From f2a72888decd8af77d360bc2ff539e754522ff7b Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Thu, 30 Oct 2025 21:26:57 -0400
Subject: [PATCH 01/11] Add a .editorconfig, cribbed from zulip/zulip.
---
.editorconfig | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 .editorconfig
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000000..9a0ae3c7c3
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[[shell]]
+binary_next_line = true
+switch_case_indent = true
+
+[*.{yaml,yml}]
+indent_size = 2
From de78ce62dbde30062bb6532805bf4e872c5e848e Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Thu, 30 Oct 2025 21:27:16 -0400
Subject: [PATCH 02/11] entrypoint: Run shfmt.
---
entrypoint.sh | 127 +++++++++++++++++++++++++-------------------------
1 file changed, 63 insertions(+), 64 deletions(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index a546361ddd..1f66f21466 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -86,37 +86,37 @@ setConfigurationValue() { local TYPE="$4" if [ -z "$TYPE" ]; then case "$2" in - [Tt][Rr][Uu][Ee]|[Ff][Aa][Ll][Ss][Ee]|[Nn]one) - TYPE="bool" - ;; + [Tt][Rr][Uu][Ee] | [Ff][Aa][Ll][Ss][Ee] | [Nn]one) + TYPE="bool" + ;; +([0-9])) - TYPE="integer" - ;; + TYPE="integer" + ;; [\[\(]*[\]\)]) - TYPE="array" - ;; + TYPE="array" + ;; *) - TYPE="string" - ;; + TYPE="string" + ;; esac fi case "$TYPE" in emptyreturn) - if [ -z "$2" ]; then - return 0 - fi - ;; + if [ -z "$2" ]; then + return 0 + fi + ;; literal) - VALUE="$1" - ;; - bool|boolean|int|integer|array) - VALUE="$KEY = $2" - ;; - string|*) - VALUE="$KEY = '${2//\'/\'}'" - ;; + VALUE="$1" + ;; + bool | boolean | int | integer | array) + VALUE="$KEY = $2" + ;; + string | *) + VALUE="$KEY = '${2//\'/\'}'" + ;; esac - echo "$VALUE" >> "$FILE" + echo "$VALUE" >>"$FILE" echo "Setting key \"$KEY\", type \"$TYPE\" in file \"$FILE\"." } nginxConfiguration() { @@ -260,7 +260,7 @@ authenticationBackends() { echo "Activating authentication backends ..." local FIRST=true local auth_backends - IFS=, read -r -a auth_backends <<< "$ZULIP_AUTH_BACKENDS" + IFS=, read -r -a auth_backends <<<"$ZULIP_AUTH_BACKENDS" for AUTH_BACKEND in "${auth_backends[@]}"; do if [ "$FIRST" = true ]; then setConfigurationValue "AUTHENTICATION_BACKENDS" "('zproject.backends.${AUTH_BACKEND//\'/\'}',)" "$SETTINGS_PY" "array" @@ -275,7 +275,7 @@ authenticationBackends() { zulipConfiguration() { echo "Executing Zulip configuration ..." if [ -n "$ZULIP_CUSTOM_SETTINGS" ]; then - echo -e "\n$ZULIP_CUSTOM_SETTINGS" >> "$SETTINGS_PY" + echo -e "\n$ZULIP_CUSTOM_SETTINGS" >>"$SETTINGS_PY" fi local key for key in "${!SETTING_@}"; do 
@@ -288,35 +288,35 @@ zulipConfiguration() { continue fi # Zulip settings.py / zproject specific overrides here - if [ "$setting_key" = "AUTH_LDAP_CONNECTION_OPTIONS" ] || \ - [ "$setting_key" = "AUTH_LDAP_GLOBAL_OPTIONS" ] || \ - [ "$setting_key" = "AUTH_LDAP_USER_SEARCH" ] || \ - [ "$setting_key" = "AUTH_LDAP_GROUP_SEARCH" ] || \ - [ "$setting_key" = "AUTH_LDAP_REVERSE_EMAIL_SEARCH" ] || \ - [ "$setting_key" = "AUTH_LDAP_USER_ATTR_MAP" ] || \ - [ "$setting_key" = "AUTH_LDAP_USER_FLAGS_BY_GROUP" ] || \ - [ "$setting_key" = "AUTH_LDAP_GROUP_TYPE" ] || \ - [ "$setting_key" = "AUTH_LDAP_ADVANCED_REALM_ACCESS_CONTROL" ] || \ - [ "$setting_key" = "LDAP_SYNCHRONIZED_GROUPS_BY_REALM" ] || \ - [ "$setting_key" = "SOCIAL_AUTH_OIDC_ENABLED_IDPS" ] || \ - [ "$setting_key" = "SOCIAL_AUTH_SAML_ENABLED_IDPS" ] || \ - [ "$setting_key" = "SOCIAL_AUTH_SAML_ORG_INFO" ] || \ - [ "$setting_key" = "SOCIAL_AUTH_SYNC_ATTRS_DICT" ] || \ - { [ "$setting_key" = "LDAP_APPEND_DOMAIN" ] && [ "$setting_var" = "None" ]; } || \ - [ "$setting_key" = "SCIM_CONFIG" ] || \ - [ "$setting_key" = "SECURE_PROXY_SSL_HEADER" ] || \ - [[ "$setting_key" = "CSRF_"* ]] || \ - [ "$setting_key" = "REALM_HOSTS" ] || \ - [ "$setting_key" = "ALLOWED_HOSTS" ]; then + if [ "$setting_key" = "AUTH_LDAP_CONNECTION_OPTIONS" ] \ + || [ "$setting_key" = "AUTH_LDAP_GLOBAL_OPTIONS" ] \ + || [ "$setting_key" = "AUTH_LDAP_USER_SEARCH" ] \ + || [ "$setting_key" = "AUTH_LDAP_GROUP_SEARCH" ] \ + || [ "$setting_key" = "AUTH_LDAP_REVERSE_EMAIL_SEARCH" ] \ + || [ "$setting_key" = "AUTH_LDAP_USER_ATTR_MAP" ] \ + || [ "$setting_key" = "AUTH_LDAP_USER_FLAGS_BY_GROUP" ] \ + || [ "$setting_key" = "AUTH_LDAP_GROUP_TYPE" ] \ + || [ "$setting_key" = "AUTH_LDAP_ADVANCED_REALM_ACCESS_CONTROL" ] \ + || [ "$setting_key" = "LDAP_SYNCHRONIZED_GROUPS_BY_REALM" ] \ + || [ "$setting_key" = "SOCIAL_AUTH_OIDC_ENABLED_IDPS" ] \ + || [ "$setting_key" = "SOCIAL_AUTH_SAML_ENABLED_IDPS" ] \ + || [ "$setting_key" = "SOCIAL_AUTH_SAML_ORG_INFO" ] \ + || [ 
"$setting_key" = "SOCIAL_AUTH_SYNC_ATTRS_DICT" ] \ + || { [ "$setting_key" = "LDAP_APPEND_DOMAIN" ] && [ "$setting_var" = "None" ]; } \ + || [ "$setting_key" = "SCIM_CONFIG" ] \ + || [ "$setting_key" = "SECURE_PROXY_SSL_HEADER" ] \ + || [[ "$setting_key" = "CSRF_"* ]] \ + || [ "$setting_key" = "REALM_HOSTS" ] \ + || [ "$setting_key" = "ALLOWED_HOSTS" ]; then type="array" fi - if [ "$SPECIAL_SETTING_DETECTION_MODE" = "True" ] || [ "$SPECIAL_SETTING_DETECTION_MODE" = "true" ] || \ - [ "$type" = "string" ]; then + if [ "$SPECIAL_SETTING_DETECTION_MODE" = "True" ] || [ "$SPECIAL_SETTING_DETECTION_MODE" = "true" ] \ + || [ "$type" = "string" ]; then type="" fi - if [ "$setting_key" = "EMAIL_HOST_USER" ] || \ - [ "$setting_key" = "EMAIL_HOST_PASSWORD" ] || \ - [ "$setting_key" = "EXTERNAL_HOST" ]; then + if [ "$setting_key" = "EMAIL_HOST_USER" ] \ + || [ "$setting_key" = "EMAIL_HOST_PASSWORD" ] \ + || [ "$setting_key" = "EXTERNAL_HOST" ]; then type="string" fi setConfigurationValue "$setting_key" "$setting_var" "$SETTINGS_PY" "$type" @@ -333,7 +333,7 @@ autoBackupConfiguration() { echo "Auto backup is disabled. Continuing." return 0 fi - printf 'MAILTO=""\n%s cd /;/sbin/entrypoint.sh app:backup\n' "$AUTO_BACKUP_INTERVAL" > /etc/cron.d/autobackup + printf 'MAILTO=""\n%s cd /;/sbin/entrypoint.sh app:backup\n' "$AUTO_BACKUP_INTERVAL" >/etc/cron.d/autobackup echo "Auto backup enabled." } initialConfiguration() { @@ -357,8 +357,7 @@ initialConfiguration() { waitingForDatabase() { local TIMEOUT=60 echo "Waiting for database server to allow connections ..." - while ! PGPASSWORD="${SECRETS_postgres_password?}" /usr/bin/pg_isready -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" -t 1 >/dev/null 2>&1 - do + while ! PGPASSWORD="${SECRETS_postgres_password?}" /usr/bin/pg_isready -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" -t 1 >/dev/null 2>&1; do if ! ((TIMEOUT--)); then echo "Could not connect to database server. Exiting." exit 1 
@@ -435,7 +434,7 @@ function runCertbotAsNeeded() { echo "Waiting for nginx to come online before generating certbot certificate ..." while ! curl -sk "$SETTING_EXTERNAL_HOST" >/dev/null 2>&1; do - sleep 1; + sleep 1 done echo "Generating LetsEncrypt/certbot certificate ..." @@ -507,7 +506,7 @@ appBackup() { BACKUP_FOLDER="/tmp/backup-$TIMESTAMP)" mkdir -p "$BACKUP_FOLDER" waitingForDatabase - pg_dump -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" "$DB_NAME" > "$BACKUP_FOLDER/database-postgres.sql" + pg_dump -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" "$DB_NAME" >"$BACKUP_FOLDER/database-postgres.sql" tar -zcvf "$DATA_DIR/backups/backup-$TIMESTAMP.tar.gz" "$BACKUP_FOLDER/" rm -r "${BACKUP_FOLDER:?}/" echo "Backup process succeeded." @@ -552,7 +551,7 @@ appRestore() { echo "!! WARNING !! Starting restore process ... !! WARNING !!" waitingForDatabase tar -zxvf "$DATA_DIR/backups/$BACKUP_FILE" -C /tmp - psql -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" "$DB_NAME" < "/tmp/$(basename "$BACKUP_FILE" | cut -d. -f1)/database-postgres.sql" + psql -h "$DB_HOST" -p "$DB_HOST_PORT" -U "$DB_USER" "$DB_NAME" <"/tmp/$(basename "$BACKUP_FILE" | cut -d. -f1)/database-postgres.sql" rm -r "/tmp/$(basename "$BACKUP_FILE" | cut -d. -f1)/" echo "Restore process succeeded. Exiting." exit 0 @@ -583,30 +582,30 @@ appVersion() { case "$1" in app:run) appRun - ;; + ;; app:init) appInit - ;; + ;; app:managepy) shift 1 appManagePy "$@" - ;; + ;; app:backup) appBackup - ;; + ;; app:restore) appRestore - ;; + ;; app:certs) appCerts - ;; + ;; app:help) appHelp - ;; + ;; app:version) appVersion - ;; + ;; *) exec "$@" || appHelp - ;; + ;; esac From d467b7e487960c7dc3ff132883647152536b9ab0 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Thu, 30 Oct 2025 21:52:37 -0400 Subject: [PATCH 03/11] upgrade-postgresql: Run shfmt. --- upgrade-postgresql | 68 +++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 34 deletions(-) 
diff --git a/upgrade-postgresql b/upgrade-postgresql index 1b50f92ca5..0e5cef2f92 100755 --- a/upgrade-postgresql +++ b/upgrade-postgresql @@ -5,36 +5,36 @@ new_version=14 # Require the `yq` tool if ! command -v yq >/dev/null; then - echo "You must install the 'yq' tool to use this script." - exit 1 + echo "You must install the 'yq' tool to use this script." + exit 1 fi # Require docker compose 2.1.1 or higher, for `docker compose up --wait` docker_compose_version=$(docker compose --version --short) if [ "${docker_compose_version}" = "$(echo -e "2.1.0\n${docker_compose_version}" | sort -V | head -n1)" ]; then - echo "Your docker compose is too old (${docker_compose_version}); upgrade to at least 2.1.1." - exit 1 + echo "Your docker compose is too old (${docker_compose_version}); upgrade to at least 2.1.1." + exit 1 fi image=$(yq ".services.database.image" docker-compose.yml) if [[ $image =~ ^zulip/zulip-postgresql:([0-9]+)$ ]]; then - old_version="${BASH_REMATCH[1]}" + old_version="${BASH_REMATCH[1]}" else - echo "Unexpected PostgreSQL image: $image" - exit 1 + echo "Unexpected PostgreSQL image: $image" + exit 1 fi volume_mount=$(yq ".services.database.volumes.0" docker-compose.yml) if [[ "$volume_mount" =~ ^([^:]+):/var/lib/postgresql/data:rw$ ]]; then - old_mountpoint="${BASH_REMATCH[1]}" + old_mountpoint="${BASH_REMATCH[1]}" else - echo "Unexpected volume mount: $volume_mount" - exit 1 + echo "Unexpected volume mount: $volume_mount" + exit 1 fi if [ "$new_version" -eq "$old_version" ]; then - echo "PostgreSQL image is already version $new_version!" - exit 1 + echo "PostgreSQL image is already version $new_version!" + exit 1 fi # Create a new volume for the data; scope it with the current 
@@ -48,26 +48,26 @@ trap 'docker volume --force "$full_new_volume"' EXIT # Start a new PostgreSQL container of the right version to read in the # dumped database and write a new data dir on the new volume temp_container=$( - docker run -d \ - -e POSTGRES_DB=zulip \ - -e POSTGRES_USER=zulip \ - -e POSTGRES_PASSWORD=zulip \ - -v "$full_new_volume:/var/lib/postgresql/data:rw" \ - --health-cmd 'psql -U zulip -c "select 1"' \ - --health-interval 10s \ - "zulip/zulip-postgresql:$new_version" + docker run -d \ + -e POSTGRES_DB=zulip \ + -e POSTGRES_USER=zulip \ + -e POSTGRES_PASSWORD=zulip \ + -v "$full_new_volume:/var/lib/postgresql/data:rw" \ + --health-cmd 'psql -U zulip -c "select 1"' \ + --health-interval 10s \ + "zulip/zulip-postgresql:$new_version" ) trap 'docker rm --force "$temp_container"; docker volume rm --force "$full_new_volume"' EXIT # Wait for the new PostgreSQL container to become available tries=0 while [ "$(docker inspect --format='{{json .State.Health.Status}}' "$temp_container")" != '"healthy"' ]; do - tries=$((tries + 1)) - if [ "$tries" -gt 5 ]; then - echo "PostgreSQL $new_version container failed to start!" - exit 1 - fi - sleep 10 + tries=$((tries + 1)) + if [ "$tries" -gt 5 ]; then + echo "PostgreSQL $new_version container failed to start!" + exit 1 + fi + sleep 10 done # Ensure database is running 
@@ -76,19 +76,19 @@ docker compose up --wait database # Stop the zulip processes which talk to the database zulip_is_running=$(docker compose ps --filter status=running --services | grep zulip || true) if [ -n "$zulip_is_running" ]; then - docker compose stop zulip + docker compose stop zulip fi # Transfer the data to the new container -docker compose exec database pg_dumpall -U zulip | - docker exec -i "$temp_container" psql -U zulip +docker compose exec database pg_dumpall -U zulip \ + | docker exec -i "$temp_container" psql -U zulip if [ "$old_version" -eq "10" ]; then - # Upgrade MD5 password to SCRAM-SHA-256. We escape all 's by doubling them. - database_password=$(yq .services.database.environment.POSTGRES_PASSWORD docker-compose.yml | - perl -pe "s/'/''/g") - echo "ALTER USER zulip WITH PASSWORD '$database_password';" | - docker exec -i "$temp_container" psql -U zulip + # Upgrade MD5 password to SCRAM-SHA-256. We escape all 's by doubling them. + database_password=$(yq .services.database.environment.POSTGRES_PASSWORD docker-compose.yml \ + | perl -pe "s/'/''/g") + echo "ALTER USER zulip WITH PASSWORD '$database_password';" \ + | docker exec -i "$temp_container" psql -U zulip fi # Stop the running database From 5c4773b53631c430aa3fb4240be075f4ce41beda Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Thu, 30 Oct 2025 21:27:39 -0400 Subject: [PATCH 04/11] github: Add shellcheck + shellfmt action. --- .github/workflows/shell-test.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/shell-test.yaml diff --git a/.github/workflows/shell-test.yaml b/.github/workflows/shell-test.yaml new file mode 100644 index 0000000000..692ee19aec --- /dev/null +++ b/.github/workflows/shell-test.yaml @@ -0,0 +1,14 @@ +--- +name: Shell check and lint + +on: + pull_request: + branches: + - main + +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - uses: luizm/action-sh-checker@master 
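Review bot: `uses: luizm/action-sh-checker@master` in the new shell-test.yaml runs whatever the third-party action's `master` branch points to at job time, so a change in that repository executes in this repo's CI without review here. Pin it to a full commit SHA with the release as a trailing comment, e.g. `- uses: luizm/action-sh-checker@<full-commit-sha> # <release tag>`. The workflow also declares no `permissions:`, so the job runs with the repository's default token scope; a top-level `permissions:` with `contents: read` should be enough for a lint-only job. The same two points apply to `hadolint/hadolint-action@v3.1.0` in dockerfile-lint.yaml later in this series, where the tag can still be moved.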
From 4304a20c9bcf27c0a9e9192e1b39e440efe2c312 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Thu, 6 Nov 2025 11:42:09 -0500 Subject: [PATCH 05/11] entrypoint: Better error handling on MANUAL_CONFIGURATION errors. --- entrypoint.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 1f66f21466..f81deec6d6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -349,6 +349,33 @@ initialConfiguration() { secretsConfiguration authenticationBackends zulipConfiguration + else + # Check that the configuration will work + root_path="/etc/zulip" + if [ "$LINK_SETTINGS_TO_DATA" = "True" ] || [ "$LINK_SETTINGS_TO_DATA" = "true" ]; then + root_path="/data/settings/etc-zulip" + fi + failure=0 + for conf_file in zulip.conf zulip-secrets.conf settings.py; do + if [ ! -f "/etc/zulip/$conf_file" ]; then + echo "ERROR: $root_path/$conf_file does not exist!" + failure=1 + elif ! sudo -u zulip test -r "/etc/zulip/$conf_file"; then + echo "ERROR: $root_path/$conf_file is not readable by the zulip user (UID $(id -u zulip))" + failure=1 + elif [ ! -s "/etc/zulip/$conf_file" ]; then + echo "ERROR: $root_path/$conf_file is empty" + failure=1 + fi + done + if [ "$failure" = "1" ]; then + ls -l /etc/zulip/ + exit 1 + fi + if ! su zulip -c "/home/zulip/deployments/current/manage.py checkconfig"; then + echo "Error in the Zulip configuration. Exiting." + exit 1 + fi fi autoBackupConfiguration echo "=== End Initial Configuration Phase ===" From c87f4dfe4303663fae6dd60bf4ef877e733add86 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Thu, 30 Oct 2025 15:58:12 -0400 Subject: [PATCH 06/11] Dockerfile: Pass `hadolint`. --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 87ff46e891..8b6bdb5fde 100644 --- a/Dockerfile +++ b/Dockerfile 
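Review bot: The new `else` branch assigns `root_path`, `failure` and `conf_file` without `local`, so they become globals of the entrypoint, unlike `local TYPE`, `local key` and `local TIMEOUT` in the other functions of this file; `local root_path="/etc/zulip" failure=0 conf_file` at the top of the branch keeps them scoped. The readability test runs `sudo -u zulip test -r …` while the check right after it uses `su zulip -c …`; if `sudo` is absent or fails for another reason in the image (not visible here), every file is reported as "not readable by the zulip user", so using one mechanism for both would keep the diagnosis reliable. The `ERROR:` lines are written to stdout; appending `>&2` would let log collectors separate them from progress output. `initialConfiguration` starts and ends outside this hunk.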
@@ -9,6 +9,7 @@ ENV LANG="C.UTF-8" ARG UBUNTU_MIRROR +# hadolint ignore=DL3005,DL3008,DL3009 RUN { [ ! "$UBUNTU_MIRROR" ] || sed -i "s|http://\(\w*\.\)*archive\.ubuntu\.com/ubuntu/\? |$UBUNTU_MIRROR |" /etc/apt/sources.list; } && \ apt-get -q update && \ apt-get -q dist-upgrade -y && \ @@ -29,8 +30,7 @@ WORKDIR /home/zulip ARG ZULIP_GIT_URL=https://github.com/zulip/zulip.git ARG ZULIP_GIT_REF=11.4 -RUN git clone "$ZULIP_GIT_URL" -b "$ZULIP_GIT_REF" && \ - cd zulip +RUN git clone "$ZULIP_GIT_URL" -b "$ZULIP_GIT_REF" WORKDIR /home/zulip/zulip @@ -53,12 +53,12 @@ COPY custom_zulip_files/ /root/custom_zulip ARG CUSTOM_CA_CERTIFICATES +WORKDIR /root RUN \ # Make sure Nginx is started by Supervisor. dpkg-divert --add --rename /etc/init.d/nginx && \ ln -s /bin/true /etc/init.d/nginx && \ mkdir -p "$DATA_DIR" && \ - cd /root && \ tar -xf zulip-server-docker.tar.gz && \ rm -f zulip-server-docker.tar.gz && \ mv zulip-server-docker zulip && \ From 4aac655a7aeb80d9b1c23812463f6aaf23e037fd Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Thu, 30 Oct 2025 15:58:49 -0400 Subject: [PATCH 07/11] github: Add hadolint action. --- .github/workflows/dockerfile-lint.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/dockerfile-lint.yaml diff --git a/.github/workflows/dockerfile-lint.yaml b/.github/workflows/dockerfile-lint.yaml new file mode 100644 index 0000000000..55559d16ae --- /dev/null +++ b/.github/workflows/dockerfile-lint.yaml @@ -0,0 +1,14 @@ +--- +name: Dockerfile lint + +on: + pull_request: + branches: + - main + +jobs: + hadolint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - uses: hadolint/hadolint-action@v3.1.0 From 3811f14e0ccf40e45f11260c60c271a7effcab12 Mon Sep 17 00:00:00 2001 
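Review bot: The added `# hadolint ignore=DL3005,DL3008,DL3009` silences three findings on the base-image `RUN` without saying why, and two of them bear on image hygiene: unpinned `apt-get install` packages (DL3008) and apt lists left in the layer (DL3009). A comment line above it, for example `# dist-upgrade and unpinned packages are deliberate: the image tracks current Ubuntu updates` (if that is the intent), would let a later reader tell a deliberate exception from a muted warning. The `RUN` continues outside the hunk, so if the apt lists are in fact removed further down, DL3009 may not need to be in the ignore list at all.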
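Review bot: `WORKDIR /root` in the third Dockerfile hunk replaces a `cd /root` that was scoped to a single `RUN`, so /root now stays the working directory for every later instruction in this stage and, unless a later `WORKDIR` resets it, for the process started by the image's entrypoint. The rest of the Dockerfile is outside the hunk, so confirm that nothing after this `RUN` relies on the previous working directory. If the earlier runtime directory is wanted, a second `WORKDIR` with that path after the `RUN` restores it.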
From: Alex Vandiver Date: Thu, 30 Oct 2025 16:24:30 -0400 Subject: [PATCH 08/11] helm: Pass `ct lint`. --- kubernetes/chart/zulip/Chart.yaml | 5 ++++- kubernetes/chart/zulip/README.md | 2 +- lintconf.yaml | 5 +++++ 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 lintconf.yaml diff --git a/kubernetes/chart/zulip/Chart.yaml b/kubernetes/chart/zulip/Chart.yaml index 840e2945d9..eacc22cd80 100644 --- a/kubernetes/chart/zulip/Chart.yaml +++ b/kubernetes/chart/zulip/Chart.yaml @@ -3,11 +3,14 @@ description: Zulip is an open source threaded team chat that helps teams stay pr name: zulip type: application icon: https://raw.githubusercontent.com/zulip/zulip/main/static/images/logo/zulip-icon-square.svg +maintainers: + - name: zulip + url: https://chat.zulip.org/ ## This is the chart version. This version number should be ## incremented each time you make changes to the chart and its ## templates, including the app version. Versions are expected to ## follow Semantic Versioning (https://semver.org/) -version: 0.11.4 +version: 0.11.41 ## This is the version number of the application being deployed. This ## version number should be incremented each time you make changes to diff --git a/kubernetes/chart/zulip/README.md b/kubernetes/chart/zulip/README.md index 811b582876..526c9dfad6 100644 --- a/kubernetes/chart/zulip/README.md +++ b/kubernetes/chart/zulip/README.md 
@@ -1,6 +1,6 @@ # Zulip -![Version: 0.11.4](https://img.shields.io/badge/Version-0.11.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 11.4-0](https://img.shields.io/badge/AppVersion-11.4--0-informational?style=flat-square) +![Version: 0.11.41](https://img.shields.io/badge/Version-0.11.41-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 11.4-0](https://img.shields.io/badge/AppVersion-11.4--0-informational?style=flat-square) [Zulip](https://zulip.com/) is an open source threaded team chat that helps teams stay productive and focused. diff --git a/lintconf.yaml b/lintconf.yaml new file mode 100644 index 0000000000..125bb08cb6 --- /dev/null +++ b/lintconf.yaml @@ -0,0 +1,5 @@ +--- +# This is consumed by `yamllint`, which is run by `ct lint` +rules: + comments: + min-spaces-from-content: 1 # Due to prettier: https://github.com/prettier/prettier/pull/10926 From 6ef5c6c3faa3a2d76e33e6e744f7075864ff369e Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 5 Nov 2025 23:30:34 -0500 Subject: [PATCH 09/11] helm: Fix containerSecurityContext to run PostgreSQL as non-root. Fixes: #470. --- kubernetes/chart/zulip/README.md | 4 +++- kubernetes/chart/zulip/values.yaml | 7 ++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/kubernetes/chart/zulip/README.md b/kubernetes/chart/zulip/README.md index 526c9dfad6..884bc89a5a 100644 --- a/kubernetes/chart/zulip/README.md +++ b/kubernetes/chart/zulip/README.md 
@@ -96,7 +96,9 @@ Now you're ready to follow [the installation instructions above](#installation). | postgresql.auth.username | string | `"zulip"` | | | postgresql.image.repository | string | `"zulip/zulip-postgresql"` | | | postgresql.image.tag | int | `14` | | -| postgresql.primary.containerSecurityContext.runAsUser | int | `0` | | +| postgresql.primary.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | | +| postgresql.primary.containerSecurityContext.runAsGroup | int | `70` | | +| postgresql.primary.containerSecurityContext.runAsUser | int | `70` | | | rabbitmq.auth.username | string | `"zulip"` | | | rabbitmq.persistence.enabled | bool | `false` | | | redis.architecture | string | `"standalone"` | | diff --git a/kubernetes/chart/zulip/values.yaml b/kubernetes/chart/zulip/values.yaml index b11539b16d..d9aca8a80b 100644 --- a/kubernetes/chart/zulip/values.yaml +++ b/kubernetes/chart/zulip/values.yaml @@ -200,7 +200,12 @@ sidecars: [] postgresql: primary: containerSecurityContext: - runAsUser: 0 + # 70 is the standard uid/gid of the "postgres" user in Alpine, which is + # used as the base for zulip/zulip-postgresql + # https://github.com/docker-library/postgres/blob/23987751b63ce745bd27b1119ab29dc4a1ffd728/Dockerfile-alpine.template#L7 + runAsUser: 70 + runAsGroup: 70 + readOnlyRootFilesystem: false ## We need to override the Postgresql image to get all the plugins Zulip needs image: repository: zulip/zulip-postgresql From 90ff1b20fee49cfca2a888bc2a4497be801c8a04 Mon Sep 17 00:00:00 2001 
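Review bot: `runAsUser: 70` in values.yaml drops root for the PostgreSQL container, but nothing in the block makes the kubelet refuse to start it as root if the value is later overridden or removed; adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` next to it would enforce the intent stated in the commit title. `readOnlyRootFilesystem: false` is set explicitly, so a short comment naming what the image writes outside its data volume would help someone tighten it later. Whether the subchart passes additional keys in this security context through unchanged is not visible here, so check the rendered pod spec. The same block is moved to `postgresql.securityContext` by the next patch in the series, where the point applies equally.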
From: Alex Vandiver Date: Thu, 6 Nov 2025 00:14:48 -0500 Subject: [PATCH 10/11] checkpoint groundhog2k charts --- kubernetes/chart/zulip/Chart.lock | 20 +++---- kubernetes/chart/zulip/Chart.yaml | 20 ++++--- kubernetes/chart/zulip/README.md | 56 ++++++++++-------- kubernetes/chart/zulip/README.md.gotmpl | 25 ++++---- kubernetes/chart/zulip/templates/_helpers.tpl | 16 ++--- .../chart/zulip/values-local.yaml.example | 25 ++++---- kubernetes/chart/zulip/values.yaml | 58 +++++++++++-------- 7 files changed, 126 insertions(+), 94 deletions(-) diff --git a/kubernetes/chart/zulip/Chart.lock b/kubernetes/chart/zulip/Chart.lock index a227174d48..ffe1cf61c2 100644 --- a/kubernetes/chart/zulip/Chart.lock +++ b/kubernetes/chart/zulip/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: memcached repository: oci://registry-1.docker.io/bitnamicharts - version: 7.4.16 + version: 7.9.7 - name: rabbitmq - repository: oci://registry-1.docker.io/bitnamicharts - version: 14.7.0 + repository: https://groundhog2k.github.io/helm-charts/ + version: 2.2.0 - name: redis - repository: oci://registry-1.docker.io/bitnamicharts - version: 20.1.4 -- name: postgresql - repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.32 -digest: sha256:511a69dac54b26810b3b269751c8115d5b8ed7a9ecfe5cc4a656e7feb5dbd1ff -generated: "2024-09-23T17:27:41.004706+02:00" + repository: https://groundhog2k.github.io/helm-charts/ + version: 2.1.7 +- name: postgres + repository: https://groundhog2k.github.io/helm-charts/ + version: 1.5.11 +digest: sha256:c7d4845a79011fbbf12fee4e5e51c3c0762446f229c08e499f792a52bc185b16 +generated: "2025-11-06T00:13:51.539064-05:00" diff --git a/kubernetes/chart/zulip/Chart.yaml b/kubernetes/chart/zulip/Chart.yaml index eacc22cd80..71125dc77e 100644 --- a/kubernetes/chart/zulip/Chart.yaml +++ b/kubernetes/chart/zulip/Chart.yaml 
@@ -23,23 +23,25 @@ dependencies: repository: oci://registry-1.docker.io/bitnamicharts tags: - memcached - version: 7.4.16 + ## Note: values.yaml overwrites memcached image to docker.io memcached, not bitnami's + version: 7.9.7 - name: rabbitmq - repository: oci://registry-1.docker.io/bitnamicharts + repository: https://groundhog2k.github.io/helm-charts/ tags: - rabbitmq - version: 14.7.0 + version: 2.2.0 - name: redis - repository: oci://registry-1.docker.io/bitnamicharts + repository: https://groundhog2k.github.io/helm-charts/ tags: - redis - version: 20.1.4 - - name: postgresql - repository: oci://registry-1.docker.io/bitnamicharts + version: 2.1.7 + - name: postgres + repository: https://groundhog2k.github.io/helm-charts/ + alias: postgresql tags: - postgresql - ## Note: values.yaml overwrites posgresql image to zulip/zulip-postgresql:14 - version: 15.5.32 + ## Note: values.yaml overwrites postgresql image to zulip/zulip-postgresql:14 + version: 1.5.11 sources: - https://github.com/zulip/zulip diff --git a/kubernetes/chart/zulip/README.md b/kubernetes/chart/zulip/README.md index 884bc89a5a..c424cf26b0 100644 --- a/kubernetes/chart/zulip/README.md +++ b/kubernetes/chart/zulip/README.md @@ -85,6 +85,9 @@ Now you're ready to follow [the installation instructions above](#installation). | livenessProbe.periodSeconds | int | `10` | | | livenessProbe.successThreshold | int | `1` | | | livenessProbe.timeoutSeconds | int | `5` | | +| memcached.image.registry | string | `"docker.io"` | | +| memcached.image.repository | string | `"memcached"` | | +| memcached.image.tag | string | `"alpine"` | | | memcached.memcachedUsername | string | `"zulip@localhost"` | | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | 
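Review bot: The memcached image override mentioned in the new `## Note:` comment resolves, per the README table added in this patch, to `docker.io/memcached` with tag `alpine`, a floating tag, so the image a release pulls can change without any chart change. A version tag or digest there would make it reproducible in the same way as `rabbitmq.image.tag` `4.2.0` and the pinned subchart versions in this hunk. Separately, aliasing `postgres` as `postgresql` keeps the top-level values key, but the keys beneath it change in this patch (`auth.*` becomes `userDatabase.*`), so the upgrade notes should say that existing overrides need to be renamed.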
@@ -92,17 +95,18 @@ Now you're ready to follow [the installation instructions above](#installation). | podLabels | object | `{}` | | | podSecurityContext | object | `{}` | | | postSetup.scripts | object | `{}` | | -| postgresql.auth.database | string | `"zulip"` | | -| postgresql.auth.username | string | `"zulip"` | | -| postgresql.image.repository | string | `"zulip/zulip-postgresql"` | | +| postgresql.customScripts."02-zulip-schema.sh" | string | `"psql -v ON_ERROR_STOP=1 --username \"$POSTGRES_USER\" --dbname \"$POSTGRES_DB\" \\\n -v \"dbuser=$USERDB_USER\" -v \"dbname=$POSTGRES_DB\" <<-EOSQL\n ALTER ROLE :\"dbuser\" SET search_path TO :\"dbname\",public;\n CREATE SCHEMA zulip AUTHORIZATION :\"dbuser\";\nEOSQL\n"` | | +| postgresql.image.registry | string | `"zulip"` | | +| postgresql.image.repository | string | `"zulip-postgresql"` | | | postgresql.image.tag | int | `14` | | -| postgresql.primary.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | | -| postgresql.primary.containerSecurityContext.runAsGroup | int | `70` | | -| postgresql.primary.containerSecurityContext.runAsUser | int | `70` | | -| rabbitmq.auth.username | string | `"zulip"` | | -| rabbitmq.persistence.enabled | bool | `false` | | -| redis.architecture | string | `"standalone"` | | -| redis.master.persistence.enabled | bool | `false` | | +| postgresql.securityContext.readOnlyRootFilesystem | bool | `false` | | +| postgresql.securityContext.runAsGroup | int | `70` | | +| postgresql.securityContext.runAsUser | int | `70` | | +| postgresql.userDatabase.name.value | string | `"zulip"` | | +| postgresql.userDatabase.user.value | string | `"zulip"` | | +| rabbitmq.authentication.user.value | string | `"zulip"` | | +| rabbitmq.image.tag | string | `"4.2.0"` | | +| redis | object | `{}` | | | resources | object | `{}` | | | securityContext | object | `{}` | | | service.port | int | `80` | | 
@@ -161,22 +165,26 @@ SECRETS_email_password: ### Dependencies -The chart uses Memcached, RabbitMQ and Redis helm charts defined in -the Bitnami Helm repository. Most of these are configured following their -default settings, but you can check -https://github.com/bitnami/charts/tree/master/bitnami/ for more configuration -options of the subcharts. - -For PostgreSQL the chart also uses the Bitnami chart to install it on the -Kubernetes cluster. However, in this case we use Zulip's -[zulip-postgresql](https://hub.docker.com/r/zulip/zulip-postgresql) docker -image, because it contains the Postgresql plugins that are needed to run Zulip. +The chart uses PostgreSQL, RabbitMQ and Redis helm charts defined in +the groundhog2k Helm repository. Most of these are configured +following their default settings, but you can check +https://github.com/groundhog2k/helm-charts/tree/master/charts/ for +more configuration options of these subcharts. The PostgreSQL +subchart uses the +[zulip-postgresql](https://hub.docker.com/r/zulip/zulip-postgresql) +docker image, because it contains the Postgresql plugins that are +needed to run Zulip. + +For Memcached, the chart uses the Bitnami subcharts, but configured +with the stock docker.io memcached image. See [Bitnami's +documentation](https://artifacthub.io/packages/helm/bitnami/memcached) +for this subchart. ## Requirements | Repository | Name | Version | |------------|------|---------| -| oci://registry-1.docker.io/bitnamicharts | memcached | 7.4.16 | -| oci://registry-1.docker.io/bitnamicharts | postgresql | 15.5.32 | -| oci://registry-1.docker.io/bitnamicharts | rabbitmq | 14.7.0 | -| oci://registry-1.docker.io/bitnamicharts | redis | 20.1.4 | +| https://groundhog2k.github.io/helm-charts/ | postgresql(postgres) | 1.5.11 | +| https://groundhog2k.github.io/helm-charts/ | rabbitmq | 2.2.0 | +| https://groundhog2k.github.io/helm-charts/ | redis | 2.1.7 | +| oci://registry-1.docker.io/bitnamicharts | memcached | 7.9.7 | 
diff --git a/kubernetes/chart/zulip/README.md.gotmpl b/kubernetes/chart/zulip/README.md.gotmpl index 9de939a8dc..2492da97bd 100644 --- a/kubernetes/chart/zulip/README.md.gotmpl +++ b/kubernetes/chart/zulip/README.md.gotmpl @@ -91,15 +91,20 @@ SECRETS_email_password: ### Dependencies -The chart uses Memcached, RabbitMQ and Redis helm charts defined in -the Bitnami Helm repository. Most of these are configured following their -default settings, but you can check -https://github.com/bitnami/charts/tree/master/bitnami/ for more configuration -options of the subcharts. - -For PostgreSQL the chart also uses the Bitnami chart to install it on the -Kubernetes cluster. However, in this case we use Zulip's -[zulip-postgresql](https://hub.docker.com/r/zulip/zulip-postgresql) docker -image, because it contains the Postgresql plugins that are needed to run Zulip. +The chart uses PostgreSQL, RabbitMQ and Redis helm charts defined in +the groundhog2k Helm repository. Most of these are configured +following their default settings, but you can check +https://github.com/groundhog2k/helm-charts/tree/master/charts/ for +more configuration options of these subcharts. The PostgreSQL +subchart uses the +[zulip-postgresql](https://hub.docker.com/r/zulip/zulip-postgresql) +docker image, because it contains the Postgresql plugins that are +needed to run Zulip. + +For Memcached, the chart uses the Bitnami subcharts, but configured +with the stock docker.io memcached image. See [Bitnami's +documentation](https://artifacthub.io/packages/helm/bitnami/memcached) +for this subchart. + {{ template "chart.requirementsSection" . }} diff --git a/kubernetes/chart/zulip/templates/_helpers.tpl b/kubernetes/chart/zulip/templates/_helpers.tpl index a6fbde30a8..b9e72731e4 100644 --- a/kubernetes/chart/zulip/templates/_helpers.tpl +++ b/kubernetes/chart/zulip/templates/_helpers.tpl 
@@ -67,25 +67,25 @@ include all env variables for Zulip pods {{- define "zulip.env" -}} - name: DB_HOST - value: "{{ template "postgresql.v1.primary.fullname" .Subcharts.postgresql }}" + value: "{{ template "postgres.fullname" .Subcharts.postgresql }}" - name: DB_HOST_PORT - value: "{{ template "postgresql.v1.service.port" .Subcharts.postgresql }}" + value: "{{ .Values.postgresql.service.port }}" - name: DB_USER - value: "postgres" + value: "zulip" - name: SETTING_MEMCACHED_LOCATION value: "{{ template "common.names.fullname" .Subcharts.memcached }}:11211" - name: SETTING_RABBITMQ_HOST - value: "{{ template "common.names.fullname" .Subcharts.rabbitmq }}" + value: "{{ template "rabbitmq.fullname" .Subcharts.rabbitmq }}" - name: SETTING_REDIS_HOST - value: "{{ template "common.names.fullname" .Subcharts.redis }}-headless" + value: "{{ template "redis.fullname" .Subcharts.redis }}-headless" - name: SECRETS_rabbitmq_password - value: "{{ .Values.rabbitmq.auth.password }}" + value: "{{ .Values.rabbitmq.authentication.password.value }}" - name: SECRETS_postgres_password - value: "{{ .Values.postgresql.auth.password }}" + value: "{{ .Values.postgresql.userDatabase.password.value }}" - name: SECRETS_memcached_password value: "{{ .Values.memcached.memcachedPassword }}" - name: SECRETS_redis_password - value: "{{ .Values.redis.auth.password }}" + value: "{{ .Values.redis.password }}" - name: SECRETS_secret_key value: "{{ .Values.zulip.password }}" {{- range $key, $value := .Values.zulip.environment }} diff --git a/kubernetes/chart/zulip/values-local.yaml.example b/kubernetes/chart/zulip/values-local.yaml.example index b311fb4edb..48461ca0d2 100644 --- a/kubernetes/chart/zulip/values-local.yaml.example +++ b/kubernetes/chart/zulip/values-local.yaml.example 
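Review bot: `DB_USER` is now the literal `"zulip"` while the subchart takes its user from `postgresql.userDatabase.user.value`, so overriding that value leaves Zulip connecting under a different name than the one the database was initialised with; `value: "{{ .Values.postgresql.userDatabase.user.value }}"` keeps the two in step. The password lookups move to new keys (`rabbitmq.authentication.password.value`, `postgresql.userDatabase.password.value`, `redis.password`), so a values file that still sets the old `*.auth.password` keys no longer feeds these variables; wrapping each lookup in `required` with a message naming the new key would make that failure explicit at install time. The example values file in this patch carries the comment `# XXX Is this actually used?` on `redis.password`, so confirm that the Redis subchart enforces the password before Zulip is configured to send one. The `zulip.env` define continues outside the hunk.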
@@ -43,18 +43,23 @@ memcached: # memcachedPassword: set-secure-password rabbitmq: - auth: - # password: set-secure-password - # erlangCookie: set-secure-password + authentication: + password: + # value: set-secure-password + erlangCookie: + # value: set-secure-password redis: - auth: - # password: set-secure-password + # XXX Is this actually used? + # password: set-secure-password postgresql: - auth: - # # postgres admin user password - # postgresqlPassword: set-secure-password - # # postgres zulip user password - # password: set-secure-password + settings: + superuserPassword: + ## postgres user password + # value: set-secure-password + userDatabase: + password: + ## postgres zulip user password + # value: set-secure-password diff --git a/kubernetes/chart/zulip/values.yaml b/kubernetes/chart/zulip/values.yaml index d9aca8a80b..9cd4c74672 100644 --- a/kubernetes/chart/zulip/values.yaml +++ b/kubernetes/chart/zulip/values.yaml @@ -22,10 +22,10 @@ image: ## Global Docker registry secret names as an array. imagePullSecrets: [] -## Partially override common.names.fullname template (will maintain the release name). +## Partially override zulip.fullname template (will maintain the release name). nameOverride: "" -## Fully override common.names.fullname template. +## Fully override zulip.fullname template. fullnameOverride: "" serviceAccount: 
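Review bot: In values-local.yaml.example the `redis:` block now carries `# XXX Is this actually used?` above the password, which leaves open whether Redis is password-protected at all after the subchart switch. `_helpers.tpl` in the same patch passes `.Values.redis.password` to Zulip as `SECRETS_redis_password`, so if the subchart does not read that key the server would presumably run without authentication while the client is configured with a password. I would settle this before merging and replace the marker with a comment that names the consumer of the value, for example `## password Zulip uses to connect to Redis; check the redis subchart's values for the server side`.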
@@ -198,37 +198,49 @@ sidecars: [] ## PostgreSQL settings, see [Requirements](#Requirements). postgresql: - primary: - containerSecurityContext: - # 70 is the standard uid/gid of the "postgres" user in Alpine, which is - # used as the base for zulip/zulip-postgresql - # https://github.com/docker-library/postgres/blob/23987751b63ce745bd27b1119ab29dc4a1ffd728/Dockerfile-alpine.template#L7 - runAsUser: 70 - runAsGroup: 70 - readOnlyRootFilesystem: false ## We need to override the Postgresql image to get all the plugins Zulip needs image: - repository: zulip/zulip-postgresql + registry: zulip + repository: zulip-postgresql tag: 14 - auth: - username: zulip - database: zulip + securityContext: + # 70 is the standard uid/gid of the "postgres" user in Alpine, which is + # used as the base for zulip/zulip-postgresql + # https://github.com/docker-library/postgres/blob/23987751b63ce745bd27b1119ab29dc4a1ffd728/Dockerfile-alpine.template#L7 + runAsUser: 70 + runAsGroup: 70 + readOnlyRootFilesystem: false + userDatabase: + name: + value: zulip + user: + value: zulip + customScripts: + 02-zulip-schema.sh: | + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \ + -v "dbuser=$USERDB_USER" -v "dbname=$POSTGRES_DB" <<-EOSQL + ALTER ROLE :"dbuser" SET search_path TO :"dbname",public; + CREATE SCHEMA zulip AUTHORIZATION :"dbuser"; + EOSQL ## Rabbitmq settings, see [Requirements](#Requirements). rabbitmq: - auth: - username: zulip - ## Set this to true if you need the rabbitmq to be persistent - persistence: - enabled: false + # Persistence is disabled by setting neither + # `storage.persistentVolumeClaimName` nor `storage.requestedSize`. + authentication: + user: + value: zulip ## Memcached settings, see [Requirements](#Requirements). memcached: memcachedUsername: "zulip@localhost" + image: + registry: docker.io + repository: memcached + tag: alpine ## Redis settings, see [Requirements](#Requirements). 
redis: - architecture: standalone - master: - persistence: - enabled: false + # Persistence is disabled by setting neither + # `storage.persistentVolumeClaimName` nor `storage.requestedSize`. + {} From 4b3cf919a4a08b3e47e30d6258f816710ab45eb5 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Thu, 30 Oct 2025 16:48:58 -0400 Subject: [PATCH 11/11] github: Add chart lint and test action. --- .github/workflows/helm-test.yaml | 71 ++++++++++++++++++++ docker-compose.yml | 1 + kubernetes/chart/zulip/Chart.lock | 2 +- kubernetes/chart/zulip/ci/simple-values.yaml | 28 ++++++++ kubernetes/chart/zulip/values.yaml | 2 + 5 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/helm-test.yaml create mode 100644 kubernetes/chart/zulip/ci/simple-values.yaml diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml new file mode 100644 index 0000000000..67f4abae1d --- /dev/null +++ b/.github/workflows/helm-test.yaml 
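Review bot: In the values.yaml hunk at `@@ -198,37 +198,49 @@` the Memcached override sets `tag: alpine`, a floating tag, so the image that gets deployed can change without any change to the chart; `postgresql.image.tag: 14` is similarly loose. Pinning to a specific version, and ideally a digest, keeps deployments reproducible and reviewable, e.g. `tag: <pinned-version>` with the version chosen by the maintainers. Separately, `02-zulip-schema.sh` sets `search_path` to `:"dbname"` but creates the schema under the literal name `zulip`, so the two only agree while `userDatabase.name.value` stays `zulip`; `CREATE SCHEMA :"dbname" AUTHORIZATION :"dbuser";` would keep them in step, if the schema is meant to follow the database name.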
@@ -0,0 +1,71 @@
+---
+name: Helm lint and test
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v4.2.0
+ with:
+ version: v3.17.0
+
+ - uses: actions/setup-python@v5.3.0
+ with:
+ python-version: "3.x"
+ check-latest: true
+
+ - name: Run helm-docs
+ uses: losisin/helm-docs-github-action@v1
+ with:
+ fail-on-diff: true
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.7.0
+ with:
+ version: 3.14.0
+ yamllint_version: 1.37.1
+ yamale_version: 6.0.0
+
+ - name: Set up helm repos
+ run: |
+ helm repo add groundhog2k https://groundhog2k.github.io/helm-charts/
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --chart-dirs kubernetes/chart --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run chart-testing (lint)
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct lint --chart-dirs kubernetes/chart --target-branch ${{ github.event.repository.default_branch }} --lint-conf lintconf.yaml --github-groups
+
+ - name: Create kind cluster
+ if: steps.list-changed.outputs.changed == 'true'
+ uses: helm/kind-action@v1
+
+ - name: Run chart-testing (install)
+ id: chart-testing-install
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct install --chart-dirs kubernetes/chart --target-branch ${{ github.event.repository.default_branch }} --github-groups --skip-clean-up
+
+ - name: Fetch logs
+ if: always()
+ run: |
+ namespace=$(helm list --all-namespaces --output json \
+ | jq -r '[.[] | select(.namespace | startswith("zulip-"))][0].namespace')
+ pod=$(kubectl get pods -n "$namespace" -l app.kubernetes.io/name=zulip --output name)
+ kubectl -n "$namespace" exec -it "$pod" -c zulip -- cat /var/log/zulip/errors.log
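Review bot: The `Fetch logs` step in helm-test.yaml runs under `if: always()`, so it also runs when `list-changed` found nothing and no kind cluster was created, in which case the `helm` and `kubectl` calls presumably fail and fail the job for pull requests that do not touch the chart. Gating it as `if: always() && steps.list-changed.outputs.changed == 'true'` avoids that, and `-it` can be dropped from `kubectl exec` since the runner has no terminal. The workflow also declares no `permissions:` block and references third-party actions by mutable tags (`losisin/helm-docs-github-action@v1`, `helm/kind-action@v1`); adding `permissions:` with `contents: read` and pinning those actions to full commit SHAs would limit what a compromised action can do with the job token.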
diff --git a/docker-compose.yml b/docker-compose.yml
index 164beb95cf..95c2e1e451 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -63,6 +63,7 @@ services:
 - "80:80"
 - "443:443"
 environment:
+ MANUAL_CONFIGURATION: True
 ## See https://github.com/zulip/docker-zulip#configuration for
 ## details on this section and how to discover the many
 ## additional settings that are supported here.
diff --git a/kubernetes/chart/zulip/Chart.lock b/kubernetes/chart/zulip/Chart.lock
index ffe1cf61c2..89aa2c3adb 100644
--- a/kubernetes/chart/zulip/Chart.lock
+++ b/kubernetes/chart/zulip/Chart.lock
@@ -12,4 +12,4 @@ dependencies:
 repository: https://groundhog2k.github.io/helm-charts/
 version: 1.5.11
 digest: sha256:c7d4845a79011fbbf12fee4e5e51c3c0762446f229c08e499f792a52bc185b16
-generated: "2025-11-06T00:13:51.539064-05:00"
+generated: "2025-11-06T14:56:51.248272-05:00"
diff --git a/kubernetes/chart/zulip/ci/simple-values.yaml b/kubernetes/chart/zulip/ci/simple-values.yaml
new file mode 100644
index 0000000000..bcb73b97c0
--- /dev/null
+++ b/kubernetes/chart/zulip/ci/simple-values.yaml
@@ -0,0 +1,28 @@
+---
+zulip:
+ password: set-secure-zulip-password
+ environment:
+ SETTING_ZULIP_ADMINISTRATOR: "admin@example.net"
+ SETTING_EXTERNAL_HOST: zulip.example.net
+ ZULIP_AUTH_BACKENDS: "EmailAuthBackend"
+
+memcached:
+ memcachedPassword: set-secure-memcached-password
+
+rabbitmq:
+ authentication:
+ password:
+ value: thing
+ erlangCookie:
+ value: moose
+
+redis:
+ password: set-secure-redis-password
+
+postgresql:
+ settings:
+ superuserPassword:
+ value: set-secure-postgresql-postgres-password
+ userDatabase:
+ password:
+ value: set-secure-postgresql-zulip-password
diff --git a/kubernetes/chart/zulip/values.yaml b/kubernetes/chart/zulip/values.yaml
index 9cd4c74672..4eadced25d 100644
--- a/kubernetes/chart/zulip/values.yaml
+++ b/kubernetes/chart/zulip/values.yaml
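Review bot: In docker-compose.yml the added `MANUAL_CONFIGURATION: True` does not appear related to the chart lint and test action this commit describes, and it changes the default for everyone who starts from the shipped compose file. The hunk does not show what the entrypoint does with it; if, as the name suggests, it turns off automatic generation of the server configuration, a deployment from this file would run with whatever settings happen to be in the image or volume rather than the ones listed under `environment:`. If it is intentional, it should be quoted so YAML does not parse it as a boolean, `MANUAL_CONFIGURATION: "True"`, and explained in a comment; otherwise it looks like a leftover to drop from this commit.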
@@ -227,6 +227,8 @@ postgresql:
 rabbitmq:
 # Persistence is disabled by setting neither
 # `storage.persistentVolumeClaimName` nor `storage.requestedSize`.
+ image:
+ tag: 4.2.0
 authentication:
 user:
 value: zulip