Move the MySQL DB into its own chart
The gerrit-master and gerrit-slave charts could be used to install
a MySQL database as a dependency to provide a relational database to
contain the ReviewDB. For Gerrit 2.16 a H2-database is usually
sufficient to store values remaining in the schema of the ReviewDB,
since they do not change during runtime. In the upcoming Gerrit releases
the ReviewDB will be completely discontinued. Since most people won't
start to use this charts with an older version of Gerrit, it didn't
make sense to unnecessarily inflate the charts to support old
Gerrit versions.
This change removes the MySQL-database related parts from the
gerrit-master and gerrit-slave charts. To still allow an easy
installation of older Gerrit-versions, the MySQL-related parts were
moved into their own chart, called 'reviewdb', which can be installed
separately, and which works otherwise as before.
Change-Id: I9b4a1955dd645fe72c1d03bf3ecd9407622c0b1d
diff --git a/helm-charts/gerrit-master/.helmignore b/helm-charts/gerrit-master/.helmignore
index 4a00615..4f4562f 100644
--- a/helm-charts/gerrit-master/.helmignore
+++ b/helm-charts/gerrit-master/.helmignore
@@ -1,4 +1,3 @@
-
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
@@ -22,4 +21,4 @@
*.tmproj
docs/
-supplements/
\ No newline at end of file
+supplements/
diff --git a/helm-charts/gerrit-master/README.md b/helm-charts/gerrit-master/README.md
index 79b84e1..e32e209 100644
--- a/helm-charts/gerrit-master/README.md
+++ b/helm-charts/gerrit-master/README.md
@@ -2,8 +2,7 @@
Gerrit is a web-based code review tool, which acts as a Git server. This helm
chart provides a Gerrit setup that can be deployed on Kubernetes.
-The chart can deploy its own database (Currently on MySQL databases are supported)
-and provides a CronJob to perform Git garbage collection.
+In addition, the chart provides a CronJob to perform Git garbage collection.
## Prerequisites
@@ -31,6 +30,11 @@
A [Java keystore](https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#httpd.sslKeyStore)
to be used by Gerrit.
+- (Optional: Required, for Gerrit versions lower than 2.16)
+ A relational database to contain the ReviewDB, e.g. as provided by the
+ [reviewdb chart](/helm-charts/reviewdb). With Gerrit 2.16 an embedded H2-
+ database is usually enough, since the data is not changed during runtime.
+
## Installing the Chart
***note
@@ -44,7 +48,6 @@
```sh
cd $(git rev-parse --show-toplevel)/helm-charts
helm install ./gerrit-master \
- --dep-up \
-n gerrit-master \
-f <path-to-custom-values>.yaml
```
@@ -65,7 +68,6 @@
```sh
cd $(git rev-parse --show-toplevel)/helm-charts
helm install ./gerrit-master \
- --dep-up \
-n gerrit-master \
--set=gitRepositoryStorage.size=100Gi
```
@@ -119,28 +121,6 @@
| `gitGC.logging.persistence.enabled` | Whether to persist logs | `true` |
| `gitGC.logging.persistence.size` | Storage size for persisted logs | `1Gi` |
-### Database
-
-Gerrit requires a database containing the user data. Currently, this chart provides
-the possibility to install a MySQL database for this purpose or to use a H2 database.
-Other databases may be installed manually, if wanted.
-
-H2 does not require special configuration. It just has to be configured
-in the `gerrit.config`. Also persistence for the database-directory should be
-enabled.
-
-***note
-In general, H2-databases should not be used in production with Gerrit versions <=
-2.15. With Gerrit 2.16 the data stored in the database does not change at runtime,
-thus a H2 database can be safely used.
-***
-
-Since the configuration of the other databases is different depending on the database
-provider used, the configuration is described in separate documents (other
-databases may be added in future):
-
-- [MySQL](/helm-charts/gerrit-master/docs/mysql.md)
-
### Gerrit
***note
@@ -211,10 +191,8 @@
- `database.*`
- The default settings are configured to use the MySQL-database installed as a
- dependency and if the chart is installed with the release name set to
- `gerrit-master`. Only change this, if you decide to use a different database or
- changed the default settings for the mysql-chart.
+ If the database is installed in the same Kubernetes cluster, the name of the
+ service exposing the database deployment may be used as a hostname.
With newer versions of the MySQL-driver used by Gerrit, using SSL-encrypted
communication with the database is enforced by default. This can be deactivated
diff --git a/helm-charts/gerrit-master/docs/mysql.md b/helm-charts/gerrit-master/docs/mysql.md
deleted file mode 100644
index 5c244db..0000000
--- a/helm-charts/gerrit-master/docs/mysql.md
+++ /dev/null
@@ -1,112 +0,0 @@
-# Configuring the MySQL-database
-
-To install a MySQL database with the gerrit-master chart, set `mysql.enabled`to
-true in the `values.yaml`. This will then install the
-[mysql chart](https://github.com/helm/charts/tree/master/stable/mysql)
-onto the Kubernetes cluster as a dependency.
-
-## Create certificates for SSL-encrypted communication
-
-For SSL-encrypted communication, a set of certificates is needed. Use the
-following commands to create them after adjusting the subject strings:
-
-```sh
-openssl genrsa -out ./ca.key.pem 4096
-
-openssl req \
- -key ./ca.key.pem \
- -new \
- -x509 \
- -days 7300 \
- -sha256 \
- -out ./ca.cert.pem \
- -subj "/C=DE/O=Gerrit/CN=gerrit-db-master" \
- -nodes
-
-openssl genrsa -out ./master.key.pem 4096
-
-openssl req \
- -key ./master.key.pem \
- -new \
- -sha256 \
- -out ./master.csr.pem \
- -subj "/C=DE/O=Gerrit/CN=gerrit-db-master" \
- -nodes
-
-openssl x509 \
- -req \
- -CA ./ca.cert.pem \
- -CAkey ./ca.key.pem \
- -CAcreateserial \
- -in ./master.csr.pem \
- -out ./master.cert.pem
-```
-
-## Configuration
-
-### mysql-chart
-
-The configuration of the database is done in the `values.yaml`of the gerrit-master
-chart under the `mysql`-key. The complete list of options for the mysql-chart can
-be viewed in the chart's [documentation](https://github.com/helm/charts/blob/master/stable/mysql/README.md).
-The options referenced in the gerrit-master chart's `values.yaml` are listed here:
-
-| Parameter | Description | Default |
-|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
-| `mysql.enabled` | Whether to install the MySQL database | `true` |
-| `mysql.image` | Which container image containing MySQL to use | `mysql` |
-| `mysql.imageTag` | Tag of container image (usually the database version) | `5.5.61` |
-| `mysql.mysqlRootPassword` | Password of the database `root` user | `big_secret` |
-| `mysql.mysqlUser` | Database user (The technical user used by Gerrit) | `gerrit` |
-| `mysql.mysqlPassword` | Password of the database user | `secret` |
-| `mysql.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `30` |
-| `mysql.livenessProbe.periodSeconds` | How often to perform the probe | `10` |
-| `mysql.livenessProbe.timeoutSeconds` | When the probe times out | `5` |
-| `mysql.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `mysql.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `mysql.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `5` |
-| `mysql.readinessProbe.periodSeconds` | How often to perform the probe | `10` |
-| `mysql.readinessProbe.timeoutSeconds` | When the probe times out | `1` |
-| `mysql.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
-| `mysql.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
-| `mysql.persistence.enabled` | Create a volume to store data | `true` |
-| `mysql.persistence.size` | Size of persistent volume claim | `8Gi` |
-| `mysql.persistence.storageClass` | Type of persistent volume claim | `default` |
-| `mysql.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
-| `mysql.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 250m` |
-| | | `requests.memory: 1Gi` |
-| | | `limits.cpu: 250m` |
-| | | `limits.memory: 1Gi` |
-| `mysql.configurationFiles` | Add configuration files for MySQL | `mysql.cnf` (check the [mysql.cnf-section](#mysql.cnf) for configuration options) |
-| `mysql.initializationFiles` | Add scripts that are executed, when the database is started the first time | `initialize_reviewdb.sql` (Should not be changed) |
-| `mysql.service.type` | Type of the Service used to expose the database | `NodePort` |
-| `mysql.service.port` | The port used to expose the database | `3306` |
-| `ssl.enabled` | Setup and use SSL for MySQL connections | `false` |
-| `ssl.secret` | Name of the secret containing the SSL certificates | master-ssl-certs |
-| `ssl.certificates[0].name` | Name of the secret containing the SSL certificates | master-ssl-certs |
-| `ssl.certificates[0].ca` | CA certificate (if using replication use the CA created [peviously](#Create-certificates-for-SSL-encrypted-communication)) | `-----BEGIN CERTIFICATE-----` |
-| `ssl.certificates[0].cert` | Server certificate (public key) (if using replication use the certificate created [peviously](#Create-certificates-for-SSL-encrypted-communication)) | `-----BEGIN CERTIFICATE-----` |
-| `ssl.certificates[0].key` | Server key (private key) (if using replication use the key created [peviously](#Create-certificates-for-SSL-encrypted-communication)) | `-----BEGIN RSA PRIVATE KEY-----` |
-
-### mysql.cnf
-
-The configuration file for the MySQL-server is provided under the key
-`mysql.configurationsFiles.mysql.cnf`. The provided values provide necessary
-configuration to receive replicated databases from the master database.
-
-Some options should be adapted to the respective setup:
-
-| Parameter | Description | Default |
-|-----------------|----------------------------------------------------------|-------------|
-| `log_bin` | Name of transaction logs (used for database replication) | `mysql-bin` |
-| `binlog_format` | Format of the binlogs (Has to be the same as on master) | `row` |
-| `server-id` | ID unique in the MySQL setup | `42` |
-
-In addition, if using SSL for MySQL-requests the following options have to be made
-available by uncommenting them. The values must not be changed, when using the chart:
-
-```sh
-ssl-ca=/ssl/ca.pem
-ssl-cert=/ssl/server-cert.pem
-ssl-key=/ssl/server-key.pem
-```
diff --git a/helm-charts/gerrit-master/requirements.yaml b/helm-charts/gerrit-master/requirements.yaml
deleted file mode 100644
index c0b68f3..0000000
--- a/helm-charts/gerrit-master/requirements.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-dependencies:
-- name: mysql
- version: 0.10.1
- repository: https://kubernetes-charts.storage.googleapis.com/
- condition: mysql.enabled
\ No newline at end of file
diff --git a/helm-charts/gerrit-master/values.yaml b/helm-charts/gerrit-master/values.yaml
index 1940dd0..a3265a0 100644
--- a/helm-charts/gerrit-master/values.yaml
+++ b/helm-charts/gerrit-master/values.yaml
@@ -132,14 +132,15 @@
disableReverseDnsLookup = true
[database]
type = mysql
- # 'gerrit-master-mysql' is the reference to the service that manages
- # the traffic to the mysql database, if the mysql-database is installed
- # via the gerrit-master chart
- hostname = gerrit-master-mysql
+ # The name of a Kubernetes service managing the connection to a pod
+ # running the database can be used as a hostname. E.g. if the reviewdb-
+ # chart is used and installed with the name 'db-master', the service
+ # will be named db-master-mysql.
+ hostname = db-master-mysql
port = 3306
database = reviewdb
- # To switch of enforced SSL-encrypted communication uncomment:
- # url = jdbc:mysql://gerrit-slave-mysql:3306/reviewdb?nullNamePatternMatchesAll=true&useSSL=false
+ # To switch off enforced SSL-encrypted communication uncomment:
+ # url = jdbc:mysql://db-master-mysql:3306/reviewdb?nullNamePatternMatchesAll=true&useSSL=false
[index]
type = LUCENE
[auth]
@@ -193,98 +194,3 @@
# url = http://gerrit-slave.example.com/git/${name}.git
# replicationDelay = 0
# timeout = 30
-
-
-mysql:
- # Enabling the installation of the MySQL database will only make sense, if
- # `mysql` is chosen as a provider under `database.provider`.
- enabled: true
-
- image: mysql
- # The major.minor version of mysql should be the same as for the master database
- imageTag: 5.5.61
-
- mysqlRootPassword: big_secret
- mysqlUser: gerrit
- mysqlPassword: secret
-
- livenessProbe:
- initialDelaySeconds: 30
- periodSeconds: 10
- timeoutSeconds: 5
- successThreshold: 1
- failureThreshold: 3
-
- readinessProbe:
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
-
- persistence:
- enabled: true
- storageClass: default
- accessMode: ReadWriteOnce
- size: 8Gi
-
- resources:
- requests:
- cpu: 250m
- memory: 1Gi
- limits:
- cpu: 250m
- memory: 1Gi
-
- configurationFiles:
- mysql.cnf: |-
- [mysqld]
-
- # Adapt the following changes to your setup
- ###########################################
-
- # Name of transaction logs (used for database replication)
- log_bin=mysql-bin
-
- # Adapt to the binlog format of the Gerrit master's database
- binlog_format=row
-
- # Has to be different for each database in the replication setup.
- server-id=1
-
- # Add the following options to the config, if using SSL (`mysql.ssl.enabled: true`)
- # But do not change the values.
- # ssl-ca=/ssl/ca.pem
- # ssl-cert=/ssl/server-cert.pem
- # ssl-key=/ssl/server-key.pem
-
- initializationFiles:
- # Do not change or remove this script.
- initialize_reviewdb.sql: |-
- CREATE DATABASE reviewdb DEFAULT CHARACTER SET 'utf8';
- GRANT ALL ON reviewdb.* TO 'gerrit';
- FLUSH PRIVILEGES;
-
- service:
- type: NodePort
- port: 3306
-
- ssl:
- # If enabled, add the required lines to the configuration as described in
- # `mysql.configurationFiles.mysql.cnf`
- enabled: false
- secret: master-ssl-certs
- certificates:
- - name: master-ssl-certs
- ca: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- cert: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- key: |-
- -----BEGIN RSA PRIVATE KEY-----
-
- -----END RSA PRIVATE KEY-----
diff --git a/helm-charts/gerrit-slave/.helmignore b/helm-charts/gerrit-slave/.helmignore
index 4a00615..4f4562f 100644
--- a/helm-charts/gerrit-slave/.helmignore
+++ b/helm-charts/gerrit-slave/.helmignore
@@ -1,4 +1,3 @@
-
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
@@ -22,4 +21,4 @@
*.tmproj
docs/
-supplements/
\ No newline at end of file
+supplements/
diff --git a/helm-charts/gerrit-slave/README.md b/helm-charts/gerrit-slave/README.md
index 5c70746..72e0cdb 100644
--- a/helm-charts/gerrit-slave/README.md
+++ b/helm-charts/gerrit-slave/README.md
@@ -8,9 +8,7 @@
This helm chart provides a Gerrit slave setup that can be deployed on Kubernetes.
The Gerrit slave is capable of receiving replicated git repositories from a
-Gerrit master. The slave can deploy its own database, that replicates the data
-from the Gerrit master's database (Currently only MySQL databases are supported).
-The Gerrit slave can then serve authenticated read-only requests.
+Gerrit master. The Gerrit slave can then serve authenticated read-only requests.
## Prerequisites
@@ -38,6 +36,11 @@
A [Java keystore](https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#httpd.sslKeyStore)
to be used by Gerrit.
+- (Optional: Required, for Gerrit versions lower than 2.16)
+ A relational database to contain the ReviewDB, e.g. as provided by the
+ [reviewdb chart](/helm-charts/reviewdb). With Gerrit 2.16 an embedded H2-
+ database is usually enough, since the data is not changed during runtime.
+
## Installing the Chart
***note
@@ -51,7 +54,6 @@
```sh
cd $(git rev-parse --show-toplevel)/helm-charts
helm install ./gerrit-slave \
- --dep-up \
-n gerrit-slave \
-f <path-to-custom-values>.yaml
```
@@ -72,7 +74,6 @@
```sh
cd $(git rev-parse --show-toplevel)/helm-charts
helm install ./gerrit-slave \
- --dep-up \
-n gerrit-slave \
--set=gitRepositoryStorage.size=100Gi,gitBackend.replicas=2
```
@@ -157,42 +158,6 @@
| `gitGC.logging.persistence.enabled` | Whether to persist logs | `true` |
| `gitGC.logging.persistence.size` | Storage size for persisted logs | `1Gi` |
-### Database
-
-The Gerrit slave requires a database containing the user data associated with the
-replicated Git repositories, which is implemented as a database slave containing
-the replicated data of the master database.
-
-***note
-Future implementations will provide the possibility to bring custom databases
-from different providers, but so far the setup expects to setup its own MySQL or
-H2 database.
-***
-
-| Parameter | Description | Default |
-|--------------------------------|-------------------------------------------------------------------------------|---------|
-| `database.provider` | Database type/provider to be used (Available: mysql, h2) | `mysql` |
-| `database.replication.enabled` | Whether to initialize replication from master database (not available for h2) | `true` |
-
-H2 databases do not require special configuration. It just has to be configured
-in the `gerrit.config`. Also persistence for the database-directory should be
-enabled.
-
-***note
-In general, H2-databases should not be used in production with Gerrit versions <=
-2.15. This chart does not provide replication for H2 databases, thus changes
-to the database at runtime will not be replicated. With Gerrit 2.16 the data
-stored in the database does not change at runtime, thus a H2 database can be
-safely used.
-***
-
-The usual way to provide a database other than H2 is meant to deploy it as a
-dependency of this chart. Since the configuration of the database is different
-depending on the database provider used, the configuration is described in
-separate documents:
-
-- [MySQL](/helm-charts/gerrit-slave/docs/mysql.md)
-
### Gerrit slave
***note
@@ -262,10 +227,8 @@
- `database.*`
- The default settings are configured to use the MySQL-database installed as a
- dependency and if the chart is installed with the release name set to
- `gerrit-slave`. Only change this, if you decide to use a different database or
- changed the default settings for the mysql-chart.
+ If the database is installed in the same Kubernetes cluster, the name of the
+ service exposing the database deployment may be used as a hostname.
With newer versions of the MySQL-driver used by Gerrit, using SSL-encrypted
communication with the database is enforced by default. This can be deactivated
diff --git a/helm-charts/gerrit-slave/templates/NOTES.txt b/helm-charts/gerrit-slave/templates/NOTES.txt
index 56da857..c128fb8 100644
--- a/helm-charts/gerrit-slave/templates/NOTES.txt
+++ b/helm-charts/gerrit-slave/templates/NOTES.txt
@@ -23,26 +23,6 @@
https://gerrit.googlesource.com/plugins/replication/+doc/master/src/main/resources/Documentation/config.md
-
-{{ if .Values.mysql.enabled -}}
-A mysql database has been deployed and configured to work with the Gerrit slave.
-Note, that the database is not yet initialized with the scheme expected by Gerrit.
-Either use database replication or run the Gerrit-slave in test-mode to create
-the expected schemas.
-{{- end }}
-
-{{ if .Values.database.replication.enabled -}}
-The components to initialize database replication have been deployed. To start
-initialization the Job needs a database dump containing the master's data. Use
-the following command to make the database dump available to the job:
-
- JOB_POD=$(kubectl get pod -l app=replication-init -o jsonpath="{.items[0].metadata.name}")
- kubectl cp <PATH_TO_DUMP> ${JOB_POD}:{{ .Values.database.replication.mysql.dbDumpAcceptPath }}
-
-Depending on the size of the database the initialization will take a while. When
-finished the job will shut down.
-{{- end }}
-
The Gerrit slave is starting up.
{{ if .Values.gerritSlave.initializeTestSite.enabled -}}
diff --git a/helm-charts/gerrit-slave/values.yaml b/helm-charts/gerrit-slave/values.yaml
index 54f13c0..96f3d93 100644
--- a/helm-charts/gerrit-slave/values.yaml
+++ b/helm-charts/gerrit-slave/values.yaml
@@ -46,26 +46,6 @@
size: 5Gi
-database:
- provider: mysql
-
- # Only applies to databases set up by this chart (currently available: MySQL)
- replication:
- enabled: false
- image: k8sgerrit/mysql-replication-init
-
- # The following section is specific for replication of MySQL databases
- mysql:
- config:
- masterHost: mysql.example.com
- masterPort: 3306
- masterUser: repl
- masterPassword: password
- masterLogFile: mysql-bin.000001
- masterLogPos: 111
- dbDumpAcceptPath: /var/data/db/master_dump.sql
-
-
gitBackend:
image: k8sgerrit/apache-git-http-backend
@@ -222,14 +202,15 @@
disableReverseDnsLookup = true
[database]
type = mysql
- # 'gerrit-slave-mysql' is the reference to the service that managaes
- # the traffic to the mysql database, if the mysql-database is installed
- # via the gerrit-slave chart
- hostname = gerrit-slave-mysql
+ # The name of a Kubernetes service managing the connection to a pod
+ # running the database can be used as a hostname. E.g. if the reviewdb-
+ # chart is used and installed with the name 'db-slave', the service
+ # will be named db-slave-mysql.
+ hostname = db-slave-mysql
port = 3306
database = reviewdb
- # To switch of enforced SSL-encrypted communication uncomment:
- # url = jdbc:mysql://gerrit-slave-mysql:3306/reviewdb?nullNamePatternMatchesAll=true&useSSL=false
+ # To switch off enforced SSL-encrypted communication uncomment:
+ # url = jdbc:mysql://db-slave-mysql:3306/reviewdb?nullNamePatternMatchesAll=true&useSSL=false
[index]
type = LUCENE
[auth]
@@ -268,120 +249,3 @@
# Only needed, if SSL is enabled.
#[httpd]
# sslKeyPassword = gerrit
-
-
-mysql:
- # Enabling the installation of the MySQL database will only make sense, if
- # `mysql` is chosen as a provider under `database.provider`.
- enabled: true
-
- image: mysql
- # The major.minor version of mysql should be the same as for the master database
- imageTag: 5.5.61
-
- mysqlRootPassword: big_secret
- mysqlUser: gerrit
- mysqlPassword: secret
-
- livenessProbe:
- initialDelaySeconds: 30
- periodSeconds: 10
- timeoutSeconds: 5
- successThreshold: 1
- failureThreshold: 3
-
- readinessProbe:
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
-
- persistence:
- enabled: true
- storageClass: default
- accessMode: ReadWriteOnce
- size: 8Gi
-
- resources:
- requests:
- cpu: 250m
- memory: 1Gi
- limits:
- cpu: 250m
- memory: 1Gi
-
- configurationFiles:
- mysql.cnf: |-
- [mysqld]
-
- # The following options should not be changed
- #############################################
-
- log-bin=/var/lib/mysql/bin.log
- log-bin-index=/var/lib/mysql/log-bin.index
- log-error=/var/lib/mysql/error.log
-
- relay-log=/var/lib/mysql/relay.log
- relay-log-info-file=/var/lib/mysql/relay-log.info
- relay-log-index=/var/lib/mysql/relay-log.index
-
- log-error=/var/lib/mysql/error.log
- log_slave_updates = 1
-
- sql_mode="ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
-
- # Adapt the following changes to your setup
- ###########################################
-
- # Should usually set to '1', when running in production. When running the
- # Gerrit slave in test mode, it has to be set to '0' to be able to initialize
- # the reviewDB
- read_only=0
-
- # The mysql database should not be replicated to avoid to overwrite user data
- # of the database
- replicate-ignore-db=mysql
-
- # Adapt to the binlog format of the Gerrit master's database
- binlog_format=row
-
- # Has to be different for each database in the replication setup.
- server-id=42
-
- # Add the following options to the config, if using SSL (`mysql.ssl.enabled: true`)
- # But do not change the values.
- # ssl-ca=/ssl/ca.pem
- # ssl-cert=/ssl/server-cert.pem
- # ssl-key=/ssl/server-key.pem
-
- initializationFiles:
- # Do not change or remove this script.
- initialize_reviewdb.sql: |-
- CREATE DATABASE reviewdb DEFAULT CHARACTER SET 'utf8';
- GRANT ALL ON reviewdb.* TO 'gerrit';
- FLUSH PRIVILEGES;
-
- service:
- type: NodePort
- port: 3306
-
- ssl:
- # If enabled, add the required lines to the configuration as described in
- # `mysql.configurationFiles.mysql.cnf`
- enabled: false
- secret: slave-ssl-certs
- certificates:
- - name: slave-ssl-certs
- ca: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- cert: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- key: |-
- -----BEGIN RSA PRIVATE KEY-----
-
- -----END RSA PRIVATE KEY-----
diff --git a/helm-charts/reviewdb/.helmignore b/helm-charts/reviewdb/.helmignore
new file mode 100644
index 0000000..4f4562f
--- /dev/null
+++ b/helm-charts/reviewdb/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+docs/
+supplements/
diff --git a/helm-charts/reviewdb/Chart.yaml b/helm-charts/reviewdb/Chart.yaml
new file mode 100644
index 0000000..34eb33f
--- /dev/null
+++ b/helm-charts/reviewdb/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+appVersion: 2.16
+description: |-
+ This chart provisions a database to be used with a Gerrit master or Gerrit
+ slave setup, if the Gerrit version is lower than 2.16. This database is
+ needed to store userdata.
+
+ Note, that with the upcoming Gerrit release the reviewdb-database will be
+ fully migrated to notedb and this chart is not required to run the gerrit-
+ master and gerrit-slave charts.
+name: reviewdb
+version: 0.1.0
+maintainers:
+- name: Thomas Draebing
+ email: thomas.draebing@sap.com
+- name: Matthias Sohn
+ email: matthias.sohn@sap.com
+- name: Sasa Zivkov
+ email: sasa.zivkov@sap.com
+- name: Christian Halstrick
+ email: christian.halstrick@sap.com
+home: https://gerrit.googlesource.com/k8s-gerrit/+/master/helm-charts/review-db
+icon: http://commondatastorage.googleapis.com/gerrit-static/diffy-w200.png
+sources:
+- https://gerrit.googlesource.com/k8s-gerrit/+/master/
+keywords:
+- gerrit
+- git
+- reviewdb
diff --git a/helm-charts/reviewdb/LICENSE b/helm-charts/reviewdb/LICENSE
new file mode 100644
index 0000000..028fc9f
--- /dev/null
+++ b/helm-charts/reviewdb/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/helm-charts/reviewdb/README.md b/helm-charts/reviewdb/README.md
new file mode 100644
index 0000000..d04a6b9
--- /dev/null
+++ b/helm-charts/reviewdb/README.md
@@ -0,0 +1,326 @@
+# A ReviewDB for Gerrit on Kubernetes
+
+Gerrit requires a database to store user and change data. The database is commonly
+called ReviewDB. Gerrit provides a set of options, which database technology to
+use. This chart is meant to install a database and initialize it, so it can be
+used as a ReviewDB for Gerrit-master and -slave setups installed with the
+respective charts. Currently, the following databases sre supported by this chart:
+
+- MySQL
+
+***note
+The gerrit-master and gerrit-slave charts also support H2, but since H2-databases
+do not require a separate server, this chart is not required in that case.
+***
+
+***note
+With upcoming versions of Gerrit, the ReviewDB will be completely migrated to
+NoteDB, removing the dependency on a external relational database.
+***
+
+## Installation
+
+To install a MySQL database with the reviewdb chart, set `mysql.enabled`to
+true in the `values.yaml`. This will then install the
+[mysql chart](https://github.com/helm/charts/tree/master/stable/mysql)
+onto the Kubernetes cluster as a dependency.
+
+To install the chart with the release name `reviewdb`, execute:
+
+```sh
+cd $(git rev-parse --show-toplevel)/helm-charts
+helm install ./reviewdb \
+ --dep-up \
+ -n reviewdb \
+ -f <path-to-custom-values>.yaml
+```
+
+## Configuration
+
+### Common
+
+#### Container images
+
+| Parameter | Description | Default |
+|--------------------------------------------|------------------------------------------------------|----------------------------------------------------------------------|
+| `images.registry.name` | The image registry to pull the container images from | `` |
+| `images.registry.ImagePullSecret.name` | Name of the ImagePullSecret | `image-pull-secret` (if empty no image pull secret will be deployed) |
+| `images.registry.ImagePullSecret.create` | Whether to create an ImagePullSecret | `false` |
+| `images.registry.ImagePullSecret.username` | The image registry username | `nil` |
+| `images.registry.ImagePullSecret.password` | The image registry password | `nil` |
+| `images.version` | The image version (image tag) to use | `latest` |
+| `images.imagePullPolicy` | Image pull policy | `Always` |
+
+#### Storage classes
+
+For information of how a `StorageClass` is configured in Kubernetes, read the
+[official Documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#introduction).
+
+| Parameter | Description | Default |
+|----------------------------------------|-------------------------------------------------------------------|---------------------------------------------------|
+| `storageClasses.default.name` | The name of the default StorageClass (RWO) | `default` |
+| `storageClasses.default.create` | Whether to create the StorageClass | `false` |
+| `storageClasses.default.provisioner` | Provisioner of the StorageClass | `kubernetes.io/aws-ebs` |
+| `storageClasses.default.reclaimPolicy` | Whether to `Retain` or `Delete` volumes, when they become unbound | `Delete` |
+| `storageClasses.default.parameters` | Parameters for the provisioner | `parameters.type: gp2`, `parameters.fsType: ext4` |
+
+#### Replication
+
+***note
+Currently, only master-slave replication is possible. Thus, enabling replication
+always means to use the database as slave.
+***
+
+| Parameter | Description | Default |
+|-----------|--------------------------------------------------------|---------|
+| `isSlave` | Whether to switch on replication from another database | `false` |
+
+
+#### MySQL
+
+***note
+Not all options available in the mysql-chart that is used as a dependency are
+listed in the `values.yaml`-file of this chart. The complete list of options for
+the mysql-chart can be viewed in the chart's
+[documentation](https://github.com/helm/charts/blob/master/stable/mysql/README.md).
+***
+
+| Parameter | Description | Default |
+|--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
+| `mysql.enabled` | Whether to install the MySQL database | `true` |
+| `mysql.replication` | Only used, if `isSlave` is `true` | `{}` |
+| `mysql.replication.config.masterHost` | Hostname of the Mysql database master | `mysql.example.com` |
+| `mysql.replication.config.masterPort` | Port of the Mysql database master | `3306` |
+| `mysql.replication.config.masterUser` | Username of technical user created for [replication](#Create-technical-user) | `repl` |
+| `mysql.replication.config.masterPassword` | Password of technical user created for [replication](#Create-technical-user) | `password` |
+| `mysql.replication.config.masterLogFile` | Transaction log file at timepoint of dump as retrieved [here](#Create-database-dump-and-note-database-state) | `mysql-bin.000001` |
+| `mysql.replication.config.masterLogPos` | Transaction log position at timepoint of dump as retrieved [here](#Create-database-dump-and-note-database-state) | `111` |
+| `mysql.replication.dbDumpAcceptPath` | Path, where the replication init script will expect the database dump file to appear | `/var/data/db/master_dump.sql` |
+| `mysql.image` | Which container image containing MySQL to use | `mysql` |
+| `mysql.imageTag` | Tag of container image (usually the database version) | `5.5.61` |
+| `mysql.mysqlRootPassword` | Password of the database `root` user | `big_secret` |
+| `mysql.mysqlUser` | Database user (The technical user used by Gerrit) | `gerrit` |
+| `mysql.mysqlPassword` | Password of the database user | `secret` |
+| `mysql.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `30` |
+| `mysql.livenessProbe.periodSeconds` | How often to perform the probe | `10` |
+| `mysql.livenessProbe.timeoutSeconds` | When the probe times out | `5` |
+| `mysql.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `mysql.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `mysql.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `5` |
+| `mysql.readinessProbe.periodSeconds` | How often to perform the probe | `10` |
+| `mysql.readinessProbe.timeoutSeconds` | When the probe times out | `1` |
+| `mysql.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
+| `mysql.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `3` |
+| `mysql.persistence.enabled` | Create a volume to store data | `true` |
+| `mysql.persistence.size` | Size of persistent volume claim | `8Gi` |
+| `mysql.persistence.storageClass` | Type of persistent volume claim | `default` |
+| `mysql.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
+| `mysql.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 250m` |
+| | | `requests.memory: 1Gi` |
+| | | `limits.cpu: 250m` |
+| | | `limits.memory: 1Gi` |
+| `mysql.configurationFiles` | Add configuration files for MySQL | `{}` (check the [Configuration files-section](#Configuration-files) for configuration options) |
+| `mysql.initializationFiles` | Add scripts that are executed, when the database is started the first time | `initialize_reviewdb.sql` (Should not be changed) |
+| `mysql.service.type` | Type of the Service used to expose the database | `NodePort` |
+| `mysql.service.port` | The port used to expose the database | `3306` |
+| `mysql.ssl.enabled` | Setup and use SSL for MySQL connections | `false` |
+| `mysql.ssl.secret` | Name of the secret containing the SSL certificates (Has to be different between multiple instances running in the same cluster) | `ssl-certs` |
+| `mysql.ssl.certificates[0].name` | Name of the secret containing the SSL certificates (Has to be different between multiple instances running in the same cluster) | `ssl-certs` |
+| `mysql.ssl.certificates[0].ca` | CA certificate (if using replication use the CA created [here](#create-certificates-for-ssl_encrypted-communication)) | `-----BEGIN CERTIFICATE-----` |
+| `mysql.ssl.certificates[0].cert` | Server certificate (public key) (if using replication use the certificate created [here](#create-certificates-for-ssl_encrypted-communication)) | `-----BEGIN CERTIFICATE-----` |
+| `mysql.ssl.certificates[0].key` | Server key (private key) (if using replication use the key created [here](#create-certificates-for-ssl_encrypted-communication)) | `-----BEGIN RSA PRIVATE KEY-----` |
+
+##### Configuration files
+
+The configuration file for the MySQL-server is provided under the keys
+`mysql.configurationsFiles.*.cnf`. There are three different config-files provided:
+
+- `common.cnf`: Contains configuration, which is the same for master- and slave-
+databases:
+
+| Parameter | Description | Default |
+|-----------------|----------------------------------------------------------|-------------------|
+| `log-bin` | Name of transaction logs (used for database replication) | `mysql-bin` |
+| `log-bin-index` | Name of transaction log indices | `mysql-bin.index` |
+| `log-error` | Error log file | `error.log` |
+| `binlog_format` | Format of the binlogs (Has to be the same as on master) | `row` |
+
+In addition, if using SSL for MySQL-requests the following options have to be made
+available by uncommenting them. The values must not be changed, when using the chart:
+
+```sh
+ssl-ca=/ssl/ca.pem
+ssl-cert=/ssl/server-cert.pem
+ssl-key=/ssl/server-key.pem
+```
+
+- `mysql-master.cnf`: Contains configuration specific for the master database:
+
+| Parameter | Description | Default |
+|-------------|------------------------------|---------|
+| `server-id` | ID unique in the MySQL setup | `1` |
+
+- `mysql-slave.cnf`: Contains configuration specific for the slave database:
+
+| Parameter | Description | Default |
+|-----------------------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|
+| `relay-log` | The slave's relay log location | `/var/lib/mysql/relay.log` |
+| `relay-log-info-file` | The slave's relay log info file location | `/var/lib/mysql/relay-log.info` |
+| `relay-log-index` | The slave's relay log index location | `/var/lib/mysql/relay-log.index` |
+| `log_slave_updates` | Whether to log slave update | `1` |
+| `sql_mode` | Configure SQL-mode | `"ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"` |
+| `read_only` | Toggle read only mode. In production this should be on (`1`). The test mode of the Gerrit slave expects it to be off (`0`). | `0` |
+| `replicate-ignore-db` | Databases not to replicate (replicating the `mysql`-DB for example would overwrite database users) | `mysql` |
+| `server-id` | ID unique in the MySQL setup | `42` |
+
+The `mysql-master.cnf`- and `mysql-slave.cnf`-files are mutually exclusive.
+Comment out the contents of the file, that is not needed, depending on installing
+a master or slave database.
+
+## Aditional configuration steps
+
+### Create certificates for SSL-encrypted communication
+
+For SSL-encrypted communication, a set of certificates is needed. Use the
+following commands to create them after adjusting the subject strings:
+
+```sh
+openssl genrsa -out ./ca.key.pem 4096
+
+openssl req \
+ -key ./ca.key.pem \
+ -new \
+ -x509 \
+ -days 7300 \
+ -sha256 \
+ -out ./ca.cert.pem \
+ -subj "/C=DE/O=Gerrit/CN=gerrit-db-master" \
+ -nodes
+
+openssl genrsa -out ./master.key.pem 4096
+
+openssl req \
+ -key ./master.key.pem \
+ -new \
+ -sha256 \
+ -out ./master.csr.pem \
+ -subj "/C=DE/O=Gerrit/CN=gerrit-db-master" \
+ -nodes
+
+openssl x509 \
+ -req \
+ -CA ./ca.cert.pem \
+ -CAkey ./ca.key.pem \
+ -CAcreateserial \
+ -in ./master.csr.pem \
+ -out ./master.cert.pem
+
+openssl genrsa -out ./slave.key.pem 4096
+
+openssl req \
+ -key ./slave.key.pem \
+ -new \
+ -sha256 \
+ -out ./slave.csr.pem \
+ -subj "/C=DE/O=Gerrit/CN=gerrit-db-slave" \
+ -nodes
+
+openssl x509 \
+ -req \
+ -CA ./ca.cert.pem \
+ -CAkey ./ca.key.pem \
+ -CAcreateserial \
+ -in ./slave.csr.pem \
+ -out ./slave.cert.pem
+```
+
+***note
+The `CN` has to be the hostname of the database instances. In case the database
+is running on Kubernetes it can be the service name.
+***
+
+### Configuring a master DB instance for replication
+
+For the replication to work, the MySQL database master has to be configured
+accordingly and some data about the database state has to be collected. The
+necessary steps are detailed in this section. If it is not planned to replicate
+the master database, skip this section.
+
+#### Create technical user
+
+Connect to the MySQL database master and create a technical user to handle the
+replication:
+
+```sql
+CREATE USER 'repl' IDENTIFIED BY 'password';
+GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'repl'
+ IDENTIFIED BY 'password'
+ REQUIRE SUBJECT '/C=DE/O=Gerrit/CN=gerrit-db-slave';
+FLUSH PRIVILEGES;
+```
+
+The username and password have to be the same as configured in the database slave's
+`values.yaml` under `mysql.replication.config.masterUser` and
+`mysql.replication.config.masterPassword`.
+
+The subject string has to be the same as the one used for the slave's certificate
+signing request. If SSL is not used, omit the subject requirement.
+
+#### Create database dump and note database state
+
+In the next steps the content of the database has to be retrieved and the corresponding
+status of the transaction logs has to be retrieved. Depending on the traffic the
+database receives, the master DB should be stopped for these steps, since the
+information could get out off sync, if the data is changed inbetween the steps:
+
+```sql
+STOP MASTER;
+```
+
+Retrieve the status of the master:
+
+```sql
+SHOW MASTER STATUS;
+
+ +------------------+----------+--------------+------------------+-------------------+
+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+ +------------------+----------+--------------+------------------+-------------------+
+ | mysql-bin.000004 | 69444891 | | | |
+ +------------------+----------+--------------+------------------+-------------------+
+```
+
+The filename and position have to be entered in the database slave's `values.yaml`
+under `mysql.replication.config.masterLogFile` and
+`mysql.replication.config.masterLogPos`.
+
+Dump the content of the database:
+
+```sh
+mysqldump --user=root -p --databases reviewdb > ./master_dump.sql
+```
+
+Afterwards, the master can be started again:
+
+```sql
+START MASTER;
+```
+
+## Initialize replication
+
+### MySQL
+
+Deploying the reviewdb chart with replication enabled, will create a MySQL
+database with a technical user to be used by the Gerrit slave and an empty
+ReviewDB database. In addition a Job will be deployed that waits for a database
+dump to be copied into the container to the location specified in
+`mysql.replication.dbDumpAcceptPath`. The dump file can be copied into the
+container using kubectl:
+
+```sh
+JOB_POD=$(kubectl get pod -l app=mysql-replication-init -o jsonpath="{.items[0].metadata.name}")
+kubectl cp <PATH_TO_DUMP> ${JOB_POD}:<DB_DUMP_ACCEPT_PATH>
+```
+
+As soon as the file is fully copied into the container, the script will load
+the dump into the database and initialize the replication in the slave. The
+database is then fully configured.
diff --git a/helm-charts/gerrit-slave/requirements.yaml b/helm-charts/reviewdb/requirements.yaml
similarity index 100%
rename from helm-charts/gerrit-slave/requirements.yaml
rename to helm-charts/reviewdb/requirements.yaml
diff --git a/helm-charts/reviewdb/templates/NOTES.txt b/helm-charts/reviewdb/templates/NOTES.txt
new file mode 100644
index 0000000..123eea9
--- /dev/null
+++ b/helm-charts/reviewdb/templates/NOTES.txt
@@ -0,0 +1,17 @@
+A ReviewDB has been deployed.
+==================================
+
+A {{ if .Values.mysql.enabled -}} MySQL {{- end }} database has been deployed and
+initialized to serve a ReviewDB-database.
+
+{{ if .Values.isSlave -}}
+The components to initialize database replication have been deployed. To start
+initialization the Job needs a database dump containing the master's data. Use
+the following command to make the database dump available to the job:
+
+ JOB_POD=$(kubectl get pod -l app=mysql-replication-init -o jsonpath="{.items[0].metadata.name}")
+ kubectl cp <PATH_TO_DUMP> ${JOB_POD}:{{ .Values.mysql.replication.dbDumpAcceptPath }}
+
+Depending on the size of the database the initialization will take a while. When
+finished the job will shut down.
+{{- end }}
diff --git a/helm-charts/reviewdb/templates/_helpers.tpl b/helm-charts/reviewdb/templates/_helpers.tpl
new file mode 100644
index 0000000..f4468cd
--- /dev/null
+++ b/helm-charts/reviewdb/templates/_helpers.tpl
@@ -0,0 +1,20 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "reviewdb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create secret to access docker registry
+*/}}
+{{- define "imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.images.registry.name (printf "%s:%s" .Values.images.registry.ImagePullSecret.username .Values.images.registry.ImagePullSecret.password | b64enc) | b64enc }}
+{{- end }}
+
+{{/*
+Add '/' to registry if needed.
+*/}}
+{{- define "registry" -}}
+{{ if .Values.images.registry.name }}{{- printf "%s/" .Values.images.registry.name -}}{{end}}
+{{- end -}}
diff --git a/helm-charts/reviewdb/templates/image-pull.secret.yaml b/helm-charts/reviewdb/templates/image-pull.secret.yaml
new file mode 100644
index 0000000..d107472
--- /dev/null
+++ b/helm-charts/reviewdb/templates/image-pull.secret.yaml
@@ -0,0 +1,9 @@
+{{ if and .Values.images.registry.ImagePullSecret.name .Values.images.registry.ImagePullSecret.create -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.images.registry.ImagePullSecret.name }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
\ No newline at end of file
diff --git a/helm-charts/gerrit-slave/templates/mysql-replication-init.job.yaml b/helm-charts/reviewdb/templates/mysql-replication-init.job.yaml
similarity index 73%
rename from helm-charts/gerrit-slave/templates/mysql-replication-init.job.yaml
rename to helm-charts/reviewdb/templates/mysql-replication-init.job.yaml
index e2a0214..6e8c9b8 100644
--- a/helm-charts/gerrit-slave/templates/mysql-replication-init.job.yaml
+++ b/helm-charts/reviewdb/templates/mysql-replication-init.job.yaml
@@ -1,23 +1,23 @@
-{{ if and .Values.database.replication.enabled (eq .Values.database.provider "mysql") }}
+{{ if and .Values.isSlave .Values.mysql.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-mysql-replication-init-configmap
labels:
app: mysql-replication-init
- chart: {{ template "gerrit-slave.chart" . }}
+ chart: {{ template "reviewdb.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
initialize-slave.sql: |
SET @query = CONCAT(
"CHANGE MASTER TO ",
- "MASTER_HOST = '{{ .Values.database.replication.mysql.config.masterHost }}' , ",
- "MASTER_PORT = {{ .Values.database.replication.mysql.config.masterPort }} , ",
- "MASTER_USER = '{{ .Values.database.replication.mysql.config.masterUser }}' , ",
+ "MASTER_HOST = '{{ .Values.mysql.replication.config.masterHost }}' , ",
+ "MASTER_PORT = {{ .Values.mysql.replication.config.masterPort }} , ",
+ "MASTER_USER = '{{ .Values.mysql.replication.config.masterUser }}' , ",
"MASTER_PASSWORD ='", @replpwd, "', ",
- "MASTER_LOG_FILE = '{{ .Values.database.replication.mysql.config.masterLogFile }}' , ",
- "MASTER_LOG_POS = {{ .Values.database.replication.mysql.config.masterLogPos }} , ",
+ "MASTER_LOG_FILE = '{{ .Values.mysql.replication.config.masterLogFile }}' , ",
+ "MASTER_LOG_POS = {{ .Values.mysql.replication.config.masterLogPos }} , ",
"MASTER_SSL = {{ if .Values.mysql.ssl.enabled }} 1 {{ else }} 0 {{ end }} , ",
"MASTER_SSL_CA = '/ssl/ca.pem', ",
"MASTER_SSL_CERT = '/ssl/server-cert.pem', ",
@@ -30,7 +30,7 @@
START SLAVE;
DO SLEEP(15);
SHOW SLAVE STATUS\G;
- dump-filepath: {{ .Values.database.replication.mysql.dbDumpAcceptPath }}
+ dump-filepath: {{ .Values.mysql.replication.dbDumpAcceptPath }}
---
apiVersion: v1
kind: Secret
@@ -38,11 +38,11 @@
name: {{ .Release.Name }}-mysql-replication-init-secret
labels:
app: mysql-replication-init
- chart: {{ template "gerrit-slave.chart" . }}
+ chart: {{ template "reviewdb.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
- repl-password: {{ .Values.database.replication.mysql.config.masterPassword | b64enc }}
+ repl-password: {{ .Values.mysql.replication.config.masterPassword | b64enc }}
type: Opaque
---
apiVersion: batch/v1
@@ -51,7 +51,7 @@
name: {{ .Release.Name }}-mysql-replication-init-job
labels:
app: mysql-replication-init
- chart: {{ template "gerrit-slave.chart" . }}
+ chart: {{ template "reviewdb.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
@@ -69,7 +69,7 @@
containers:
- name: mysql-replication-init
imagePullPolicy: {{ .Values.images.imagePullPolicy }}
- image: {{ template "registry" . }}{{ .Values.database.replication.image }}:{{ .Values.images.version }}
+ image: {{ template "registry" . }}{{ .Values.mysql.replication.image }}:{{ .Values.images.version }}
env:
- name: REPL_PASSWORD
valueFrom:
@@ -97,5 +97,4 @@
- name: mysql-replication-init-configmap
configMap:
name: {{ .Release.Name }}-mysql-replication-init-configmap
-
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm-charts/reviewdb/templates/storageclasses.yaml b/helm-charts/reviewdb/templates/storageclasses.yaml
new file mode 100644
index 0000000..e0764fc
--- /dev/null
+++ b/helm-charts/reviewdb/templates/storageclasses.yaml
@@ -0,0 +1,18 @@
+{{ if .Values.storageClasses.default.create -}}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name: {{ .Values.storageClasses.default.name }}
+ labels:
+ chart: {{ template "reviewdb.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+provisioner: {{ .Values.storageClasses.default.provisioner }}
+reclaimPolicy: {{ .Values.storageClasses.default.reclaimPolicy }}
+{{ if .Values.storageClasses.shared.parameters -}}
+parameters:
+{{- range $key, $value := .Values.storageClasses.default.parameters }}
+ {{ $key }}: {{ $value }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm-charts/reviewdb/values.yaml b/helm-charts/reviewdb/values.yaml
new file mode 100644
index 0000000..c147e80
--- /dev/null
+++ b/helm-charts/reviewdb/values.yaml
@@ -0,0 +1,176 @@
+images:
+ registry:
+ # The registry name must NOT contain a trailing slash
+ name:
+ ImagePullSecret:
+ # Leave blank, if no ImagePullSecret is needed.
+ name: image-pull-secret
+ # If set to false, the gerrit-master chart expects either a ImagePullSecret
+ # with the name configured above to be present on the cluster or that no
+ # credentials are needed.
+ create: false
+ username:
+ password:
+ version: latest
+ imagePullPolicy: Always
+
+
+storageClasses:
+ # Storage class used for storing logs and other pod-specific persisted data
+ default:
+ # If create is set to false, an existing StorageClass with the given
+ # name is expected to exist in the cluster. Setting create to true will
+ # create a storage class with the parameters given below.
+ name: default
+ create: false
+ provisioner: kubernetes.io/aws-ebs
+ reclaimPolicy: Delete
+ # Use the parameters key to set all parameters needed for the provisioner
+ parameters:
+ type: gp2
+ fsType: ext4
+
+
+isSlave: false
+
+
+mysql:
+ # Enabling the installation of the MySQL database will only make sense, if
+ # `mysql` is chosen as a provider under `database.provider`.
+ enabled: true
+
+ replication:
+ image: k8sgerrit/mysql-replication-init
+ config:
+ masterHost: mysql.example.com
+ masterPort: 3306
+ masterUser: repl
+ masterPassword: password
+ masterLogFile: mysql-bin.000001
+ masterLogPos: 111
+ dbDumpAcceptPath: /var/data/db/master_dump.sql
+
+ image: mysql
+ # The major.minor version of mysql should be the same as for the master database
+ imageTag: 5.5.61
+
+ mysqlRootPassword: big_secret
+ mysqlUser: gerrit
+ mysqlPassword: secret
+
+ livenessProbe:
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+
+ readinessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+ persistence:
+ enabled: true
+ storageClass: default
+ accessMode: ReadWriteOnce
+ size: 8Gi
+
+ resources:
+ requests:
+ cpu: 250m
+ memory: 1Gi
+ limits:
+ cpu: 250m
+ memory: 1Gi
+
+ configurationFiles:
+ common.cnf: |-
+ [mysqld]
+
+ # Name of transaction logs (used for database replication)
+ log-bin=mysql-bin
+ log-bin-index=mysql-bin.index
+ log-error=error.log
+
+ # Adapt to the binlog format of the Gerrit master's database
+ binlog_format=row
+
+ # Add the following options to the config, if using SSL (`mysql.ssl.enabled: true`)
+ # But do not change the values.
+ # ssl-ca=/ssl/ca.pem
+ # ssl-cert=/ssl/server-cert.pem
+ # ssl-key=/ssl/server-key.pem
+
+ # Use only one of the following configuration files, depending on whether
+ # the database deployment should be used as master or as slave, and comment
+ # out the contents of the other one.
+ mysql-master.cnf: |-
+ [mysqld]
+
+ # Adapt the following changes to your setup
+ ###########################################
+
+ # Has to be different for each database in the replication setup.
+ server-id=1
+
+ mysql-slave.cnf: |-
+ # [mysqld]
+
+ # # The following options should not be changed
+ # #############################################
+
+ # relay-log=/var/lib/mysql/relay.log
+ # relay-log-info-file=/var/lib/mysql/relay-log.info
+ # relay-log-index=/var/lib/mysql/relay-log.index
+
+ # log_slave_updates = 1
+
+ # sql_mode="ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
+
+ # # Adapt the following changes to your setup
+ # ###########################################
+
+ # # Should usually set to '1', when running in production.
+ # read_only=1
+
+ # # The mysql database should not be replicated to avoid to overwrite user data
+ # # of the database
+ # replicate-ignore-db=mysql
+
+ # # Has to be different for each database in the replication setup.
+ # server-id=42
+
+ initializationFiles:
+ # Do not change or remove this script.
+ initialize_reviewdb.sql: |-
+ CREATE DATABASE reviewdb DEFAULT CHARACTER SET 'utf8';
+ GRANT ALL ON reviewdb.* TO 'gerrit';
+ FLUSH PRIVILEGES;
+
+ service:
+ type: NodePort
+ port: 3306
+
+ ssl:
+ # If enabled, add the required lines to the configuration as described in
+ # `mysql.configurationFiles.mysql.cnf`
+ enabled: false
+ # Has to be different between multiple instances running in the same cluster
+ secret: ssl-certs
+ certificates:
+ - name: ssl-certs
+ ca: |-
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
+ cert: |-
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
+ key: |-
+ -----BEGIN RSA PRIVATE KEY-----
+
+ -----END RSA PRIVATE KEY-----
