From 8fc931a0d9ed99b5b74a30e5bb2a47eccd4a701b Mon Sep 17 00:00:00 2001 From: Nicolas Giard Date: Sun, 22 Feb 2026 00:04:24 -0500 Subject: [PATCH] fix(helm): Replace bitname PostgreSQL chart with custom statefulset (#7936) * fix(helm): Replace Bitnami PostgreSQL chart with custom StatefulSet (#7831) * refactor: migrate from Bitnami PostgreSQL to official PostgreSQL image Replace Bitnami PostgreSQL dependency with custom PostgreSQL StatefulSet implementation Add new PostgreSQL templates: statefulset, service, and PVC Update values.yaml to include PostgreSQL image configuration with official postgres:17.4 image Implement custom PostgreSQL deployment using official Docker Hub image instead of Bitnami chart Add PostgreSQL resource, nodeSelector, tolerations, and affinity configuration options Update helper templates to support new PostgreSQL implementation Update deployment template to connect to the new PostgreSQL implementation Update README.md to document the new PostgreSQL configuration parameters BREAKING CHANGE: This replaces the Bitnami PostgreSQL dependency with a custom PostgreSQL implementation using the official PostgreSQL image from Docker Hub, changing how PostgreSQL is deployed and configured. Signed-off-by: Ilya Gilev jazer23569@gmail.com * feature: added a option to use an existing secret for postresql installation --------- Signed-off-by: Ilya Gilev jazer23569@gmail.com * refactor(helm): adjust helm templates for clarity --------- Signed-off-by: Ilya Gilev jazer23569@gmail.com Co-authored-by: acidsugarx <58903233+acidsugarx@users.noreply.github.com> --- dev/helm/Chart.lock | 6 -- dev/helm/Chart.yaml | 35 +----- dev/helm/README.md | 70 ++++++++---- dev/helm/charts/postgresql-6.5.0.tgz | Bin 23426 -> 0 bytes dev/helm/templates/NOTES.txt | 13 +++ dev/helm/templates/_helpers.tpl | 61 ++++++++--- dev/helm/templates/deployment.yaml | 40 +++++-- dev/helm/templates/postgresql-pvc.yaml | 21 ++++ dev/helm/templates/postgresql-secret.yaml | 12 +++ dev/helm/templates/postgresql-service.yaml | 21 ++++ .../templates/postgresql-statefulset.yaml | 101 ++++++++++++++++++ dev/helm/templates/service.yaml | 4 - dev/helm/values.yaml | 75 +++++++++---- 13 files changed, 357 insertions(+), 102 deletions(-) delete mode 100644 dev/helm/Chart.lock delete mode 100644 dev/helm/charts/postgresql-6.5.0.tgz create mode 100644 dev/helm/templates/postgresql-pvc.yaml create mode 100644 dev/helm/templates/postgresql-secret.yaml create mode 100644 dev/helm/templates/postgresql-service.yaml create mode 100644 dev/helm/templates/postgresql-statefulset.yaml diff --git a/dev/helm/Chart.lock b/dev/helm/Chart.lock deleted file mode 100644 index d383d6e44..000000000 --- a/dev/helm/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: postgresql - repository: https://charts.bitnami.com/bitnami - version: 8.10.14 -digest: sha256:db7c1e0bc9ec0ed45520521bd76bb390d04711fd0f04affaadafa1dc498ce68b -generated: "2020-07-21T20:34:41.41180748-04:00" diff --git a/dev/helm/Chart.yaml b/dev/helm/Chart.yaml index 458defa31..b156d5efa 100644 --- a/dev/helm/Chart.yaml +++ b/dev/helm/Chart.yaml @@ -1,11 +1,7 @@ apiVersion: v2 -name: wiki -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -version: 2.3.0 -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. -AppVersion: latest +name: wiki-js +version: '3.0.0' +appVersion: '2' description: The most powerful and extensible open source Wiki software. keywords: - wiki @@ -14,29 +10,8 @@ keywords: - docs - reference - editor -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. type: application -dependencies: - - name: postgresql - version: 8.10.14 - repository: https://charts.bitnami.com/bitnami - condition: postgresql.enabled -home: https://wiki.js.org +home: https://js.wiki icon: https://cdn.js.wiki/images/wikijs-butterfly.svg sources: - - https://github.com/Requarks/wiki -maintainers: - - name: Nicolas Giard - email: github@ngpixel.com - url: https://github.com/NGPixel - - name: James Greenhill - email: james@fuziontech.net - url: https://github.com/fuziontech -engine: gotpl + - https://github.com/requarks/wiki diff --git a/dev/helm/README.md b/dev/helm/README.md index c1b73e227..762594b16 100644 --- a/dev/helm/README.md +++ b/dev/helm/README.md @@ -43,7 +43,7 @@ Wiki.js is an open source project that has been made possible due to the generou This chart bootstraps a Wiki.js deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -It also optionally packages the [PostgreSQL](https://github.com/kubernetes/charts/tree/master/stable/postgresql) as the database but you are free to bring your own. +It also optionally deploys PostgreSQL as the database using the official PostgreSQL image from Docker Hub, but you are free to bring your own database. ## Prerequisites @@ -59,7 +59,7 @@ $ helm repo add requarks https://charts.js.wiki To install the chart with the release name `my-release` run the following: -### Using Helm 3: +### Using Helm 3/4: ```console $ helm install my-release requarks/wiki ``` @@ -95,7 +95,7 @@ The following table lists the configurable parameters of the Wiki.js chart and t | Parameter | Description | Default | | ------------------------------- | ------------------------------- | ---------------------------------------------------------- | | `image.repository` | Wiki.js image | `requarks/wiki` | -| `image.tag` | Wiki.js image tag | `latest` | +| `image.tag` | Wiki.js image tag | `2` | | `imagePullPolicy` | Image pull policy | `IfNotPresent` | | `replicacount` | Number of Wiki.js pods to run | `1` | | `revisionHistoryLimit` | Total number of revision history points | `10` | @@ -119,20 +119,33 @@ The following table lists the configurable parameters of the Wiki.js chart and t | `sideload.resources.limits` | Resource limits for the sideload container | `nil` | | `sideload.resources.requests` | Resource requests for the sideload container | `nil` | | `nodeExtraCaCerts` | Trusted certificates path | `nil` | +| `externalPostgresql.databaseURL` | External postgres connection string | `nil` | | `postgresql.enabled` | Deploy postgres server (see below) | `true` | | `postgresql.postgresqlDatabase` | Postgres database name | `wiki` | | `postgresql.postgresqlUser` | Postgres username | `postgres` | -| `postgresql.postgresqlHost` | External postgres host | `nil` | -| `postgresql.postgresqlPassword` | External postgres password | `nil` | +| `postgresql.postgresqlHost` | Postgres host | `nil` | +| `postgresql.postgresqlPassword` | Postgres password | `nil` | | `postgresql.existingSecret` | Provide an existing `Secret` for postgres | `nil` | | `postgresql.existingSecretKey` | The postgres password key in the existing `Secret` | `postgresql-password` | -| `postgresql.postgresqlPort` | External postgres port | `5432` | +| `postgresql.existingSecretUserKey` | The postgres username key in the existing `Secret` | `postgresql-username` | +| `postgresql.postgresqlPort` | Postgres port | `5432` | | `postgresql.ssl` | Enable external postgres SSL connection | `false` | | `postgresql.ca` | Certificate of Authority content for postgres | `nil` | | `postgresql.persistence.enabled` | Enable postgres persistence using PVC | `true` | | `postgresql.persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` for postgres | `nil` | | `postgresql.persistence.storageClass` | Postgres PVC Storage Class (example: `nfs`) | `nil` | -| `postgresql.persistence.size` | Postgers PVC Storage Request | `8Gi` | +| `postgresql.persistence.size` | Postgres PVC Storage Request | `8Gi` | +| `postgresql.persistence.accessMode` | Postgres Persistent Volume Access Mode | `ReadWriteOnce` | +| `postgresql.image.repository` | PostgreSQL image repository | `postgres` | +| `postgresql.image.tag` | PostgreSQL image tag | `18` | +| `postgresql.image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | +| `postgresql.resources` | PostgreSQL resource requests/limits | `{}` | +| `postgresql.nodeSelector` | PostgreSQL node selector labels | `{}` | +| `postgresql.tolerations` | PostgreSQL toleration labels | `[]` | +| `postgresql.affinity` | PostgreSQL affinity settings | `{}` | +| `postgresql.service.type` | PostgreSQL service type | `ClusterIP` | +| `postgresql.service.port` | PostgreSQL service port | `5432` | +| `postgresql.service.annotations` | PostgreSQL service annotations | `{}` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -150,25 +163,44 @@ $ helm install --name my-release -f values.yaml requarks/wiki > **Tip**: You can use the default [values.yaml](values.yaml) -## PostgresSQL +## PostgreSQL -By default, PostgreSQL is installed as part of the chart. +By default, PostgreSQL is installed as part of the chart using the official PostgreSQL image from Docker Hub (version 18). ### Using an external PostgreSQL server -To use an external PostgreSQL server, set `postgresql.enabled` to `false` and then set `postgresql.postgresqlHost` and `postgresql.postgresqlPassword`. To use an existing `Secret`, set `postgresql.existingSecret`. The other options (`postgresql.postgresqlDatabase`, `postgresql.postgresqlUser`, `postgresql.postgresqlPort` and `postgresql.existingSecretKey`) may also want changing from their default values. +To use an external PostgreSQL server, set `postgresql.enabled` to `false`, then use either: -To use an SSL connection you can set `postgresql.ssl` to `true` and if needed the path to a Certificate of Authority can be set using `postgresql.ca` to `/path/to/ca`. Default `postgresql.ssl` value is `false`. +#### Connection String -If `postgresql.existingSecret` is not specified, you also need to add the following Helm template to your deployment in order to create the postgresql `Secret`: +Set `externalPostgresql.databaseURL` to the full PostgreSQL connection string. -```yaml -kind: Secret -apiVersion: v1 -metadata: - name: {{ template "wiki.postgresql.secret" . }} -data: - {{ template "wiki.postgresql.secretKey" . }}: "{{ .Values.postgresql.postgresqlPassword | b64enc }}" +#### Connection Parameters + +Set `externalPostgresql.host`, `externalPostgres.port`, `externalPostgres.database`, `externalPostgres.username`, `externalPostgres.existingSecret` *(secret name)* and `externalPostgres.existingSecretKey` *(key in the secret containing the password)* + +Ensure the secret specified in `externalPostgresql.existingSecret` already exists, with a password set at the path specified in `externalPostgres.existingSecretKey`. + +To use an SSL connection you can set `externalPostgresql.ssl` to `true` and if needed the path to a Certificate of Authority can be set using `externalPostgresql.ca` to `/path/to/ca`. Default `externalPostgresql.ssl` value is `false`. + +### Using an existing PostgreSQL secret with built-in PostgreSQL + +When using the built-in PostgreSQL (default behavior with `postgresql.enabled: true`), you can still use an existing Kubernetes secret for the database credentials by setting: + +- `postgresql.existingSecret`: Name of the existing secret containing the credentials +- `postgresql.existingSecretKey`: Key in the secret containing the password (defaults to `postgresql-password`) +- `postgresql.existingSecretUserKey`: Key in the secret containing the username (defaults to `postgresql-username`) +Example usage: +```bash +# Create your existing secret +kubectl create secret generic my-postgres-secret \ + --from-literal=postgresql-username=postgres \ + --from-literal=postgresql-password=yourpassword + +# Deploy with existing secret +helm install my-release requarks/wiki \ + --set postgresql.enabled=true \ + --set postgresql.existingSecret=my-postgres-secret ``` ## Persistence diff --git a/dev/helm/charts/postgresql-6.5.0.tgz b/dev/helm/charts/postgresql-6.5.0.tgz deleted file mode 100644 index acc79962ce8f45da1a26062d7d64520e3e065af8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 23426 zcmV*IKxe-niwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHcN;g7Fb>b({1o+2*^T9>NlLyYeAe?mvgLSm#uu$5Cp*WJ zR|301660p01E3{yEPwakK>_GS-*}NIJI<=lOe}WeQdKBa6$*ty%B7kJDu0jr&!bHzx!bC(c{0shQVllGO398%V2QRcB;sI zBM(X0FH}gzlObH}c1W7$KX-R~k9vbnL}e&gs_-512#mRaBf~f+|NUwQNCJHHFB+;q z(3t3wB!-A6G9r?~j3i`2XEaeD=TgyG2jJe@3pE` zOD-Zg>;zC0^nP@LoEV(|%r`;Pn1x8IP5@z?Nkv6xMp&Wa zjQNPfaDWpT*o;glq(qPzRaD5%))pMalt{V*30D-H^>EHF&V{qi56go z=FKskFsX#m9r)%bi{ld-3aT_h9n;FN1D@O)!l%!jEr4c=FOak)`Thbhm zgE|DiE7Q~4)R;5z9Hc`r0U`vM10UBop=YUKe!(o03PxxGW!Oe2C{Z*5mLR`t-78a~ zEtxW2vKcW&t+5Jdww)_sTV7UG-pt$wkHZyh=~5=vxL z589k(aLKbcf|z}v`irDgTWx{>OU7Kx(5}%|Tg)eh&~T_gWg?OAZ2#nMI5FSszdnSB zjZ~qOE(|zBp4An4f1w7VEP!sn8cFeL_1MJ_o%oQ z9g5+|1>mdR~XQ^gRxQ8;&nQ1tNf}(W9vE0@ZZ43W=Yug)Edem*M*qdq0 zy)HGV+dNE|@@zw24C>DpJkDnHh>97LT6##d-jj)uwEQxmLUXYGk!txOm8}9Zo+T>f zEWuGf&XRrkPEs)(%a?*@sqVhscn5$cT0}=fWR#8-llnuO%xRW71s7PMBbA^koZ^cm zqGsd5W|QK^PQkLsG4Q#bt|4x&FK}*OUibPLi8BS@G#Z>G7?M-^n)w=mZw^!4!tpp*FW>dXr3+&>} zqtPsj6-#3pw5wW@R0&ha7a4hFlO5-ssf z0kODXA%*=g)Y9VS02lA2X*wXL>3+w)uw9j)HZmQVMN?GI5gceiNi+xgkx8ZHu5AHq zlRd4`@B`YhXl_Epq;6E=JRzClT8o9%s%Anlo}k7y3+hhCTg^9ummvXlsWbhjwmOKE zms~{lt^282IwlwN*fc1Iuv@5LIZwi=;0ezpgnTw*3T8Z_L*U5{@bP#D1f6k3&q$ia z^ZeJPV2Yx~jd@7o21}#CQ-UM*Q}1zKWQk%k8kq43E=k;*s#(1C^4;^`*Zo()s~5k# zc%{KEfP0Rx4WY}&5HMZJVKHr90lWF%k=Gl?%$gZ;klXVpy})0X%6UV z2{X=Obc`V$nzx)3@Zo|~i+zUbz-tAi0nFxS-a9+h@}&Su9OR_hWLw8Q(;vlr)SnR) zS;sH-4_?3M&7v)7CPbj7G!UGtz;UFusK!i46^Jb96zyo4P<9w$|hw`lCh zO}aKvA(MLKJh`D2k}m9C85K2jU-YNfC>Ole%r_ts2#i@wfhAH=5@{yZJz*Eg1rt0$ zujmC4Obd+8mL6UQ~i2^IojCKaEdSVrNX#fO%8 z9vzh+i6kL@j``$^f%_|oHC3y_>a?_xP#!W?O_U3GOA<31A{MG0JIO*aqw#a}D`^`{ zH}A!`)l+sW@mPFLh zQ%^$K*X&3`z1FBvu}uMn#{blpO4|YzU5I+HO1wMF8XUj|kh%Rup9M1z=h zcB0Tki8(q_0s~YpD$Ti$1NOwUWBkao`I&xuW*YCw=@720gBiB|Pk+RczMQ%jG@Nqi z9&nI+M%9!hlU}!prYj)ZI@To^t1wrHZ|tL$`hpw{yHe-DiTOyYfbsrx&kg7N6YKsSU3gQ|3N zi`Me2v2TZFVROW#p1^)_HBa?wRsS<|i=D$GTW3!*r1mrj{94JN+npR0^7`(3k2Ok?p#I97@Q!a$0V6h zyVDWC?x1J>rxjx3n&rs&!nLvRi*bkBeL653bz56-ICjp8ozkYBS;haC|LU){ymc>k zgKkrmZgS@&KweVA$Afc#%{8~&rj|rPupRh;#qhFrq9&hL9&RZPOF&EVBX`n_M zQ5f+oiA+nUQ)bJNLVPm~~vPUe-s zH8@d3X@s;`#!vwzjeAh~pXxq>)fBrnX#|ha`!8*ClB)ie0VRhOuNCYLknvbsJ|-YS@t6v$(qb~Au{6sfu6bXw2@dF* zYNupq^i4D9;MZ!lzoq{xX^afE*_It<0ZF2OB#H&@&1U=2#;KCni$}j;L=_3fl&DN- zcGP80ES^^DJ8<=YDjtX$}f@fXurv{*e`6BI)nV;ZS3ZO59kXs zU(ki=09viFre;hFbv8ZGbE?9nIM42w^o~g#du)bB{k9geC^!d&Hsy^`i#9!#N}A0w zHe(gpzjXUQ^*w?n&F!;&GgT~tkbb3yp0qv zSie9kD&K|F%KD98EJvo$wUyn-LhIWaGak`c>v`NZ?7^?v(y*2!R@uRoh#pjF7WUda z2)WP(gK5or)fTy-YE+A$XG|`A@ zb`g|B41cA9kLXH9!>T*tuA?CDBru)yx4g>uX1n7GAL-wXVL1s?jKl{tCUf710Fajb z3cLE9Vl&D!mA`z{0T>e&XM&zi1(j1CM?-jwHXRPL_jb3_$st}3oJY3ZbuF`WjUh{-$nU1Au;DhJZC<$v9$AED`LztOX%w*Kx&}(p^XT^ho4O9XH_o*2T zJvQ?C@m_94666DsM}7@@k9xaawCR%vwfLz@$mU%XRV|9DF~Dd8P}f6@+~Te&D64@V ztFc8Jfa#ht6MMeCs0XMC-MXAxAnBTAU9+@nlXoo=51=lA|0uBG-WyA(+XruoiI65r zx3C^e5a*N%+QDIZkzAl0``QO7zR|}&DPVnGvj67o>5G$|`lvS3$CC4(Paf}9&woCA z@?>y#{^v_P_wU=&JzC$TM4=sjIc2d46A$scCzCLu_6$$V=QM)*_d6Yb-`MPa7(1Uv zaKVT%^FMtmV&}VFgoXatg&utV4BY6{G1nHj?&RRjiE*%^QLk-ymYD5UyLEsbRA_D6 z13Kvt&c+$V^=oHEeLXJ2-+}eC5y~W70V0(hkr?)q(n`hc0ctZqKFrm zlSlb|?!py}h@_7nLJ&kWK zAZ8E*O3fi)`WMwAMLqrg4ZWb^`_(8E82hiaYy9en6wu`2Y4_-5F*3Em>VjojZLr*P zoLllJINsfcdkI(2T&A=x-nMKW1jZlqw3WLWDfJW=IZ$vd1c4m{2m(mu?=b`c2D7Zz zE(Gt8q89Rca4LNMT$#J|&_!$~YHr6X<3pXUAlEvbPoHju{%^RVLpWhcNGq-%CY@nd z^Vk^A%ymY~ZAqcqNtGrT2G5sbvW(2~<Q*_}tyDfpGNp__PAVb-LG!Tx31$&qX$T?&kY$D~|lO(_w53_sq%N3VU1mtBY>~ zeE#gopl-7evW(zQ?(Z!5AqbEZ-{rLUIuqKk6CMLA@suB>v5>Fwa|Saq2Sq+mATXwv zFk?xksB8{@IXtp~QTgHKp7s9#{7O`4JeP){a1syU`;z{>2v=m5%N2+J`_ddad2#&9 z;q!)RvU10(3h|&Q_34vVDFTlv-eXBbKZ2W6zT2zE65W=B!8VR$Pyfe`X7{t3X)81G zb@{j;kz?f*?A<>Ui|6jjC34e^zs4gNb8$&Tv>Fr0i?F{UBP=K0a0UAQ=NB3K-MuHh zL2uC8{iE9;We#u#Nx=cm3tKP%nwq`BQ)}&$d*$znOyCL>wbtf=LeRIdG45u zcqn^*`k>+*c7Mt*1I7Co6O7SPf$b&Gy#!v#()fIx^?#%P=WI&jlnU8X=_XRaEcXBG zJ$mw>>i>E4`0-u-moM^s`qaM<7i>1f9p5pFsh0asXPPYGln&v3|MTaLF4cMQF~!IX z7yoAC#Lz|5>)3LEjm|4cBqQU4q5uXNnkYHc7RBPnOLU;ci^!4?9zVc8+3X}6kJ(4) z21R3f@&rb@_3w9zGjg^MlWpPmjKplrXapop&56yh@Nt>M$v2gQRkS0bjBlKwAXExlbEz*MkAjiLJ=GWZYKt+ZzPU58ED|Na)a$3*%y zFwymg^}9R^iC6pH@=@4c&b3QCs4XL20Ms?;c5lK&etXyD8^bKeRAs`r6iJ#2o(hJ{ zkmpmxRiAa{q{f-ESV)%rK6yJO(IDyUf{N#SmTE5Q{`Ki@?_n_5f&bd=JqZR~=shPX z!NiG-%ARIG+e+^xQw}iQUe_jBnjKjQxFh3le~ zsCEXLT?ZT_t#NGnD@Ti3OM6{A0woPVS7 z4EB1vyCAa^9Z_atwy?q z-wE-U{Cn;W2H=S>i3dbUVnYLpG4n*5O;DHb2Q_@`m6O!jqON$sp8fxjL*&p!wX1`R z0~dJR=aO)7CuOEu-l{)`{T^=A`br|VDaFL1*;B0d8#IxnX=(XfO&8%0=34bi1Zs2u zl!{jSSk|InN021ikJBl6lg(gva4l+<@|3JXSznE>NoB97U6XS?-_u&0o7Zc_eSx2AAsJTTxs_<*57nCV@v3T|*XB2@w3ISc0Iw(5 zxKN9Q8uv|_g=kxcE*`U831z>+QgofWI4zZ4163DWnWwc`gtjZR_KfhnsB6uLyxwwI zUMku?U+OKcvc|BsV_`7jUTl%i(Vo^zi;Rp5=~&C(xU!AeQgbbw;m7x__%E14PP$jO24aFAqv#8a!x{Vv=-ZuUA8p6XS8zuyCMmb*)~{+X(>V0>qcaolV~;i zx$mhoURLkB?WLP8rJ9@J4@auz++J(Z%+CV0jCPF~!sTI#JpJY6%e=zI~9SuwCCy{d9)HA>jNzN>@XW=-1bP7cw6 z%=Nf!2g9wF?;m&v9=l)F3`2`(6LuIjbW4`l0xQfTq%K*%495BhCv=tS0D--h>(eI_ zwDqZo3Gx*e7nRKz?<{DG?cG$OZ2_IGk5yyErTCQFXa{)xwpK)KImN4n>K*mJ7WErN zc;)=9I~TCTZS0?deQs(PIT*l|o9>N@rtmrT>;af`a>k^&V!%XyHdXTvSY5&I8CPDI z=kkvHDpNn)bfv)0oON#w?=?Fw2DB7#ygc00fczeUG4y$=8t=54rTt#6$Y}(>t+pib zRcbk_-@@gfmzwMw)|?CUU9iyg;NxHO3g}5gf5-TT1=Y4o^{NZcdP2m1cK_M!*7_yskbf-*TmN+XDf*pd4<*`^^J-A z<=Jv&ycQC!;qTSre;eb!&5CtK(#>23y5#)--e6F@|MT(gqusms?=SIqhg7+Md%d4o zOl9w7%tz2Qxy&mrs_u4ksUrVFY zQAM;tHO#L)UiI{ADQ9+``p#rfO4IgsiZ)Clw-j z#@&wv&HTx8Fxyei3j@)jg4Et_;MHb|C--7r6Tbf7<==iOv5mCRE`KeO@tlKg;^;(mwvK0FO09 zm}B72DCwJ@M)_aPT5w|xuyp@t_fbXuKiS>8%m4F5o{Ic$Oi-$4ff4(qe4{1J&^ilS zvs&QHysrNEmi2}c_9>4}O5$urR5*R*p|u`jE5mA&C%OwH_T!je0!#2}ME_PD{2mli zyZG4-lNSc$ZOE^f-?qSHEcndtvO+2IG|lMwsQH(`n|0;Mr)0fR{^yXUYb^l z0Qmg5G>XO5G4_gy zwS4xf*Y2J(MgCVRbF*T5o08u%+HuGi5ac%&4BNtP{cN;NF0@)8Tl?cQ^yr@^J@=z=~*=Y?M;xkJ^%Oi_Nw;ZlfB1x@xNc> z@#cTq9zct`*WNbTwpCDEBiakOpj={_^r}R#jWnB%OHTbZT1PEFCf=0Au{ea^)J`Qfd}m^JJo9S$(wazHKvqAF_jW8lSclKC0*q+ z4FY^@OMPKYQrkKyZ<@H~EgT-R>Ss-drGDbdX3)ADL2EMY+WSUp8G}`NwXkB!qee5Z z;JhDKQ2m?cbk83x^(_OA0f*Y8&Gn2IVV zcrV*K_iJ9Ke?`TNCD_1AK|*@uUv}@ovZz=|7_QjhQo7JE6HLvY^F+~)s(R0~ma3%! zg%ldgmx5<$38-pow#+){pDOzFnA!5R2i)kYJOpoo62`BHDD2d%` z0>hKR;Cj`^EQwaB3BgQbpQny60RUHcMkPrLQ*;9s#|&;bE$q9^DK$F za0UM?^$+loh>3)7$}bZLju%ZtktO@mCZiv&Ghr790D!#Jk`Sn~&?0E^=1jHMnsA=2 z<7PyK`Z;}vtBinGQD&os)$I2L5-V(-wQCu5ODFT%Q}-4p>bgqf8eFpykJJVOfF>7p zZh3Zi`ey(2;n~59XYXEmUE^s$OLCDAF}E>U&>fQ)6JnKU8PQQTX)<74KkgRS|9*A$ z%iCA)UcWdyI6SWR*Ij`}yNen>dV73&_U7H|XD?b>UlJqNZ5zp@GbRV-<-z{xej_QH zuO2vHqKR@1BUr`v?D)metHbB}r-yIfoV|W~@S*|bd?CL=6Yox%sJ23oLUX3FHd1Di zx{G3dX7NIHDS_uM06zQq@KqD4ZOO@O@Kk?EI7WHst2u;Lf~*SE&tA}^c?>Lnr}JYv z9#)jpV%g~Dz^+9v0(_wJ;j(~}wRr3Kt9K`-FOJXlkB-jX?7waxc#Fe;;|n*Cn0;A=KKtd|4RZ%0G$4J5^^;M$b8Z4K%Ql3r)l~W!^ z3!14GEjKhKEY1X7rJ-ukB{ooPd&JKo+cZndC2nJy>KC;1qRkoElJiz`YvPs@d+Tvp zg#b5TwMt9Z5J={}%Xa5!EV86}mb;*%q%u zYS;H%pK7-wch-Kgw9emKVV`ApVr%S^k!>iV{X~x_UHBE zX7sW&B8r|UK@^?L4IOLQ9m<8gO7j@2D2jVxH3Wzb`JAq?&UDO~N^sq$tla*D82x zFZ@UX0D^|#YaY=?a2gRSs+55<;g%~pU%h>Sq6I;J&!|+D^T#%8c)KOU{@obu(Xy;9 zUw6=UL&sgH=AYwP7XNws`JWy<91I>;^FKX${NOJB^GiI}jqGf*15Ey$KhXi-ni8`Z z-ZZk)HuFae?cDvN+b>@~rqrg1x(g~@HK^3ftJO3OHV{@?v~(9&TA|7H0!y1JUnj)U zNxHQ{ORJS`(D8MGOB<@*MVG>#GP-m*n0Mi&cj2YQa~EEE7hYO|@h-gde{p!}<|06E zHFmY?@y$Uw#6;-(TA(b7cZ2$P>Nh4hsHoTh0a|wvQlK6m$Re=0;|5YQ! z7Jz9RzaF4}fKc64Q-rk;ZiT>JV-Vj(_TEMIE(xCW_VoO` ze!w(_dlj?Q71@UG7CZ0YE|&W)misQ2`!1HdagyG}a^J;rf3;ZdTfAzo2>omP+@#~f zOe#LBUXkY>KfZPWfNM;>5FcSn#{^1UK>!--X%VB+TA! zu&x_t-&$>XpnVm9`b~FbT9mVmF7?~H_Ez%WHzfM3x$*1ErWOot!!6&|c7uCeX6`k6Oz|5RIU19g zk4W4rS?bmD+uiFej1Trt_s>q=zB_*Y;_Th=VdLUB6)aI>=;n)v;eSN^|B(MbDdQQB z=+lTvjWt5hvX5<-7Ten%5jWyi@!>z(KRNm0UX>~U-jgK zKz=(1eg6=it5y6~*BHSvFzb!nLYLMW4z24AVngq1L0?~1FFq05RDQ{k*oIizCJ#^J zw~tIJmQ3&LV-$BEXNWI3{>``XF*=1C_ z*V?a-nq9`;o$9?i)eCn=dGDUTw4VRH2=kMH8#n;Gta!EW{b$H$MJ+};27MV>|1 zHD3EdU;kL?H+%5csSI=K^?96WljrcLqm2Ul_YmIjgm%1TYD;|4T6g9vA|_Osb!@4f z@}bvth`ADVzBVh~JzwEzmH&d0XhRpkFO&a|A6Di6qbGZh?&SZMcvd?(a64K;v)H$+ zA!;ijd%AR!NgZlA7hE4jvW13~wJQ{J5;f?c~#ELUy>qSAg2 zPQL6}O)=hBGq#;5#>4BnylcVzZp5ZqctOUAjVoVhxPI$PEY8~G|As_AK1<~P-h&5^ zs`6hi3GU?o7kF+(vfl~yKebTzU|YHKMV*|WPwbc^6X#rO`#Qwlo5yESiz|)Jb+F8r zg$*d?%S6+jw`y!4dZq9+l<1ufg=)5;uPt1^fydMTy(x`nY?5$6H`~V&{XeMt{~kPi z^yE(ee~G6zVXE`?*EcVYPrf!Nch6UNy!n6pV*lXvi{32SbRP@n|L%iFj~`X%|K8)h zyZQe`o-H^s9B}gAuR5Lg#gE_aO_fUJu;0JDy!0cextR2~fk_|<@X^0$r~*M_w1Y`p zL}<@QLMC*k4J|pBiq7EP+v9_0uTQp(`9>0;vvf)%lfVpX-82K19Eb!d4&k_f%?14wc zDUmRuGyz4WG6DRTTzoJvym@)}=6~QY(Ik>P5K^H6i@^?z zsqP->@$BzM$7Kvs!J{7I{cXb=M}p!J1IZMXolXD+*XM)^$@XSEQnMh3soklwc{(jX^#Y+QlCtY z4K2Pd(OxOSPY*hU_oa8g-PE1esCIHlU_NIX-puXarFv3~3Qf z(^;qUSGa%wl%@CY58)M)3N!^Q-qOyOb0m-M%FOh432Pb)Js6q$)Q@OP6~)g!<-Li} zI0&{{QKL?3L1+AeN^pbj6PV9Zp3p=|AX4&>5#^?7!5(I~VyxhCiQ)26n4#%+%;T6} zBCeVZq(}68R7P=W1ni{pn4#!eO(_%k*k71+UZ-;fN3K4s@?60IHNkG055C}|J2tRi zt9IuKf^{BPv;4-Mn{|wcp4)>`cnIy7PMB0;e%?;lmslJQQ0Kv+t_8wYyUCC(8xuHB zSlkNNvf3V^3r~cd7yWq?qd0rUFQ^bKq7u#LDsTFj7kTq5aO0c)J2Uqk0^;|EXi?c8P~jt zn~m$OAZopfM_j0C%Oyn7Nb}KiZb|)NBMj?zd<%$r`|s5uy@KQ7BTmxh5%st5(@l)& z<`AuBF>h|Os$O!%VrQxrKH6;3OGqLF*_g(;g7f#kox{C|Q;Ct>B#O-0ZAde{q%=@# zQDKZj8bQhAc~sw)}Jdlub;468DkGoMJB6MYd}j%ZM(Nx30evn`Ys# zF7a;jal+_&V%I|y(>5=sQ-LTOgGu#l*0vz0Jc}b3QIPa{i^gS$V!G+;$z4QL3zN52 z)h})43QiO{QWV!qe#J-}&%s#=&=9>*Y{eQEElAVAy-TK9UeJ^pzd*@hRkJNNpk5qA zD$oL>#*-aL>o2h>WFSwyn2W5azyUnfAiurt)gt0Q@yT-7KOR^5??-Y959!^H@O7 zmO|KEyNYO9b%xdZYj>sG>f;by3So2YDxw%F?vlzkwRHt=ve}3VJ^!$<%&&Re7*5Tg z!ujqEh0((7{dF(k302?~!%aA*V8$cbgZ((>mo&15{t(W2a=xRxm~lnVNSelT@Asu( zit67n4@rEEn_=gCJZ`3N+m~x0+I(L?NsksInhz!JqoR#I)gsv^gWov3;ffC7IR-B4 zWzGbz<#vHy`I*v<19u6OQH*sgfuD%XGxV}$>e%G zeg)^V`I*=0T392Z3pOB{`n&Fy#0{SftX>vuDK+(1+miS)I>rO^8rW74t?jfl_1C`l za;wi3oC%UddA`~K_F~9M47182Kt_7Bnhp5Ra1eoOqh?rzE z3|P4>L^n60{-s_mO_mVVdL9)AF4+W0B(YITeB(atjUrkK0&3e$JI)ftX4FOu712Al zZvt)(Q9s>V>xjBS3oyP%($thu9A<2Q{nT^I zTDpP*hLV+tx#nK0VQenEYl5*7s2fJ~TC7{aw$7?$TCU88w~6SoC5&Ep<6;G|tYB#3 zdyVH4Buyk!>_XFF%*D*`uq8q*SiP0pTwI$@9&Hd&|0w4QyJ=qdt~)o3hd^)nxq|cj zl<75{W2Gpl<^5Fys=m;31?P_*KG?e^@0JjCr%;!;I~ztcKfij5&j#jb!=dy=b9CQ3 zyIyf8*p{x1%tBD%)8`x1_7N=~N^h0Am9y(?oa2X6l}R}F52jz=p;hg8ViE zydOn^N-JWCpg^pP^KwcPkQbrG)kk$xh`#^r2DK5rrlQ&JSMAR^$Fu_d@S}vh zI^5%G>YSI>gx_3*=O&E$dZN}9HkrIy_EgK!FVC-y#tNXqxf0nm_m~jmzTp!zG=x8=StvYSIx@tBHbix;?p)4bdlMb#b$ zxo&NLL|0g(>Hc05Jm&6a8dDs@p%piQR*EP(&SFV7iSXt|)C|vZquwHFNApYIXgl5% zqA8E|moL3n7}1nRa`U{qQAA%YAJoModOJAUjyHv9?Ml%W6L3F@n9X%!4TG7vf%JB9 zzJi-bqZULLi`^QgUy65cj44Jht!OZ;XE9*Q8}c%2fOid|s~HUITMU~*c4LUHW-wgG zV%Q9-8?YGch^}NXtZ6aG&0)N;5nat-SlwdSAda@<4I#Rk!Eh~$VI#b|NkmsL7}m8I zHYayChUjVr!woEk8{)h%J-VX7a4m~rL%e%qOcfO~mf(DQDM(0<{3~Reg3Zlsuofr0 zsT^^2?NFHLX3S~CjXfLi1Lil7t4qv@PP z8Rgq~HXwBy@9=N;8vTlS2+Ii{9( z-}tp|g2AewZXgvy2~mu`c=1tDk&p&fxq<_pe6LV-GC?7XnO=dS?TZ2`qyxVYF|9PoD`~o97=7Q#Y3n?-#lVIwr&GIdF{9tf{+I2+JMHZm$?{EAP_*l^d z^J`Es=3-_HLd5m9o-5ehETW3dD9=9Xus9R+ zbSkKv^0+FMuHZFG*esjr$*64&j8(OjiapcR6T!M5i>ROxmZK4nv7!Q|>as`h!izxOh<$8$PO3N{|1;<%j#@13`A)>oCMO07{u~jwc6*uC*2tzf!X?taT+w}R+mx%(}P-3p?M4w*qu=& zSSXi=v6}u)6y^}usJJBl^kd4!swu;-3+m0SdWYyrM??M$M?%6?+QAW3EG+IY11|9H zYvfvY+qYYfZ*B>*fu(nKL>Gq2m0Z}Q5;136Dp)z?8&juOaQ?}gEgoRnP@sIA!x*8j^{0%oY?%BzUB#2T(n3hlNv@%89L~# zVWzk{zIsw>!^D1icaNl05dHpoh;CRMIYdd$r2bZ0iFw_&ns>tn9@7gg8M z6`Y_D0Qb2Ehhyi0HD@EdadOAlWx0-?x;XTI2t*BVr^fa@uOVuU;&t$}Rjz~PMiE^p zBlfqP3A>8u!i?B|q)ga>)7VP`Q|o9h$%p-o=D~($WS8W`{+4rL*AZQi6Z>1vgQ=Upy{VCG&}Esu?4MyZVV!$^D4 zvWscHM)I)@_yMytB8r|UK@^=VKhX3Ji-WY~Z+|7~IzIoT=IES1=6JiX0i?SU_E(*b zTV7HUPK)b!y<5M}gFsRRAL#rk4#E4K{LkOc^IWXx(Dtu{KJUTLTmbz@W@$`!*1J6V zpB(_xZ9UuZQ?u}NX^eO3X@Z~5=0TnUST_ZWZlfk6eo1f66t5e@{?Z*Oh7_WI2zv=KRIxEN%pKSgXj z?gY?q%g7MW?a}$6`J*;kUE8fUH?(z8%Gp1J-AX5w&wH+)1s5l@_Ef!&VF+D59(Suf zHWf>{bp+SE$e<0Z=F1a?FsQ)QR&F;ZNqhW)-*+V{q8QuShhkh$IZU}=|K^E8K_x?i za>mW59T+nq6-4|pi8(R1t-WvNOE+t)@3*b+;(ERb%x)dqWaYS-k~Cguzp1J59el_} zG*q$0&ClmBn+HY7067wZzzzS?2Zlyk`aGYKWKvQH7gR_iez;~%tv)L%!$iJTrBXTU_ovyYXZK1%KI@ByWLkYiCbGX>SJ>XB!Kz9c)*Os- zKTmh}dV}5|i0FusB={*1gEn!c$@<>fEAYz+9L{DLmelCW0{@7IvS)Ed3goU**`M;u zK=FQ-L{vyck|+?S!9ceWcqO+xokQG|lS=Sp63;s6bh z+6+x3E=!QHjRzcQocqf|!#CxFEzG1O!<_kwOmM3Z4YtVL0jOs*6}lxu*-qz~A%Kxa zj`#!;dTCh-ThOFrN*3N^sXH^p96Q>CXqat0FSi4dO%gU{AxRw6atFA8P%wlWF0weG zf{a+ql(s(b*h|lhqj#?%X8!K`X}E1FY$C1hd`(iTw2`+A_#~DbWR_~NhWiO&CKaEt ze;X^|a>`@ckZ)SsOHpL#Z))ViriT=QMj?1th~>aL zHSZBwTa8TRwQ$DUa})@$o0gSCr&QGKy{c$vO}FitD&D+rO)p-U^|)e+Sg3Yv#gNQs z{G3R-1GG2k!KbdA5<#P9ndU;-9YXifVDS1`_j9k)IZVLCdssq93LFC+c3gYa8!#_O4iTYJpfTWdc(s=~6E1TWvGZ^)ikIPSdDIUFNlB0O|+NsJJ-hPlVy z3p1-DkKsW%#~C3Nn8~_e1dsl1Qsimd&kZmZ_F{hMx4o#pXkK(qr(9B7bKRK{MJ$>0 zHR&(4B(X!-c*lXy$JUZRijzv#@jPer^P<2Zsr85$S>BKtIwjQ}$LzQy)#nIm|Mt%&3RvkSKb_iZ!jf4d>i& zxrLb~O3YKv5*3)F?Y-z6BsWdk1+zANvYGQN~osf|4lKg7{X%YEEQ( z37P4A2{X2(xxcYw1tSAR3s_6i^2;ooqNEWtqKU4r*XPCEV+DnrTcP>dfC3Hc_pw>3 zaSobWUx}b_-jmbw9sSSm?!G=dqxG*3f8gIb3M}E%d+RqT+Eob6|S2%DRC)yMrA_de2Sg9>RZOv2@-l4Sg3;wMgkHT0tZ?ZZJYQWF7yy7!eV1|mXDmH zQ^9y^z#i;&dkN)az&rWM{5^3cH8Z4fHo_E^c`SqfX-K%SdXX=wk?|>rk;sp^@}yTM5S=%}*LY>9 z;I$`}b-`S@mN?BdQ=rV&-|=GX##v^^%ELhyLqW@N6W>5qde$TUX945w*9N*1LMdp6#4k`^ze52IB(bJW<**k zlYG4_F7@%Ugt&zgDt3n3;F2}@klIXe8AI-59E($Tk??@(W{@W zBF0KW4t$5bjb3|?pw6U^V|tJ9q*!<{lAQ}EocM7i!H}-gUGwwBMa9Fh9QndYBW-C) zb0(*B@iLevOD^gK_OU&xoj$iG+nM>{4U_+b1_%vf`ZVC=S!!(2D=xIT>1R(XXtzgr z4O^Ft4odV|_+XrHH!TYsu*WpZUAUtJaC3^AFN9i3k>|}T>!IkTtsMEP#u2sHUv{vo zbJ9EHlzubaVPj7)&gzO*?p-$K4_#n0LdM`Q#R|#J_0W z5!$yD{3X*kH6;?HF6zk=aS1pcKo|b@Mrl8tNj>uCAx;Hr zwLbPly2xn^_BlYc#`WbZqTG2Y7Lbj9625WsbC|*SgA0$V;w6Q-#dYYJQe=d@^S0Wn z{^t2m33^BM%xuNwC9mquoWVJzexN&h02^gcfEFU}Qdi zG=k*u5EIuoLl9t6{6Xo}jze_YUz+!#V!UY`m0zuSwGc0Qb-EcU|9l(vs3UHHERAS_ zW|q;uv!~7JoL$5jZWmU_3_Q=$;9{HI6)0D&R4LD5Xc%|cc$KjDgwWJ^CB}qIpZ99+ z&ga&6bpxuZU%TJ1ZKgLF0(6T?eO%tM>b6=RO(_yYpK{Z%%pD88+SO@C58O_>LcT3& zOsMJl-e`==Xe=3HWyOnkP5w7=*m*gP)H%MZLUeKATiBNcm>V0V@^kz9Y|wkxNz{mv zrtO;v5v0B^w-4@ND*0mj?mn% zW?$fvGR~qvMUyJ?pxQz27fLD2C$yhG)0)NQz@GTHK_ma#_*b)|&ve1#&0lN%SA_)(R@BW_ zjAqa*t$DKP8Mr0m>9(4@U^T>-KYW}NEeSy-*z6RHmI=VRS;)P&|2u)Wy~|tObIFgP zvP=<^Soaa56_}Y$qdvd!Cq>5+owNO;Wjw;C$@l)QWfUQvm|OJ&Su|}zZVw)|No4DA z@=o&rKm66_TnoI0rwVGM81KyZ6Qh_~XA_6%iq%)e5}Xz=1~Sffv-xh_w5r{xpt4rH z#OzA++*x0yYZp(XxMWQGiRQ7&h0YQT^^1(ZE|eI!QVjnHTpxaF2OUJhpaynHiJ#&+ z5XMf30FJnigG)WYx3s@VOd`JYD+xwmM>y3Jr+yhv#C5?qg&rPVT+HMZ>MP!x4f4!? z-Y+>mh5wx$2x!pID>ws#PS|R=N~O$wBnn?Xw8@j~zJ^TBe}oT(V{#;zcbqI4H+Cww z(SbeZf|o1$&NA(;II7~Yf4lJ!3|o@%Wwd2%+Cx6cDj|vW-5Cf5qQYDIn^zn%b#h!$-1UjzC?v2bW(zsJ6y;E)8 z9_lLHDrMym*bABSZ&@i?^U`jjzlXJyO2WlBbSh_s{4Ou`g33N4Uf-T(ed_-OOwcfA zTJ2f?i3u-6Wp7}zKLLm+^d_O)UMFfFeONy77TwXCOkvmea;?+oAmMaMfc0h7alBR#Wo(D?8c-MWmz}@3Sp8go?JPyIy#>>v`fQ$C347*9uuV7>?*2z>F zyuK6SJN+?y?@BV_TtPQ?l!@GlhyS;QWP^8PCAz_YvsoI2mI>VzzT(Y$M!QeQbV{g< zo4o6wfqto!)`d0GKOR*s1*=1%$(#f}EwfYD5o;O~TQ#1t9C5d}IO|C!U=TrLmL?R4Cu;*4knWj+j0&4_SrlgMG9tLcD#bl@ScZN+9& zr7>+g85qZwS_jgbGixtiv^WSQ3irKZrXxXdsNLnh_nUsmTSH_Ie2O15gA1<@3D9?& zC1YuE!Z<6eDkne~8*J=J$AwG9odY%XzJC}wVgrTz;K&5W*;$$r0r2CsJBT)VI0nSS zwN)qCH?>~qOjGYEIn^u*f|}(%y&Q0SD&Y9}OZL^AY}V_lm*p`9V`;ucLJ_QTI@||t z`Obm*3V7acwzMa7zbzQMOnD*44?@}0%ZF&)y9MPWX>3QT(yPmIQ`W(S93p`+{^o!1y?mGzh^5#L-)8eJgP6y)T4u_Uqvnw9qWDx-^W!JNMEJ2WAH@Z;$wd zf8A~+sK1AE#zfHKNNmCR&id5j?-i^)r;HzQa$c+y6>NTq_&Fe94i_T_26zel)4$)6 zYtI72VUC%U-o#1h%K*d64w+iS~E;2D8qeG zWK`|Lgt5tb8s_%OqoY`xyM0Ez9bAm^IOVz41KT)2+jXG=h9w+?J=5fEJW;C0y} zG%$j8uLDF-V*#GKlGli&z8pA$_8+5*H&~N@62g$h&JSt@Z(#U)iICDap3&K~T*NBj zg^xhGb)Y#WjEu~&_S3Y(ER*H1zwOK2mnLNln88$;0we4tABOpl1Z1WAPbU|&Mw+>g zgIYJp{$F$}2I}=+c5DsF~^s^t;)1G1^)uJe&TsN zLv8ZQ764pfBt1Rvem6C|5kSqr)Xg*@xyHX$E%upHq@*){MZ%QB2deyrVg|zaf!lz? z+fyZ1A)-v&N%O=gqr`@Yn+BBSb$L|mnepOEuG4z@i5EiUAJ00uMZ4K>8ur>l@!v|u zw`*BzD({1AmXJg|tpa2ctNn&tb~*LxLKgc8g6~#esR4+DJnzW~LiOWcdq@ysuj<@V zf%W3={i?pOZs~oCJvaOweJD{?7MDC%VtR&~ko9Ex(MnLm%TA@g=_#pabI`8|agRqU z{ELAgnq2N|)I~}bz(yPnTbg;{!TO-raTmnc7cpub-wJs#`)zEpgzbPg&QMlbPJdRW6 zlFsE#fD((g;(t!l&r3223X|2SS`0YJGtP`Ba1U)R?aorKWbL}&UJr{P?YdcNDdKQ> zG=lbc6>>tJ+kpx4Dn!cXL-?vq&c;o0&ZcEXpdHe``kxo^1QtmITRB`@qHRqqGd8%m ziv~BzD?V;uk)yP4Yhqu!*fLJs9V6(o0nSPsM5kjXyVmH|EbB$2Qpj zl?ouSt#8`ud(K0}Z5v0UR0Eki84T zxof8@?2nL?Tl6_*+sE!CY7{2s_ll7%x*;lKc+bZYRtr=$I~{JD(M1(>qo2Pt+(6=G zQ@8q3$?#S=P7Ez4rfF%IJ!ayKCL_wPhAQ2C9t|`@miL%O{9>1D%aK~y^)nY}WEK4L z3sE*V>JdBeF1DjnthwZ^$i-eRv!Gll8qK$j#p=yP^vD+h4Fh^F1T7Eh(Aniz?`h(U zDase*j^(gxV%>~yf4wg+cnFDfRAEl04Y?NBt^ssnP2Z@5!75H3T`U!F>rgH%iPhK5 z{0(FHy0JURm%qZe7bhg6I!smgqB??h^pMmBRGu@Ju+oycul+jf?9dK_LQbNXpoqvW z`oDhUR3?rO$ha!W)!IjUn3C%UHd+=d)k#O;3uv+mWDw$*$8%Y**#X-Fjp-=`Cgob!ON_e z!y!{n1oCKYAmVZ+ITaJg1a}<`wrWZ;M;B|1y9}?j?WcdEQ7gTX?Q@fu=KF-ULj~WD zzy(q%Y6=-s-{W)!z2cSO{Iurm!Bt4mPzLen!99e$ncC(9QyOz%O!%2nNv~b5EWyMc z{<{K?z?Gwu5AcTPPnmmPTw`KU?#$xsZl~W@{KRwC&_zi9IfFd-tBECMCc!998qyrU zaXwdgne~Lcr!Vs8zpSV&-3_&su~?x(20=CN2hFNzpIom-?yVEO@)Ds%=iZg<$l>q6 zth|F(%hL1QY@E$s9cji#h$~svgRu%uooONGuItTyaq3p7aG|6bi&&u{Y%uonsw>G>>t0n3QrlPL!# z$V*y>?Z0QXzX+?>96-j>8rD!+>O9}Y^%*uaasal|=1WgJ9JVW2{;hC2SFu0F2{pkcOmM3Q z-pP_-vl32UD292QnxQh1p-G^xHG=y<#KXYv$P_MgS0`u(uYlkbhB6N^eumD5qT0!Oe|awTZrlJHNrHzThmn@7q+LylPn7m{2~l_UhLF zl!emfDL1|AG_H_fN;9Gxk#elxJwM>R3Fg8>GK52SvcnO)WO;l4`;yY!U3((xp|8sSGrc`Rsb8N+BpE&)@gLK>Z{cE9Qqa8uUST z;->W~utapN^?!Ixs_9EOzUTWS(dD$kN`k+GXN1(NuBilX%Cx;PP6LmEsF1ZgEcl9n zKD%k3yqnj}bP1ma1~^AK*1!&co1h<@m#7BmIQjGBwl>4fDweYZuJPc(|7A5<y!oP^~SCUP<^uE1w0ByCTndvEH&)6#Ng;#H9+~#hRfZ zSux_QNlE-flI6;t(4o3BG~Za*Y|u|PXmydHlT*XC5g9I-6(zEp&E*_DQSxhQ%|v~k z(X|uEHL+TSjQM8XBOMY+U?ak)#*_qZQ61Aa0plF+lE06>Q26n@xqML?+CO;F7a7k# zIW4Njd*Y`n-|HEg`!zwC48+$-lhu2ADg7~!te5NRtJYIEMgaXqIO5lU0~(-AR;}N` z1)hgU&c)C;OX%gkM?Mp_)iwF+=A7});cI!WmTK|KMBqq9mLW?^xk6@w3HMZazHeNHDn(5WP*evzwPL|0{i7b;hQ%QG95@%^4c7@Pg7 z*o(7XRsM$fyE+f4kJZj~X!mLe-RKAn?gRN1;M${GWtI`wrcXV^YoZgcQWrzh)a^G~ ze(eZJdy9d(lopDZ7Rq;iq**>`h8sVBIb4;bcK7oJ@oB#A9Tvum3^3i70C58(gsRa% zjX>(o;v{dGo2T}y-gcjqlX68ql_&j&Uk!EsQCkpyn?Hd*417|jUlJK94o!dF^?ZxV z16Jf9sE(mIh&%kLG92++5uQCLjoXQ&Y+QhmQ1ExT^~d&k=M~V7WA+Wyr%eYwVJmH71q7R{@epl)djjs%{1x0YDeW<@m3Tb!E?X(UEYhtS=u&&u z3TU(rYMq<~uD26L2kotu!(FeWHWVPQfn0QMIl+`n6T#cVeATNLc;;FPUBg_+^T zTi)dU8@1};ek01q)&66OzznxO(Gp2Z_jeq=c$qQw zG?uHiF_#FqP}-A;)~NqcP;ZE*sbMdZHfz1D0Mjo1M)c_YT^045g1UzOL0~>}+la>0 LD}N+mWTgK9>s^5l diff --git a/dev/helm/templates/NOTES.txt b/dev/helm/templates/NOTES.txt index 93c0d3565..a28c69648 100644 --- a/dev/helm/templates/NOTES.txt +++ b/dev/helm/templates/NOTES.txt @@ -19,3 +19,16 @@ echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 {{- end }} + +{{- if .Values.postgresql.enabled }} +2. PostgreSQL database has been deployed as part of this release: + - Database: {{ .Values.postgresql.postgresqlDatabase }} + - User: {{ .Values.postgresql.postgresqlUser }} + - Service: {{ include "wiki.postgresql.fullname" . }} + - Version: {{ .Values.postgresql.image.tag }} + - Persistence: {{ .Values.postgresql.persistence.enabled | ternary "Enabled" "Disabled" }} +{{- end }} + +{{- if not .Values.postgresql.enabled }} +2. External PostgreSQL setup detected. Ensure your database is accessible at the configured host. +{{- end }} diff --git a/dev/helm/templates/_helpers.tpl b/dev/helm/templates/_helpers.tpl index 193ceab78..1684409a7 100644 --- a/dev/helm/templates/_helpers.tpl +++ b/dev/helm/templates/_helpers.tpl @@ -63,15 +63,18 @@ Create the name of the service account to use {{- end -}} {{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +PostgreSQL fullname */}} {{- define "wiki.postgresql.fullname" -}} -{{- if .Values.postgresql.fullnameOverride -}} -{{- .Values.postgresql.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{ printf "%s-%s" .Release.Name "postgresql"}} +{{- printf "%s-%s" (include "wiki.fullname" .) "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +PostgreSQL selector labels +*/}} +{{- define "wiki.postgresql.selectorLabels" -}} +app.kubernetes.io/name: {{ include "wiki.name" . }}-postgresql +app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{/* @@ -79,9 +82,9 @@ Set postgres host */}} {{- define "wiki.postgresql.host" -}} {{- if .Values.postgresql.enabled -}} -{{- template "wiki.postgresql.fullname" . -}} +{{- include "wiki.postgresql.fullname" . -}} {{- else -}} -{{- .Values.postgresql.postgresqlHost | quote -}} +{{- .Values.postgresql.postgresqlHost | default "localhost" | quote -}} {{- end -}} {{- end -}} @@ -89,10 +92,25 @@ Set postgres host Set postgres secret */}} {{- define "wiki.postgresql.secret" -}} -{{- if .Values.postgresql.enabled -}} -{{- template "wiki.postgresql.fullname" . -}} +{{- if and .Values.postgresql.enabled .Values.postgresql.existingSecret -}} + {{- .Values.postgresql.existingSecret -}} +{{- else if .Values.postgresql.enabled -}} + {{- include "wiki.postgresql.fullname" . -}} {{- else -}} -{{- template "wiki.fullname" . -}} + {{- template "wiki.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set postgres secretUserKey +*/}} +{{- define "wiki.postgresql.secretUserKey" -}} +{{- if and .Values.postgresql.enabled .Values.postgresql.existingSecret -}} + {{- default "postgresql-username" .Values.postgresql.existingSecretUserKey | quote -}} +{{- else if .Values.postgresql.enabled -}} + "postgresql-username" +{{- else -}} + {{- default "postgresql-username" .Values.postgresql.existingSecretUserKey | quote -}} {{- end -}} {{- end -}} @@ -100,9 +118,24 @@ Set postgres secret Set postgres secretKey */}} {{- define "wiki.postgresql.secretKey" -}} -{{- if .Values.postgresql.enabled -}} -"postgresql-password" +{{- if and .Values.postgresql.enabled .Values.postgresql.existingSecret -}} + {{- default "postgresql-password" .Values.postgresql.existingSecretKey | quote -}} +{{- else if .Values.postgresql.enabled -}} + "postgresql-password" +{{- else -}} + {{- default "postgresql-password" .Values.postgresql.existingSecretKey | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Set postgres secretDatabaseKey +*/}} +{{- define "wiki.postgresql.secretDatabaseKey" -}} +{{- if and .Values.postgresql.enabled .Values.postgresql.existingSecret -}} + {{- default "postgresql-database" .Values.postgresql.existingSecretDatabaseKey | quote -}} +{{- else if .Values.postgresql.enabled -}} + "postgresql-database" {{- else -}} -{{- default "postgresql-password" .Values.postgresql.existingSecretKey | quote -}} + {{- default "postgresql-database" .Values.postgresql.existingSecretDatabaseKey | quote -}} {{- end -}} {{- end -}} diff --git a/dev/helm/templates/deployment.yaml b/dev/helm/templates/deployment.yaml index e4d1d1975..f817f22d2 100644 --- a/dev/helm/templates/deployment.yaml +++ b/dev/helm/templates/deployment.yaml @@ -29,7 +29,7 @@ spec: - name: {{ .Chart.Name }}-sideload securityContext: {{- toYaml .Values.sideload.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}" + image: "{{ .Values.image.repository }}:{{ default "2" .Values.image.tag }}" imagePullPolicy: {{ default "IfNotPresent" .Values.image.imagePullPolicy }} env: {{- toYaml .Values.sideload.env | nindent 12 }} @@ -42,7 +42,7 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}" + image: "{{ .Values.image.repository }}:{{ default "2" .Values.image.tag }}" imagePullPolicy: {{ default "IfNotPresent" .Values.image.imagePullPolicy }} env: {{- if .Values.nodeExtraCaCerts }} @@ -56,15 +56,22 @@ spec: value: {{ .Values.externalPostgresql.databaseURL }} - name: NODE_TLS_REJECT_UNAUTHORIZED value: {{ default "1" .Values.externalPostgresql.NODE_TLS_REJECT_UNAUTHORIZED | quote }} - {{- else }} + {{- else if .Values.postgresql.enabled }} - name: DB_HOST value: {{ template "wiki.postgresql.host" . }} - name: DB_PORT value: "{{ default "5432" .Values.postgresql.postgresqlPort }}" - name: DB_NAME - value: {{ default "wiki" .Values.postgresql.postgresqlDatabase }} + value: {{ default "wiki" .Values.postgresql.postgresqlDatabase | quote }} - name: DB_USER - value: {{ default "wiki" .Values.postgresql.postgresqlUser }} + {{- if .Values.postgresql.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.existingSecret }} + key: {{ template "wiki.postgresql.secretUserKey" . }} + {{- else }} + value: {{ default "postgres" .Values.postgresql.postgresqlUser }} + {{- end }} - name: DB_SSL value: "{{ default "false" .Values.postgresql.ssl }}" - name: DB_SSL_CA @@ -72,12 +79,27 @@ spec: - name: DB_PASS valueFrom: secretKeyRef: - {{- if .Values.postgresql.existingSecret }} - name: {{ .Values.postgresql.existingSecret }} - {{- else }} name: {{ template "wiki.postgresql.secret" . }} - {{- end }} key: {{ template "wiki.postgresql.secretKey" . }} + {{- else if .Values.externalPostgresql }} + # External PostgreSQL configuration + - name: DB_HOST + value: {{ required "External PostgreSQL host is required when postgresql.enabled is false" .Values.externalPostgresql.host | quote }} + - name: DB_PORT + value: {{ required "External PostgreSQL port is required when postgresql.enabled is false" .Values.externalPostgresql.port | quote }} + - name: DB_NAME + value: {{ required "External PostgreSQL database name is required when postgresql.enabled is false" .Values.externalPostgresql.database | quote }} + - name: DB_USER + value: {{ required "External PostgreSQL user is required when postgresql.enabled is false" .Values.externalPostgresql.username | quote }} + - name: DB_PASS + valueFrom: + secretKeyRef: + name: {{ required "External PostgreSQL secret name is required when postgresql.enabled is false" .Values.externalPostgresql.existingSecret | quote }} + key: {{ required "External PostgreSQL secret key is required when postgresql.enabled is false" .Values.externalPostgresql.existingSecretKey | quote }} + - name: DB_SSL + value: "{{ default "false" .Values.externalPostgresql.ssl }}" + - name: DB_SSL_CA + value: "{{ default "" .Values.externalPostgresql.ca }}" {{- end }} - name: HA_ACTIVE value: {{ .Values.replicaCount | int | le 2 | quote }} diff --git a/dev/helm/templates/postgresql-pvc.yaml b/dev/helm/templates/postgresql-pvc.yaml new file mode 100644 index 000000000..fb3bd1854 --- /dev/null +++ b/dev/helm/templates/postgresql-pvc.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.postgresql.enabled .Values.postgresql.persistence.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "wiki.postgresql.fullname" . }} + labels: + {{- include "wiki.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.postgresql.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.postgresql.persistence.size | quote }} + {{- if .Values.postgresql.persistence.storageClass }} + {{- if (eq "-" .Values.postgresql.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.postgresql.persistence.storageClass | quote }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/dev/helm/templates/postgresql-secret.yaml b/dev/helm/templates/postgresql-secret.yaml new file mode 100644 index 000000000..26a1da75b --- /dev/null +++ b/dev/helm/templates/postgresql-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.postgresql.enabled (not .Values.postgresql.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "wiki.postgresql.fullname" . }} + labels: + {{- include "wiki.labels" . | nindent 4 }} +type: Opaque +data: + postgresql-password: {{ .Values.postgresql.postgresqlPassword | b64enc | quote }} + postgresql-username: {{ .Values.postgresql.postgresqlUser | b64enc | quote }} +{{- end }} diff --git a/dev/helm/templates/postgresql-service.yaml b/dev/helm/templates/postgresql-service.yaml new file mode 100644 index 000000000..4e87c33b3 --- /dev/null +++ b/dev/helm/templates/postgresql-service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.postgresql.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "wiki.postgresql.fullname" . }} + labels: + {{- include "wiki.labels" . | nindent 4 }} + {{- with .Values.postgresql.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.postgresql.service.type }} + ports: + - port: {{ .Values.postgresql.service.port }} + targetPort: 5432 + protocol: TCP + name: postgresql + selector: + {{- include "wiki.postgresql.selectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/dev/helm/templates/postgresql-statefulset.yaml b/dev/helm/templates/postgresql-statefulset.yaml new file mode 100644 index 000000000..4d035295e --- /dev/null +++ b/dev/helm/templates/postgresql-statefulset.yaml @@ -0,0 +1,101 @@ +{{- if .Values.postgresql.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "wiki.postgresql.fullname" . }} + labels: + {{- include "wiki.labels" . | nindent 4 }} +spec: + serviceName: {{ include "wiki.postgresql.fullname" . }} + replicas: 1 + selector: + matchLabels: + {{- include "wiki.postgresql.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "wiki.postgresql.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.postgresql.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.postgresql.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.postgresql.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: postgresql + image: {{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }} + imagePullPolicy: {{ .Values.postgresql.image.pullPolicy }} + ports: + - containerPort: 5432 + name: postgresql + env: + - name: POSTGRES_DB + value: {{ .Values.postgresql.postgresqlDatabase | quote }} + - name: POSTGRES_USER + {{- if .Values.postgresql.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.existingSecret }} + key: {{ default "postgresql-username" .Values.postgresql.existingSecretUserKey | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ include "wiki.postgresql.fullname" . }} + key: postgresql-username + {{- end }} + - name: POSTGRES_PASSWORD + {{- if .Values.postgresql.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.postgresql.existingSecret }} + key: {{ default "postgresql-password" .Values.postgresql.existingSecretKey | quote }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ include "wiki.postgresql.fullname" . }} + key: postgresql-password + {{- end }} + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + livenessProbe: + exec: + command: + - sh + - -c + - exec pg_isready -U {{ .Values.postgresql.postgresqlUser }} -d {{ .Values.postgresql.postgresqlDatabase }} + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + readinessProbe: + exec: + command: + - sh + - -c + - exec pg_isready -U {{ .Values.postgresql.postgresqlUser }} -d {{ .Values.postgresql.postgresqlDatabase }} + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 3 + failureThreshold: 6 + resources: + {{- toYaml .Values.postgresql.resources | nindent 12 }} + volumeMounts: + - name: postgresql-data + mountPath: /var/lib/postgresql/data + subPath: postgresql + volumes: + - name: postgresql-data + {{- if .Values.postgresql.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "wiki.postgresql.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} +{{- end }} diff --git a/dev/helm/templates/service.yaml b/dev/helm/templates/service.yaml index 62bcff25b..688f6b572 100644 --- a/dev/helm/templates/service.yaml +++ b/dev/helm/templates/service.yaml @@ -19,8 +19,4 @@ spec: targetPort: http protocol: TCP name: http - - port: {{ default "443" .Values.service.httpsPort}} - targetPort: http - protocol: TCP - name: https selector: {{- include "wiki.selectorLabels" . | nindent 4}} diff --git a/dev/helm/values.yaml b/dev/helm/values.yaml index db5496c04..9d65b2a82 100644 --- a/dev/helm/values.yaml +++ b/dev/helm/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. replicaCount: 1 -revisionHistoryLimit: 10 +revisionHistoryLimit: 2 image: repository: requarks/wiki @@ -61,7 +61,6 @@ service: # Annotations applied for services such as externalDNS or # service type LoadBalancer # type: LoadBalancer - # httpsPort: 443 # annotations: {} # loadBalancerIP: 172.16.0.1 @@ -108,7 +107,7 @@ volumes: [] sideload: enabled: false # Git-Repo containing all locales.json-files you need: - repoURL: https://github.com/Requarks/wiki-localization + repoURL: https://github.com/requarks/wiki-localization ## This can be helpfull if you have internet access over a http proxy: env: [] @@ -156,47 +155,52 @@ extraEnvVars: [] # # For self signed CAs, like DigitalOcean # NODE_TLS_REJECT_UNAUTHORIZED: "0" -## Configuration values for the postgresql dependency. -## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## Configuration for the custom PostgreSQL 18 deployment ## postgresql: - ## Use the PostgreSQL chart dependency. - ## Set to false if bringing your own PostgreSQL, and set secret value postgresql-uri. - ## enabled: true ## ssl enforce SSL communication with PostgresSQL ## Default to false ## - # ssl: false + ssl: false ## ca Certificate of Authority ## Default to empty, point to location of CA ## # ca: "path to ca" ## postgresqlHost override postgres database host - ## Default to postgres + ## Default to the service name of the custom PostgreSQL deployment ## - # postgresqlHost: postgres + postgresqlHost: "{{ include \"wiki.postgresql.fullname\" . }}" ## postgresqlPort port for postgres ## Default to 5432 ## - # postgresqlPort: 5432 - ## PostgreSQL fullname Override - ## Default to wiki-postgresql unless fullname override is set for Chart - ## - fullnameOverride: "" + postgresqlPort: 5432 ## PostgreSQL User to create. ## postgresqlUser: postgres ## PostgreSQL Database to create. ## postgresqlDatabase: wiki + ## PostgreSQL password (will be stored in a secret) + ## + postgresqlPassword: "postgres" + + ## Use existing secret for PostgreSQL credentials + ## If set, the chart will not create a new secret and will use the existing one + ## + # existingSecret: "my-existing-postgres-secret" + + ## Key in the existing secret containing the password + ## + # existingSecretKey: "postgresql-password" + + ## Key in the existing secret containing the username (defaults to "postgresql-username") + ## + # existingSecretUserKey: "postgresql-username" + ## Persistent Volume Storage configuration. ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes ## - replication: - ## Enable PostgreSQL replication (primary/secondary) - ## - enabled: false persistence: ## Enable PostgreSQL persistence using Persistent Volume Claims. ## @@ -215,3 +219,34 @@ postgresql: ## Persistent Volume Storage Size. ## size: 8Gi + + ## PostgreSQL Image Configuration + image: + repository: postgres + tag: "18" + pullPolicy: IfNotPresent + + ## PostgreSQL Resources Configuration + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## PostgreSQL Node Selector, Tolerations and Affinity + nodeSelector: {} + tolerations: [] + affinity: {} + + ## PostgreSQL Service Configuration + service: + type: ClusterIP + port: 5432 + # Additional service annotations + annotations: {}