Ontotext-AD · Secchol · Jul 23, 2024 · Jul 22, 2024 · Aug 6, 2024 · Aug 13, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,23 @@
 # GraphDB Helm chart release notes
 
+## Version 11.2.0
+
+### New
+
+- Added CronJob for scheduling GraphDB backups. The CronJob supports both local and cloud backups.
+ - Added new configurations under `backup`: `backup.enabled` for toggling the backup CronJob, `backup.type` for selecting between local and
+ cloud and more.
+ - Local backups support saving the GraphDB backup archives in volume from an existing persistent volume claim, configured
+ with `backup.local`
+ - Cloud backups support uploading the GraphDB backup archives in one of the supported cloud object storage services, configured
+ with `backup.cloud`
+ - Added a new example under [examples/backup-local](examples/backup-local) showing how to use the local backup feature
+
+### Fixed
+
+- Updated the GraphDB containers to explicitly use `/tmp` as a working directory to avoid permission errors due to the
+ default security context's `readOnlyRootFilesystem` when the container has a starting folder different from `/tmp`.
+
 ## Version 11.1.3
 
 ### New

diff --git a/Chart.yaml b/Chart.yaml
@@ -5,7 +5,7 @@ apiVersion: v2
 name: graphdb
 description: GraphDB is a highly efficient, scalable and robust graph database with RDF and SPARQL support.
 type: application
-version: 11.1.3
+version: 11.2.0
 appVersion: 10.7.3
 kubeVersion: ^1.26.0-0
 home: https://graphdb.ontotext.com/

diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # Helm Chart for GraphDB
 
 [![CI](https://github.com/Ontotext-AD/graphdb-helm/actions/workflows/ci.yml/badge.svg)](https://github.com/Ontotext-AD/graphdb-helm/actions/workflows/ci.yml)
-![Version: 11.1.3](https://img.shields.io/badge/Version-11.1.3-informational?style=flat-square)
+![Version: 11.2.0](https://img.shields.io/badge/Version-11.2.0-informational?style=flat-square)
 ![AppVersion: 10.7.3](https://img.shields.io/badge/AppVersion-10.7.3-informational?style=flat-square)
 
 <!--
@@ -310,6 +310,19 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | annotations | object | `{}` | |
 | args | list | `[]` | |
 | automountServiceAccountToken | bool | `false` | |
+| backup.cloud.bucketUri | string | `""` | |
+| backup.enabled | bool | `false` | |
+| backup.extraEnv | list | `[]` | |
+| backup.extraEnvFrom | list | `[]` | |
+| backup.failedJobsHistoryLimit | int | `3` | |
+| backup.local.existingPVC | string | `""` | |
+| backup.local.mountPath | string | `"/opt/graphdb/backups/"` | |
+| backup.options.backupSystemData | bool | `true` | |
+| backup.optionsSecret.existingSecret | string | `""` | |
+| backup.optionsSecret.secretKey | string | `"backup_options.json"` | |
+| backup.schedule | string | `"@midnight"` | |
+| backup.successfulJobsHistoryLimit | int | `3` | |
+| backup.type | string | `"cloud"` | |
 | cluster.clusterCreationTimeout | int | `60` | |
 | cluster.config.configmapKey | string | `"cluster-config.json"` | |
 | cluster.config.existingConfigmap | string | `""` | |
@@ -384,7 +397,7 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | ingress.path | string | `""` | |
 | ingress.pathType | string | `"Prefix"` | |
 | ingress.tls.enabled | bool | `false` | |
-| ingress.tls.secretName | string | `nil` | |
+| ingress.tls.secretName | string | `""` | |
 | initContainerDataPermissions.enabled | bool | `false` | |
 | initContainerDataPermissions.securityContext.runAsNonRoot | bool | `false` | |
 | initContainerDataPermissions.securityContext.runAsUser | int | `0` | |
@@ -638,6 +651,16 @@ DNS is broken. This is a common issue with Minikube between system restarts or w
 Minikube driver is used. Please refer to
 https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/.
 
+**Filesystem provisioning errors (in Multi-Node Minikube Cluster)**
+
+When expanding your Minikube cluster from one to two or more nodes to deploy different GraphDB
+instances across multiple nodes to ensure high availability, you may encounter errors when
+setting up persistent storage. These issues are due to implementation problems with the storage
+provisioner included with Minikube. To resolve this, you need to adjust your environment accordingly.
+Follow the steps outlined in the official Minikube documentation under the ["CSI Driver and Volume
+Snapshots"](https://minikube.sigs.k8s.io/docs/tutorials/volume_snapshots_and_csi/) section, specifically
+in the "Multi-Node Clusters" chapter.
+
 ## Maintainers
 
 | Name | Email | Url |

diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -323,6 +323,16 @@ DNS is broken. This is a common issue with Minikube between system restarts or w
 Minikube driver is used. Please refer to
 https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/.
 
+**Filesystem provisioning errors (in Multi-Node Minikube Cluster)**
+
+When expanding your Minikube cluster from one to two or more nodes to deploy different GraphDB
+instances across multiple nodes to ensure high availability, you may encounter errors when
+setting up persistent storage. These issues are due to implementation problems with the storage
+provisioner included with Minikube. To resolve this, you need to adjust your environment accordingly.
+Follow the steps outlined in the official Minikube documentation under the ["CSI Driver and Volume
+Snapshots"](https://minikube.sigs.k8s.io/docs/tutorials/volume_snapshots_and_csi/) section, specifically
+in the "Multi-Node Clusters" chapter.
+
 ## Maintainers
 
 {{ template "chart.maintainersTable" . }}

diff --git a/examples/aws/ingress/README.md b/examples/aws/ingress/README.md
@@ -17,4 +17,8 @@ This document describes the steps on how to configure the GraphDB Helm chart to
 
 ## Note
 
-After you deploy and the ingress is created please change the externalUrl value to the DNS name of the ALB or Route53.
+After you deploy the GraphDB chart you should either point an DNS name to the ALB and set
+the externalUrl property in the chart and re-apply it, or the other option you can use nip.io and map it's
+public ip address to nip.io. In order to do that use the kubectl get ingress commands and copy the Public IP
+for the GraphDB ingress, then go to the values file and set the externalUrl property to http://ip.address.nip.io/.
+Otherwise Workbench won't be accessible.
diff --git a/examples/aws/ingress/values.yaml b/examples/aws/ingress/values.yaml
@@ -1,14 +1,18 @@
 # This example shows how to deploy and expose GraphDB with AWS Load Balancer Controller Ingress without SSL.
 
 configuration:
- externalUrl: http://graphdb-example-dns-name.com/ # Change this to your ALB DNS name or Route53 if you use it.
+ # Change this to your Route53 domain name or use nip.io which you can do after you deploy the chart since you
+ # need to map the public IP address of the AWS Load Balancer to the nip.io.
+ externalUrl: http://ip.address.nip.io/
 
 ingress:
  enabled: true
  className: alb
  annotations:
  alb.ingress.kubernetes.io/load-balancer-name: graphdb-ingress
  alb.ingress.kubernetes.io/target-type: ip
+ # This ensures the load balancer is public
  alb.ingress.kubernetes.io/scheme: internet-facing
  alb.ingress.kubernetes.io/inbound-cidrs: "0.0.0.0/0"
+ # Define the ports on which the Ingress should create listener
  alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
diff --git a/examples/aws/ingress/values_https.yaml b/examples/aws/ingress/values_https.yaml
@@ -1,17 +1,23 @@
 # This example shows how to deploy and expose GraphDB with AWS Load Balancer Controller Ingress with SSL enabled.
 
 configuration:
- externalUrl: https://graphdb-example-dns-name.com/ # Change this to your ALB DNS name or Route53 if you use it.
+ # Change this to your Route53 domain name or use nip.io which you can do after you deploy the chart since you
+ # need to map the public IP address of the AWS Load Balancer to the nip.io.
+ externalUrl: https://ip.address.nip.io
 
 ingress:
  enabled: true
  className: alb
  annotations:
  alb.ingress.kubernetes.io/load-balancer-name: graphdb-ingress
  alb.ingress.kubernetes.io/target-type: ip
+ # This ensures the load balancer is public
  alb.ingress.kubernetes.io/scheme: internet-facing
  alb.ingress.kubernetes.io/inbound-cidrs: "0.0.0.0/0"
+ # Define the ports on which the Ingress should create listener
  alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
- alb.ingress.kubernetes.io/certificate-arn: "" # ARN of the ACM SSL Certificate that will be used
+ # ARN of the ACM SSL Certificate that will be used
+ alb.ingress.kubernetes.io/certificate-arn: ""
  alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
- alb.ingress.kubernetes.io/ssl-redirect: '443'
+ # Enable SSL redirect on the listener
+ alb.ingress.kubernetes.io/ssl-redirect: '443'
diff --git a/examples/aws/lb-example/README.md b/examples/aws/lb-example/README.md
@@ -11,4 +11,4 @@ This folder contains examples of using GraphDB with the AWS Network Load Balance
 ## Example
 
 * [values.yaml](values.yaml) - Example of how to deploy and expose GraphDB with Network Load Balancer without SSL enabled.
-* [values_https.yaml] - Example of how to deploy and expose GraphDB with Network Load Balancer with SSL enabled.
+* [values_https.yaml](values_https.yaml) - Example of how to deploy and expose GraphDB with Network Load Balancer with SSL enabled.
diff --git a/examples/aws/lb-example/values.yaml b/examples/aws/lb-example/values.yaml
@@ -10,5 +10,6 @@ service:
  service.beta.kubernetes.io/aws-load-balancer-name: "graphdb-lb"
  service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
  service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
- service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" # This ensures the load balancer is internet-facing
+ # This ensures the load balancer is public
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
  service.beta.kubernetes.io/load-balancer-source-ranges: "0.0.0.0/0"
diff --git a/examples/aws/lb-example/values_https.yaml b/examples/aws/lb-example/values_https.yaml
@@ -10,8 +10,10 @@ service:
  service.beta.kubernetes.io/aws-load-balancer-name: "graphdb-lb"
  service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
  service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
- service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" # This ensures the load balancer is internet-facing
+ # This ensures the load balancer is public
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
  service.beta.kubernetes.io/load-balancer-source-ranges: "0.0.0.0/0"
- service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "" # ARN of the ACM SSL Certificate that will be used
- service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" # Ports to be used for the SSL
- service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
+ # ARN of the ACM SSL Certificate that will be used
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ""
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
diff --git a/examples/aws/service-account/README.md b/examples/aws/service-account/README.md
@@ -2,7 +2,8 @@
 
 This folder contains examples of using GraphDB with the Service account to gain access to the AWS services.
 
-The main reason that we want to use service accounts is that GraphDB relies on S3 for the Cloud Backups. But you can use that service account to use other AWS services from the EKS cluster as well, 
+The main reason that we want to use service accounts is that GraphDB relies on S3 for the Cloud Backups. 
+But you can use that service account to use other AWS services from the EKS cluster as well, 
 when you have configured your IAM policies properly.
 
 ## Pre-requisites
@@ -15,4 +16,3 @@ when you have configured your IAM policies properly.
 ## Example
 
 * [values.yaml](values.yaml) - Example of how to deploy the service account.
-
diff --git a/examples/aws/service-account/values.yaml b/examples/aws/service-account/values.yaml
@@ -1,5 +1,5 @@
 serviceAccount:
  create: true
- name: graphdb
  annotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/eks-service-account-role # Example ARN Role, replace with your actual IAM Role ARN
+ # Example ARN Role, replace with your actual IAM Role ARN
+ eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/eks-service-account-role
diff --git a/examples/azure/ingress/README.md b/examples/azure/ingress/README.md
@@ -0,0 +1,22 @@
+# AKS Application Gateway Ingress deployment
+
+This document describes the steps on how to configure the GraphDB Helm chart to use Application Gateway Ingress on Azure AKS.
+
+## Prerequisites
+
+* AKS Cluster: Ensure you have an AKS cluster up and running.
+* [Enable application gateway ingress on existing AKS cluster](https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-new)
+* [Application Gateway supported annotations](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/)
+
+## Example
+
+* [values.yaml](values.yaml) - Example of how to deploy and expose GraphDB with Ingress without SSL enabled.
+* [values_https.yaml](values_https.yaml) - Example of how to deploy and expose GraphDB with Ingress with SSL enabled.
+
+## Note
+
+After you deploy the GraphDB chart you should either point an DNS name to the Application Gateway and set 
+the externalUrl property in the chart and re-apply it, or the other option you can use nip.io and map it's 
+public ip address to nip.io. In order to do that use the kubectl get ingress commands and copy the Public IP 
+for the GraphDB ingress, then go to the values file and set the externalUrl property to http://ip.address.nip.io/. 
+Otherwise Workbench won't be accessible.
diff --git a/examples/azure/ingress/values.yaml b/examples/azure/ingress/values.yaml
@@ -0,0 +1,10 @@
+# This example shows how to deploy and expose GraphDB with Application Gateway Ingress without SSL.
+
+configuration:
+ # Change this to your AzureDNS domain name or use nip.io which you can do after you deploy the chart since you
+ # need to map the public IP address of the Application Gateway to the nip.io.
+ externalUrl: http://ip.address.nip.io/
+
+ingress:
+ enabled: true
+ className: azure-application-gateway
diff --git a/examples/azure/ingress/values_https.yaml b/examples/azure/ingress/values_https.yaml
@@ -0,0 +1,15 @@
+# This example shows how to deploy and expose GraphDB with Application Gateway Ingress with SSL certificate hosted in the KeyVault Service.
+
+configuration:
+ # Change this to your AzureDNS domain name or use nip.io which you can do after you deploy the chart since you
+ # need to map the public IP address of the Application Gateway to the nip.io.
+ externalUrl: https://ip.address.nip.io/
+
+ingress:
+ enabled: true
+ className: azure-application-gateway
+ annotations:
+ # Set the name of the SSL certificate that you have in the KeyVault Service
+ appgw.ingress.kubernetes.io/appgw-ssl-certificate: "name-of-appgw-installed-certificate"
+ # Enable SSL redirect on the listener
+ appgw.ingress.kubernetes.io/ssl-redirect: "true"
diff --git a/examples/azure/lb-example/README.md b/examples/azure/lb-example/README.md
@@ -0,0 +1,14 @@
+# AKS Load Balancer type deployment
+
+This folder contains examples of using GraphDB with the Azure Load Balancer.
+
+## Pre-requisites 
+
+* AKS Cluster: Ensure you have an AKS cluster up and running.
+* [Use a public standard load balancer in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard)
+* [Expose an AKS service over HTTP or HTTPS using Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-expose-service-over-http-https)
+* [Azure Kubernetes Service Type Load Balancer supported annotations](https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations)
+
+## Example
+
+* [values.yaml](values.yaml) - Example of how to deploy and expose GraphDB with Azure Load Balancer.
diff --git a/examples/azure/lb-example/values.yaml b/examples/azure/lb-example/values.yaml
@@ -0,0 +1,9 @@
+# This example shows how to deploy and expose GraphDB with Service Type Load Balancer without SSL enabled.
+
+service:
+ enabled: true
+ ports:
+ http: 80
+ type: LoadBalancer
+ annotations:
+ service.beta.kubernetes.io/azure-load-balancer-internal: "false"
diff --git a/examples/azure/service-account/README.md b/examples/azure/service-account/README.md
@@ -0,0 +1,21 @@
+# Azure Service Account Examples
+
+This folder contains examples of using GraphDB with the Service account to gain access to the Azure services.
+
+The main reason that we want to use service accounts is that GraphDB relies on Azure Storage Account 
+for the Cloud Backups. But you can use that service account to use other Azure services from the AKS cluster as well,
+when you have configured your IAM Role Assignments properly.
+
+## Pre-requisites
+
+* AKS Cluster: Ensure you have an AKS cluster up and running.
+* Before starting with the service account setup you should have an IAM Role assignment that should 
+ have access to the Azure Storage Account Service.
+* [Best practices for authentication and authorization in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-identity)
+* [Azure Login using identity](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-managed-identity)
+* [Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster)
+* [Azure Role Assignments](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal)
+
+## Example
+
+* [values.yaml](values.yaml) - Example of how to deploy the service account.
diff --git a/examples/azure/service-account/values.yaml b/examples/azure/service-account/values.yaml
@@ -0,0 +1,4 @@
+serviceAccount:
+ create: true
+ annotations:
+ azure.workload.identity/client-id: <YOUR_MANAGED_IDENTITIY_CLIENT_ID>
diff --git a/examples/backup-local/README.md b/examples/backup-local/README.md
@@ -0,0 +1,16 @@
+# Local GraphDB Backups Example
+
+This example shows how to configure the Helm chart with local GraphDB backups backed by an existing Persistence Volume Claim.
+
+## Configuration
+
+The default [values.yaml](values.yaml) in the example uses a simple PVC that should be sufficient for demonstration purposes.
+Ideally, you should consider using a PVC with cross-zone or cross-region data replication for better resiliency.
+
+Keep in mind that the chart does not rotate backups, this is up to you and your retention policy.
+
+## Usage
+
+```bash
+helm upgrade --install --values ./values.yaml graphdb ontotext/graphdb
+```
diff --git a/examples/backup-local/values.yaml b/examples/backup-local/values.yaml
@@ -0,0 +1,21 @@
+backup:
+ enabled: true
+
+ type: local
+
+ local:
+ existingPVC: local-backups
+
+# Example of a simple PVC that can be used as local backup storage.
+# Ideally, you should provide something that is replicated across AZs or even regions.
+extraObjects:
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: local-backups
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi