fix(helm): fix mariadb.enabled=false causing configmap and job failures #166
Merged
When mariadb.enabled is set to false (external database), two problems occurred:
- mariadb-glpi-config ConfigMap was not created, causing initContainers in glpi-job.yaml to fail with a missing ConfigMap reference
- MARIADB_PORT in glpi-configmap.yaml always referenced mariadb.service.port regardless of which database was in use
Fixes:
- mariadb-configmap.yaml now always renders, with conditional values for internal or external database host/port
- glpi-configmap.yaml MARIADB_HOST and MARIADB_PORT are now both inside the if/else block
- Added externalDatabase.port field to values.yaml (default: 3306)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…lpi-config
The initContainers that wait for the database were referencing mariadb-glpi-config, which only exists when mariadb.enabled=true. Changed to reference glpi-config, which always exists and already contains the correct MARIADB_HOST and MARIADB_PORT for both internal MariaDB and external database scenarios.
mariadb-configmap.yaml is reverted to only render when mariadb.enabled=true, keeping it scoped to the internal MariaDB setup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
eduardofraga approved these changes Jul 1, 2026
eduardofraga added a commit that referenced this pull request Jul 1, 2026
* fix: render podSecurityContext and securityContext in all workload templates
Move security contexts from global scope to per-component values
(glpi.*, mariadb.*, redis.*) and wire them into every template.
- glpi: podSecurityContext (fsGroup: 82) and securityContext (runAsUser: 82,
non-root, drop ALL) rendered on php-fpm, nginx, all 5 init jobs, cronjob
- mariadb/redis: podSecurityContext and securityContext stubbed as {}
(no-op by default, can be overridden)
Fixes #153
* fix: gate Namespace creation behind flag
Remove the implicit Namespace creation via which
breaks namespace-scoped RBAC deployments (e.g., FluxCD multi-tenancy).
- Add (default: false) to explicitly opt in
- now only controls resource scoping
- Namespace template uses helper for consistent behavior
Closes #154
* fix: add role: primary selector to mariadb-headless service
The headless service selector previously matched all pods in the release
(nginx, php-fpm) because glpi.selectorLabels is applied chart-wide.
This caused ~75% of connection attempts from GLPI to mariadb-headless
to time out as DNS round-robined across non-MariaDB endpoints.
Fixed by adding 'role: primary' to the selector, consistent with the
ClusterIP mariadb service which already does this.
Closes #155
* fix(chart): add Helm hooks and ordering to init Jobs, add wait-for-mariadb initContainers
- Add helm.sh/hook annotations with hook-weights to all 6 jobs
- db-install: post-install only (weight 10)
- db-upgrade: post-upgrade only (weight 10)
- verify-dir: post-install,post-upgrade (weight 5)
- mariadb-timezone: post-install,post-upgrade (weight 7)
- db-configure: post-install,post-upgrade (weight 20)
- cache-configure: post-install,post-upgrade (weight 30)
- Add hook-delete-policy: before-hook-creation,hook-succeeded to all jobs
- Add wait-for-mariadb initContainers (busybox nc) to db-install,
db-upgrade, db-configure, and mariadb-timezone
- Fixes dbUpgrade running on fresh installs (db-upgrade is post-upgrade only)
Closes #156
* docs: sync documentation with current codebase (v11.0.7)
* fix(chart): major Helm chart fixes for v11.0.7-1
- Fix CronJob YAML indentation preventing deployment
- Fix Ingress backend service name to match nginx service
- StatefulSet: volumeClaimTemplates for multi-replica, requiredDuringScheduling
- Add app.kubernetes.io/component labels consistently across templates
- Add ServiceAccount template, imagePullSecrets, scheduling values
- Add external database support via externalDatabase config
- Add security contexts + resource limits to init containers
- Redis: add liveness/readiness probes and non-root security context
- MariaDB/Redis: non-root security contexts by default
- Fix GLPI_DOC_DIR pointing to /var/www/html instead of var dir
- Remove deprecated annotations and status subresource fields
- Add terminationGracePeriodSeconds(120s) to MariaDB StatefulSet
* fix(ci): publish job condition was skipping on release events
* chore(chart): trigger chart release for v11.0.7-1
* fix(chart): move terminationGracePeriodSeconds to pod spec
* docs: sync documentation with current codebase (v11.0.7)
* fix(chart): major Helm chart fixes for v11.0.7-1
- Fix CronJob YAML indentation preventing deployment
- Fix Ingress backend service name to match nginx service
- StatefulSet: volumeClaimTemplates for multi-replica, requiredDuringScheduling
- Add app.kubernetes.io/component labels consistently across templates
- Add ServiceAccount template, imagePullSecrets, scheduling values
- Add external database support via externalDatabase config
- Add security contexts + resource limits to init containers
- Redis: add liveness/readiness probes and non-root security context
- MariaDB/Redis: non-root security contexts by default
- Fix GLPI_DOC_DIR pointing to /var/www/html instead of var dir
- Remove deprecated annotations and status subresource fields
- Add terminationGracePeriodSeconds(120s) to MariaDB StatefulSet
* fix(ci): publish job condition was skipping on release events
* chore(chart): trigger chart release for v11.0.7-1
* fix(chart): move terminationGracePeriodSeconds to pod spec
* chore(chart): bump chart version to 11.0.7-2
* chore(chart): bump version back to 11.0.7 (recreate with fixes)
* docs: update README files with current versions and config
* chore: bump version from 11.0.7 to 11.0.8
Update all version references across Dockerfiles, docker-compose
configs, Helm chart, and documentation to GLPI 11.0.8.
* chore(deps): bump actions/checkout from 6 to 7 (#164)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(helm): fix mariadb.enabled=false causing configmap and job failures (#166)
* fix(helm): fix mariadb.enabled=false causing configmap and job failures
When mariadb.enabled is set to false (external database), two problems
occurred:
- mariadb-glpi-config ConfigMap was not created, causing initContainers
in glpi-job.yaml to fail with a missing ConfigMap reference
- MARIADB_PORT in glpi-configmap.yaml always referenced
mariadb.service.port regardless of which database was in use
Fixes:
- mariadb-configmap.yaml now always renders, with conditional values for
internal or external database host/port
- glpi-configmap.yaml MARIADB_HOST and MARIADB_PORT are now both inside
the if/else block
- Added externalDatabase.port field to values.yaml (default: 3306)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(helm): use glpi-config in job initContainers instead of mariadb-glpi-config
The initContainers that wait for the database were referencing
mariadb-glpi-config, which only exists when mariadb.enabled=true.
Changed to reference glpi-config, which always exists and already
contains the correct MARIADB_HOST and MARIADB_PORT for both internal
MariaDB and external database scenarios.
mariadb-configmap.yaml is reverted to only render when
mariadb.enabled=true, keeping it scoped to the internal MariaDB setup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Leandro Souza <lsouzarj@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
eduardofraga added a commit that referenced this pull request Jul 1, 2026
* Update Helm publish workflow to clean package directory
Remove existing package directory before creating a new one.
* Update helm chart artifact upload path (#168)
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Leandro Souza <lsouzarj@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Problem

When mariadb.enabled: false is set to use an external database, two bugs caused failures:

- Job initContainers failing: The wait-for-db initContainers in glpi-job.yaml referenced mariadb-glpi-config, which is only created when mariadb.enabled: true. With an external database this ConfigMap does not exist, causing all jobs to crash on startup.
- Wrong port reference: MARIADB_PORT in glpi-configmap.yaml was outside the if/else block, always reading from mariadb.service.port even when using an external database.

Fix

- glpi-job.yaml: initContainers now reference glpi-config instead of mariadb-glpi-config. glpi-config always exists and already contains the correct MARIADB_HOST and MARIADB_PORT for both internal MariaDB and external database scenarios.
- mariadb-configmap.yaml: kept scoped to mariadb.enabled: true only (internal MariaDB).
- glpi-configmap.yaml: MARIADB_HOST and MARIADB_PORT are now both inside the if/else block, correctly resolving to the external database values when MariaDB is disabled.
- values.yaml: added externalDatabase.port field (default: 3306).

Testing

Validated with helm template using both mariadb.enabled: true (default values) and mariadb.enabled: false with externalDatabase configured.
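
A check for the failure described above, as an added example that is not part of the PR or the chart: it parses rendered manifests and reports every workload that references a ConfigMap the same render does not define. The sample manifests are constructed, and the envFrom wiring of the wait-for-db init container is an assumption; only the ConfigMap and Job names come from the page.

```ruby
require 'yaml'

REF_KEYS = %w[configMapRef configMapKeyRef configMap].freeze

# Collect every ConfigMap name a manifest references (optional refs skipped).
def configmap_refs(node, found = [])
  case node
  when Hash
    node.each do |key, value|
      if REF_KEYS.include?(key) && value.is_a?(Hash) && value['name']
        found << value['name'] unless value['optional'] == true
      end
      configmap_refs(value, found)
    end
  when Array
    node.each { |item| configmap_refs(item, found) }
  end
  found
end

# Map "Kind/name" => ConfigMap names it references that the render lacks.
def dangling_configmap_refs(rendered)
  docs = YAML.load_stream(rendered).select { |d| d.is_a?(Hash) }
  present = docs.select { |d| d['kind'] == 'ConfigMap' }
                .map { |d| d.dig('metadata', 'name') }
  docs.each_with_object({}) do |doc, report|
    missing = configmap_refs(doc).uniq - present
    report["#{doc['kind']}/#{doc.dig('metadata', 'name')}"] = missing unless missing.empty?
  end
end

# Constructed render for mariadb.enabled=false (not the chart's real output).
# How the init container consumes the ConfigMap (envFrom) is an assumption.
SAMPLE = <<~MANIFESTS
  kind: ConfigMap
  metadata: {name: glpi-config}
  ---
  kind: Job
  metadata: {name: db-install}
  spec:
    template:
      spec:
        initContainers:
          - name: wait-for-db
            envFrom:
              - configMapRef: {name: INIT_REF}
        containers:
          - name: db-install
            envFrom:
              - configMapRef: {name: glpi-config}
MANIFESTS
BEFORE_FIX = SAMPLE.sub('INIT_REF', 'mariadb-glpi-config') # reference before the PR
AFTER_FIX  = SAMPLE.sub('INIT_REF', 'glpi-config')         # reference after the PR

puts dangling_configmap_refs(BEFORE_FIX).inspect, dangling_configmap_refs(AFTER_FIX).inspect
```

Feeding each helm template render (default values and mariadb.enabled: false) through dangling_configmap_refs turns the manual validation into a check that fails when a template points at a ConfigMap gated behind a disabled component.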