add database to immich

2026-02-08 01:36:28 +01:00 · 2026-01-03 12:29:44 +01:00
parent c1c0ae8707
commit 71feab50b1
9 changed files with 394 additions and 205 deletions
--- a/apps/charts/immich/templates/database.yaml
+++ b/apps/charts/immich/templates/database.yaml
@@ -1,106 +1 @@
-{{ include "common.externalSecrets.passwordGenerators" . }}
-{{ include "common.externalSecrets.externalSecrets" . }}
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Release.Name }}-postgres"
-type: Opaque
-stringData:
-  POSTGRES_DB: immich
-  POSTGRES_USER: immich
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "{{ .Release.Name }}-postgres"
-spec:
-  strategy:
-    type: Recreate
-  replicas: 1
-  selector:
-    matchLabels:
-      app: "{{ .Release.Name }}-postgres"
-  template:
-    metadata:
-      labels:
-        app: "{{ .Release.Name }}-postgres"
-    spec:
-      containers:
-        - name: postgres
-          image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}"
-          imagePullPolicy: "{{ .Values.postgres.image.pullPolicy }}"
-          env:
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Release.Name }}-postgres"
-                  key: POSTGRES_DB
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Release.Name }}-postgres"
-                  key: POSTGRES_USER
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Release.Name }}-postgres-secret"
-                  key: password
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
-          ports:
-            - name: postgres
-              containerPort: 5432
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /var/lib/postgresql/data
-              name: postgres-data
-          livenessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - pg_isready -U immich
-          readinessProbe:
-            exec:
-              command:
-                - /bin/sh
-                - -c
-                - pg_isready -U immich
-      volumes:
-        - name: postgres-data
-          persistentVolumeClaim:
-            claimName: "{{ .Release.Name }}-postgres-data"
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: "{{ .Release.Name }}-postgres"
-  labels:
-    app: "{{ .Release.Name }}-postgres"
-spec:
-  type: ClusterIP
-  ports:
-    - port: 5432
-      targetPort: 5432
-      protocol: TCP
-      name: postgres
-  selector:
-    app: "{{ .Release.Name }}-postgres"
-
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: "{{ .Release.Name }}-postgres-data"
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 50Gi
-  storageClassName: "{{ .Values.globals.environment }}"
-
+{{ include "common.database" . }}
--- a/apps/charts/immich/templates/db-config-job.yaml
+++ b/apps/charts/immich/templates/db-config-job.yaml
@@ -1,87 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-db-config-generator"
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "5"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
-  template:
-    metadata:
-      annotations:
-        sidecar.istio.io/inject: "false"
-    spec:
-      restartPolicy: OnFailure
-      serviceAccountName: "{{ .Release.Name }}-db-config-sa"
-      containers:
-        - name: generator
-          image: python:3.11-slim
-          command:
-            - /bin/bash
-            - -c
-            - |
-              set -e
-              # Install kubectl
-              apt-get update -qq && apt-get install -y -qq curl > /dev/null 2>&1 && \
-              curl -sSL "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /tmp/kubectl && \
-              chmod +x /tmp/kubectl && mv /tmp/kubectl /usr/local/bin/kubectl
-              
-              PASSWORD_B64=$(cat /secrets/password)
-              # Decode the password (secret is double base64-encoded, Kubernetes auto-decodes first level)
-              # Then URL encode the password to handle special characters using Python
-              PASSWORD=$(python3 -c "import base64; import sys; print(base64.b64decode(sys.stdin.read().strip()).decode('utf-8'))" <<< "$PASSWORD_B64")
-              ENCODED_PASSWORD=$(python3 -c "import urllib.parse; import sys; print(urllib.parse.quote(sys.stdin.read().strip(), safe=''))" <<< "$PASSWORD")
-              DB_URL="postgresql://immich:${ENCODED_PASSWORD}@{{ .Release.Name }}-postgres.{{ .Release.Namespace }}.svc.cluster.local:5432/immich"
-              # Create or update the ConfigMap
-              kubectl create configmap {{ .Release.Name }}-db-config --from-literal=url="${DB_URL}" --dry-run=client -o yaml | kubectl apply -f -
-              echo "ConfigMap {{ .Release.Name }}-db-config created/updated successfully"
-          volumeMounts:
-            - name: postgres-secret
-              mountPath: /secrets
-              readOnly: true
-      volumes:
-        - name: postgres-secret
-          secret:
-            secretName: "{{ .Release.Name }}-postgres-secret"
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "{{ .Release.Name }}-db-config-sa"
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-10"
-    "helm.sh/hook-delete-policy": before-hook-creation
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: "{{ .Release.Name }}-db-config-role"
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-9"
-    "helm.sh/hook-delete-policy": before-hook-creation
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "create", "update", "patch", "delete"]
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: "{{ .Release.Name }}-db-config-rolebinding"
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-8"
-    "helm.sh/hook-delete-policy": before-hook-creation
-subjects:
-  - kind: ServiceAccount
-    name: "{{ .Release.Name }}-db-config-sa"
-roleRef:
-  kind: Role
-  name: "{{ .Release.Name }}-db-config-role"
-  apiGroup: rbac.authorization.k8s.io
--- a/apps/charts/immich/templates/deployment.yaml
+++ b/apps/charts/immich/templates/deployment.yaml
@@ -21,8 +21,8 @@ spec:
          env:
            - name: DB_URL
              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Release.Name }}-db-config"
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-connection"
                  key: url
            - name: DB_VECTOR_EXTENSION
              value: pgvector
@@ -124,8 +124,8 @@ spec:
          env:
            - name: DB_URL
              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Release.Name }}-db-config"
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-connection"
                  key: url
            - name: DB_VECTOR_EXTENSION
              value: pgvector
--- a/apps/charts/immich/values.yaml
+++ b/apps/charts/immich/values.yaml
@@ -20,11 +20,6 @@ postgres:
    tag: pg16@sha256:0a07c4114ba6d1d04effcce3385e9f5ce305eb02e56a3d35948a415a52f193ec
    pullPolicy: IfNotPresent

-# External secrets configuration
-externalSecrets:
-  - name: "{release}-postgres-secret"
-    passwords:
-      - name: password
-        length: 64
-        encoding: base64
-        allowRepeat: true
+# Database configuration
+database:
+  enabled: true