metrics.image.repository`       | Nginx exporter image repository                                    | `nginx/nginx-prometheus-exporter` |
+| `metrics.image.tag`              | Nginx exporter image tag                                           | `"1.4@sha256:..."` |
+| `metrics.image.pullPolicy`       | Nginx exporter image pull policy                                   | `Always`  |
+| `metrics.resources.limits.memory`| Memory limit for metrics container                                 | `64Mi`    |
+| `metrics.resources.requests.cpu` | CPU request for metrics container                                  | `50m`     |
+| `metrics.resources.requests.memory`| Memory request for metrics container                              | `64Mi`    |
+| `metrics.extraArgs`              | Extra arguments for nginx exporter                                 | `[]`      |
+| `metrics.service.type`           | Metrics service type                                               | `ClusterIP` |
+| `metrics.service.port`           | Metrics service port                                               | `9113`    |
+| `metrics.service.annotations`    | Additional custom annotations for Metrics service                  | `{}`      |
+| `metrics.service.loadBalancerIP` | Load balancer IP if metrics service type is `LoadBalancer`         | `""`      |
+| `metrics.service.loadBalancerSourceRanges` | Allowed addresses for LoadBalancer metrics service         | `[]`      |
+| `metrics.service.clusterIP`      | Static clusterIP or None for headless metrics service              | `""`      |
+| `metrics.service.nodePort`       | NodePort value for LoadBalancer/NodePort metrics service types     | `""`      |
+| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for PrometheusOperator           | `false`   |
+| `metrics.serviceMonitor.namespace`| Namespace for ServiceMonitor resource(s)                          | `""`      |
+| `metrics.serviceMonitor.interval`| Interval for scraping metrics                                      | `30s`     |
+| `metrics.serviceMonitor.scrapeTimeout`| Timeout for scraping metrics                                 | `""`      |
+| `metrics.serviceMonitor.relabelings`| Additional relabeling of metrics                              | `[]`      |
+| `metrics.serviceMonitor.metricRelabelings`| Additional metric relabeling of metrics                    | `[]`      |
+| `metrics.serviceMonitor.honorLabels`| Honor metrics labels                                         | `false`   |
+| `metrics.serviceMonitor.selector`| Prometheus instance selector labels                               | `{}`      |
+| `metrics.serviceMonitor.annotations`| Additional annotations for ServiceMonitor                     | `{}`      |
+| `metrics.serviceMonitor.namespaceSelector`| Namespace selector for ServiceMonitor                      | `{}`      |
+
+**Note:**  
+To enable metrics, set `metrics.enabled: true` and ensure your Nginx configuration includes a stub status endpoint, e.g.:
+```nginx
+location /stub_status {
+  stub_status on;
+}
+```
+
+
 ### Extra Configuration Parameters
 
 | Parameter           | Description                                                                         | Default |

charts/nginx/templates/_helpers.tpl

@@ -97,4 +97,11 @@ Return the custom NGINX stream server config configmap.
 {{- else -}}
     {{- include "common.fullname" . -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Nginx metrics image name
+*/}}
+{{- define "nginx.metrics.image" -}}
+{{- include "common.image" (dict "image" .Values.metrics.image "global" .Values.global) -}}
+{{- end }}

charts/nginx/templates/deployment.yaml

@@ -202,6 +202,49 @@ spec:
             {{- toYaml .Values.cloneStaticSiteFromGit.extraVolumeMounts | nindent 12 }}
             {{- end }}
         {{- end }}
+        {{- if .Values.metrics.enabled }}
+        - name: metrics
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
+          image: {{ include "nginx.metrics.image" . | quote }}
+          imagePullPolicy: {{ include "common.imagePullPolicy" (dict "image" .Values.metrics.image) }}
+          command:
+            - nginx-prometheus-exporter
+            - --nginx.scrape-uri=http://localhost:8080/stub_status
+            {{- range .Values.metrics.extraArgs }}
+            - {{ . }}
+            {{- end }}
+          args:
+            {{- if .Values.metrics.extraArgs }}
+            {{- range .Values.metrics.extraArgs }}
+            {{- if not (hasPrefix "--" .) }}
+            - {{ . }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+          ports:
+            - name: metrics
+              containerPort: 9113
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: metrics
+            initialDelaySeconds: 15
+            periodSeconds: 15
+            timeoutSeconds: 5
+            failureThreshold: 3
+            successThreshold: 1
+          readinessProbe:
+            httpGet:
+              path: /
+              port: metrics
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+        {{- end }}
       volumes:
         - name: emptydir
           emptyDir: {}