Skip to content

fix(helm): fix mariadb.enabled=false causing configmap and job failures#166

Merged
eduardofraga merged 2 commits into
eftechcombr:latestfrom
leandrosouza:fix/mariadb_false
Jul 1, 2026
Merged

fix(helm): fix mariadb.enabled=false causing configmap and job failures#166
eduardofraga merged 2 commits into
eftechcombr:latestfrom
leandrosouza:fix/mariadb_false

Conversation

@leandrosouza

@leandrosouza leandrosouza commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Problem

When mariadb.enabled: false is set to use an external database, two bugs caused failures:

  1. Job initContainers failing: The wait-for-db initContainers in glpi-job.yaml referenced
    mariadb-glpi-config, which is only created when mariadb.enabled: true. With an external
    database this ConfigMap does not exist, causing all jobs to crash on startup.

  2. Wrong port reference: MARIADB_PORT in glpi-configmap.yaml was outside the if/else
    block, always reading from mariadb.service.port even when using an external database.

Fix

  • glpi-job.yaml: initContainers now reference glpi-config instead of mariadb-glpi-config.
    glpi-config always exists and already contains the correct MARIADB_HOST and MARIADB_PORT
    for both internal MariaDB and external database scenarios.
  • mariadb-configmap.yaml: kept scoped to mariadb.enabled: true only (internal MariaDB).
  • glpi-configmap.yaml: MARIADB_HOST and MARIADB_PORT are now both inside the if/else
    block, correctly resolving to the external database values when MariaDB is disabled.
  • values.yaml: added externalDatabase.port field (default: 3306).

Testing

Validated with helm template using both mariadb.enabled: true (default values) and
mariadb.enabled: false with externalDatabase configured.

leandrosouza and others added 2 commits June 29, 2026 18:26
When mariadb.enabled is set to false (external database), two problems
occurred:

- mariadb-glpi-config ConfigMap was not created, causing initContainers
  in glpi-job.yaml to fail with a missing ConfigMap reference
- MARIADB_PORT in glpi-configmap.yaml always referenced
  mariadb.service.port regardless of which database was in use

Fixes:
- mariadb-configmap.yaml now always renders, with conditional values for
  internal or external database host/port
- glpi-configmap.yaml MARIADB_HOST and MARIADB_PORT are now both inside
  the if/else block
- Added externalDatabase.port field to values.yaml (default: 3306)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lpi-config

The initContainers that wait for the database were referencing
mariadb-glpi-config, which only exists when mariadb.enabled=true.

Changed to reference glpi-config, which always exists and already
contains the correct MARIADB_HOST and MARIADB_PORT for both internal
MariaDB and external database scenarios.

mariadb-configmap.yaml is reverted to only render when
mariadb.enabled=true, keeping it scoped to the internal MariaDB setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@eduardofraga eduardofraga added the bug Something isn't working label Jul 1, 2026
@eduardofraga eduardofraga merged commit c398420 into eftechcombr:latest Jul 1, 2026
3 checks passed
eduardofraga added a commit that referenced this pull request Jul 1, 2026
* fix: render podSecurityContext and securityContext in all workload templates

Move security contexts from global scope to per-component values
(glpi.*, mariadb.*, redis.*) and wire them into every template.

- glpi: podSecurityContext (fsGroup: 82) and securityContext (runAsUser: 82,
  non-root, drop ALL) rendered on php-fpm, nginx, all 5 init jobs, cronjob
- mariadb/redis: podSecurityContext and securityContext stubbed as {}
  (no-op by default, can be overridden)

Fixes #153

* fix: gate Namespace creation behind  flag

Remove the implicit Namespace creation via  which
breaks namespace-scoped RBAC deployments (e.g., FluxCD multi-tenancy).

- Add  (default: false) to explicitly opt in
-  now only controls resource scoping
- Namespace template uses  helper for consistent behavior

Closes #154

* fix: add role: primary selector to mariadb-headless service

The headless service selector previously matched all pods in the release
(nginx, php-fpm) because glpi.selectorLabels is applied chart-wide.
This caused ~75% of connection attempts from GLPI to mariadb-headless
to time out as DNS round-robined across non-MariaDB endpoints.

Fixed by adding 'role: primary' to the selector, consistent with the
ClusterIP mariadb service which already does this.

Closes #155

* fix(chart): add Helm hooks and ordering to init Jobs, add wait-for-mariadb initContainers

- Add helm.sh/hook annotations with hook-weights to all 6 jobs
- db-install: post-install only (weight 10)
- db-upgrade: post-upgrade only (weight 10)
- verify-dir: post-install,post-upgrade (weight 5)
- mariadb-timezone: post-install,post-upgrade (weight 7)
- db-configure: post-install,post-upgrade (weight 20)
- cache-configure: post-install,post-upgrade (weight 30)
- Add hook-delete-policy: before-hook-creation,hook-succeeded to all jobs
- Add wait-for-mariadb initContainers (busybox nc) to db-install,
  db-upgrade, db-configure, and mariadb-timezone
- Fixes dbUpgrade running on fresh installs (db-upgrade is post-upgrade only)

Closes #156

* docs: sync documentation with current codebase (v11.0.7)

* fix(chart): major Helm chart fixes for v11.0.7-1

- Fix CronJob YAML indentation preventing deployment
- Fix Ingress backend service name to match nginx service
- StatefulSet: volumeClaimTemplates for multi-replica, requiredDuringScheduling
- Add app.kubernetes.io/component labels consistently across templates
- Add ServiceAccount template, imagePullSecrets, scheduling values
- Add external database support via externalDatabase config
- Add security contexts + resource limits to init containers
- Redis: add liveness/readiness probes and non-root security context
- MariaDB/Redis: non-root security contexts by default
- Fix GLPI_DOC_DIR pointing to /var/www/html instead of var dir
- Remove deprecated annotations and status subresource fields
- Add terminationGracePeriodSeconds(120s) to MariaDB StatefulSet

* fix(ci): publish job condition was skipping on release events

* chore(chart): trigger chart release for v11.0.7-1

* fix(chart): move terminationGracePeriodSeconds to pod spec

* docs: sync documentation with current codebase (v11.0.7)

* fix(chart): major Helm chart fixes for v11.0.7-1

- Fix CronJob YAML indentation preventing deployment
- Fix Ingress backend service name to match nginx service
- StatefulSet: volumeClaimTemplates for multi-replica, requiredDuringScheduling
- Add app.kubernetes.io/component labels consistently across templates
- Add ServiceAccount template, imagePullSecrets, scheduling values
- Add external database support via externalDatabase config
- Add security contexts + resource limits to init containers
- Redis: add liveness/readiness probes and non-root security context
- MariaDB/Redis: non-root security contexts by default
- Fix GLPI_DOC_DIR pointing to /var/www/html instead of var dir
- Remove deprecated annotations and status subresource fields
- Add terminationGracePeriodSeconds(120s) to MariaDB StatefulSet

* fix(ci): publish job condition was skipping on release events

* chore(chart): trigger chart release for v11.0.7-1

* fix(chart): move terminationGracePeriodSeconds to pod spec

* chore(chart): bump chart version to 11.0.7-2

* chore(chart): bump version back to 11.0.7 (recreate with fixes)

* docs: update README files with current versions and config

* chore: bump version from 11.0.7 to 11.0.8

Update all version references across Dockerfiles, docker-compose
configs, Helm chart, and documentation to GLPI 11.0.8.

* chore(deps): bump actions/checkout from 6 to 7 (#164)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(helm): fix mariadb.enabled=false causing configmap and job failures (#166)

* fix(helm): fix mariadb.enabled=false causing configmap and job failures

When mariadb.enabled is set to false (external database), two problems
occurred:

- mariadb-glpi-config ConfigMap was not created, causing initContainers
  in glpi-job.yaml to fail with a missing ConfigMap reference
- MARIADB_PORT in glpi-configmap.yaml always referenced
  mariadb.service.port regardless of which database was in use

Fixes:
- mariadb-configmap.yaml now always renders, with conditional values for
  internal or external database host/port
- glpi-configmap.yaml MARIADB_HOST and MARIADB_PORT are now both inside
  the if/else block
- Added externalDatabase.port field to values.yaml (default: 3306)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(helm): use glpi-config in job initContainers instead of mariadb-glpi-config

The initContainers that wait for the database were referencing
mariadb-glpi-config, which only exists when mariadb.enabled=true.

Changed to reference glpi-config, which always exists and already
contains the correct MARIADB_HOST and MARIADB_PORT for both internal
MariaDB and external database scenarios.

mariadb-configmap.yaml is reverted to only render when
mariadb.enabled=true, keeping it scoped to the internal MariaDB setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Leandro Souza <lsouzarj@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
eduardofraga added a commit that referenced this pull request Jul 1, 2026
* fix: render podSecurityContext and securityContext in all workload templates

Move security contexts from global scope to per-component values
(glpi.*, mariadb.*, redis.*) and wire them into every template.

- glpi: podSecurityContext (fsGroup: 82) and securityContext (runAsUser: 82,
  non-root, drop ALL) rendered on php-fpm, nginx, all 5 init jobs, cronjob
- mariadb/redis: podSecurityContext and securityContext stubbed as {}
  (no-op by default, can be overridden)

Fixes #153

* fix: gate Namespace creation behind  flag

Remove the implicit Namespace creation via  which
breaks namespace-scoped RBAC deployments (e.g., FluxCD multi-tenancy).

- Add  (default: false) to explicitly opt in
-  now only controls resource scoping
- Namespace template uses  helper for consistent behavior

Closes #154

* fix: add role: primary selector to mariadb-headless service

The headless service selector previously matched all pods in the release
(nginx, php-fpm) because glpi.selectorLabels is applied chart-wide.
This caused ~75% of connection attempts from GLPI to mariadb-headless
to time out as DNS round-robined across non-MariaDB endpoints.

Fixed by adding 'role: primary' to the selector, consistent with the
ClusterIP mariadb service which already does this.

Closes #155

* fix(chart): add Helm hooks and ordering to init Jobs, add wait-for-mariadb initContainers

- Add helm.sh/hook annotations with hook-weights to all 6 jobs
- db-install: post-install only (weight 10)
- db-upgrade: post-upgrade only (weight 10)
- verify-dir: post-install,post-upgrade (weight 5)
- mariadb-timezone: post-install,post-upgrade (weight 7)
- db-configure: post-install,post-upgrade (weight 20)
- cache-configure: post-install,post-upgrade (weight 30)
- Add hook-delete-policy: before-hook-creation,hook-succeeded to all jobs
- Add wait-for-mariadb initContainers (busybox nc) to db-install,
  db-upgrade, db-configure, and mariadb-timezone
- Fixes dbUpgrade running on fresh installs (db-upgrade is post-upgrade only)

Closes #156

* docs: sync documentation with current codebase (v11.0.7)

* fix(chart): major Helm chart fixes for v11.0.7-1

- Fix CronJob YAML indentation preventing deployment
- Fix Ingress backend service name to match nginx service
- StatefulSet: volumeClaimTemplates for multi-replica, requiredDuringScheduling
- Add app.kubernetes.io/component labels consistently across templates
- Add ServiceAccount template, imagePullSecrets, scheduling values
- Add external database support via externalDatabase config
- Add security contexts + resource limits to init containers
- Redis: add liveness/readiness probes and non-root security context
- MariaDB/Redis: non-root security contexts by default
- Fix GLPI_DOC_DIR pointing to /var/www/html instead of var dir
- Remove deprecated annotations and status subresource fields
- Add terminationGracePeriodSeconds(120s) to MariaDB StatefulSet

* fix(ci): publish job condition was skipping on release events

* chore(chart): trigger chart release for v11.0.7-1

* fix(chart): move terminationGracePeriodSeconds to pod spec

* docs: sync documentation with current codebase (v11.0.7)

* fix(chart): major Helm chart fixes for v11.0.7-1

- Fix CronJob YAML indentation preventing deployment
- Fix Ingress backend service name to match nginx service
- StatefulSet: volumeClaimTemplates for multi-replica, requiredDuringScheduling
- Add app.kubernetes.io/component labels consistently across templates
- Add ServiceAccount template, imagePullSecrets, scheduling values
- Add external database support via externalDatabase config
- Add security contexts + resource limits to init containers
- Redis: add liveness/readiness probes and non-root security context
- MariaDB/Redis: non-root security contexts by default
- Fix GLPI_DOC_DIR pointing to /var/www/html instead of var dir
- Remove deprecated annotations and status subresource fields
- Add terminationGracePeriodSeconds(120s) to MariaDB StatefulSet

* fix(ci): publish job condition was skipping on release events

* chore(chart): trigger chart release for v11.0.7-1

* fix(chart): move terminationGracePeriodSeconds to pod spec

* chore(chart): bump chart version to 11.0.7-2

* chore(chart): bump version back to 11.0.7 (recreate with fixes)

* docs: update README files with current versions and config

* chore: bump version from 11.0.7 to 11.0.8

Update all version references across Dockerfiles, docker-compose
configs, Helm chart, and documentation to GLPI 11.0.8.

* chore(deps): bump actions/checkout from 6 to 7 (#164)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(helm): fix mariadb.enabled=false causing configmap and job failures (#166)

* fix(helm): fix mariadb.enabled=false causing configmap and job failures

When mariadb.enabled is set to false (external database), two problems
occurred:

- mariadb-glpi-config ConfigMap was not created, causing initContainers
  in glpi-job.yaml to fail with a missing ConfigMap reference
- MARIADB_PORT in glpi-configmap.yaml always referenced
  mariadb.service.port regardless of which database was in use

Fixes:
- mariadb-configmap.yaml now always renders, with conditional values for
  internal or external database host/port
- glpi-configmap.yaml MARIADB_HOST and MARIADB_PORT are now both inside
  the if/else block
- Added externalDatabase.port field to values.yaml (default: 3306)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(helm): use glpi-config in job initContainers instead of mariadb-glpi-config

The initContainers that wait for the database were referencing
mariadb-glpi-config, which only exists when mariadb.enabled=true.

Changed to reference glpi-config, which always exists and already
contains the correct MARIADB_HOST and MARIADB_PORT for both internal
MariaDB and external database scenarios.

mariadb-configmap.yaml is reverted to only render when
mariadb.enabled=true, keeping it scoped to the internal MariaDB setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* Update Helm publish workflow to clean package directory

Remove existing package directory before creating a new one.

* Update helm chart artifact upload path (#168)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Leandro Souza <lsouzarj@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants