claude
96cac05191
Two bugs caused the "temporary key" warning in phpMyAdmin: 1. deployment.yaml: PMA_BLOWFISH_SECRET env var was only injected when blowfishSecret or existingSecret was explicitly set. With default empty values, the env var was never passed to the container, so phpMyAdmin fell back to an empty string and auto-generated a temporary key. Fix: always inject PMA_BLOWFISH_SECRET since the Secret is always created. 2. secret.yaml: randAlphaNum generated a new random value on every helm upgrade, invalidating all cookies and logging out users on every deployment. Fix: use lookup to check if the Secret already exists and reuse its value; only generate a new random value on first install. Also add checksum/secret annotation to trigger pod rollout when the secret changes (e.g. when blowfishSecret value is updated in values.yaml). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
203 lines
7.5 KiB
YAML
203 lines
7.5 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ include "phpmyadmin-nginx.fullname" . }}
|
|
labels:
|
|
{{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
|
|
spec:
|
|
{{- if not .Values.autoscaling.enabled }}
|
|
replicas: {{ .Values.replicaCount }}
|
|
{{- end }}
|
|
selector:
|
|
matchLabels:
|
|
{{- include "phpmyadmin-nginx.selectorLabels" . | nindent 6 }}
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
|
checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}
|
|
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
|
|
{{- with .Values.podAnnotations }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "phpmyadmin-nginx.selectorLabels" . | nindent 8 }}
|
|
spec:
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccountName: {{ include "phpmyadmin-nginx.serviceAccountName" . }}
|
|
securityContext:
|
|
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
|
initContainers:
|
|
- name: copy-phpmyadmin
|
|
image: "{{ .Values.image.phpmyadmin.registry }}/{{ .Values.image.phpmyadmin.repository }}:{{ .Values.image.phpmyadmin.tag }}"
|
|
imagePullPolicy: {{ .Values.image.phpmyadmin.pullPolicy }}
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
echo "Copying phpMyAdmin files to shared volume..."
|
|
cp -rp /var/www/html/. /tmp/phpmyadmin/
|
|
echo "Copy completed successfully"
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
runAsNonRoot: true
|
|
runAsUser: 82
|
|
volumeMounts:
|
|
- name: phpmyadmin-data
|
|
mountPath: /tmp/phpmyadmin
|
|
containers:
|
|
- name: nginx
|
|
securityContext:
|
|
{{- toYaml .Values.securityContext.nginx | nindent 10 }}
|
|
image: "{{ .Values.image.nginx.registry }}/{{ .Values.image.nginx.repository }}:{{ .Values.image.nginx.tag }}"
|
|
imagePullPolicy: {{ .Values.image.nginx.pullPolicy }}
|
|
ports:
|
|
- name: http
|
|
containerPort: 8080
|
|
protocol: TCP
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: http
|
|
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
|
|
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: http
|
|
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
|
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
|
resources:
|
|
{{- toYaml .Values.resources.nginx | nindent 10 }}
|
|
volumeMounts:
|
|
- name: nginx-config
|
|
mountPath: /etc/nginx/nginx.conf
|
|
subPath: nginx.conf
|
|
readOnly: true
|
|
- name: nginx-default-conf
|
|
mountPath: /etc/nginx/conf.d/default.conf
|
|
subPath: default.conf
|
|
readOnly: true
|
|
- name: nginx-cache
|
|
mountPath: /var/cache/nginx
|
|
- name: nginx-run
|
|
mountPath: /var/run
|
|
- name: phpmyadmin-data
|
|
mountPath: /var/www/html
|
|
- name: phpmyadmin
|
|
securityContext:
|
|
{{- toYaml .Values.securityContext.phpmyadmin | nindent 10 }}
|
|
image: "{{ .Values.image.phpmyadmin.registry }}/{{ .Values.image.phpmyadmin.repository }}:{{ .Values.image.phpmyadmin.tag }}"
|
|
imagePullPolicy: {{ .Values.image.phpmyadmin.pullPolicy }}
|
|
env:
|
|
{{- range .Values.phpmyadmin.hosts }}
|
|
- name: PMA_HOST
|
|
value: {{ .host | quote }}
|
|
- name: PMA_PORT
|
|
value: {{ .port | quote }}
|
|
{{- end }}
|
|
- name: PMA_ARBITRARY
|
|
value: {{ .Values.phpmyadmin.env.PMA_ARBITRARY | quote }}
|
|
{{- if .Values.phpmyadmin.env.PMA_ABSOLUTE_URI }}
|
|
- name: PMA_ABSOLUTE_URI
|
|
value: {{ .Values.phpmyadmin.env.PMA_ABSOLUTE_URI | quote }}
|
|
{{- end }}
|
|
- name: UPLOAD_LIMIT
|
|
value: {{ .Values.phpmyadmin.env.UPLOAD_LIMIT | quote }}
|
|
- name: MEMORY_LIMIT
|
|
value: {{ .Values.phpmyadmin.env.MEMORY_LIMIT | quote }}
|
|
- name: MAX_EXECUTION_TIME
|
|
value: {{ .Values.phpmyadmin.env.MAX_EXECUTION_TIME | quote }}
|
|
{{- /* Secretは常に存在する(自動生成 or existingSecret)ため、常に注入する */}}
|
|
- name: PMA_BLOWFISH_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.phpmyadmin.existingSecret | default (include "phpmyadmin-nginx.fullname" .) }}
|
|
key: blowfish-secret
|
|
ports:
|
|
- name: php-fpm
|
|
containerPort: 9000
|
|
protocol: TCP
|
|
livenessProbe:
|
|
tcpSocket:
|
|
port: php-fpm
|
|
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
|
|
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
|
|
readinessProbe:
|
|
tcpSocket:
|
|
port: php-fpm
|
|
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
|
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
|
resources:
|
|
{{- toYaml .Values.resources.phpmyadmin | nindent 10 }}
|
|
volumeMounts:
|
|
- name: phpmyadmin-data
|
|
mountPath: /var/www/html
|
|
- name: phpmyadmin-config
|
|
mountPath: /etc/phpmyadmin/config.user.inc.php
|
|
subPath: config.inc.php
|
|
readOnly: true
|
|
{{- if .Values.persistence.enabled }}
|
|
- name: sessions
|
|
mountPath: /sessions
|
|
{{- end }}
|
|
- name: php-fpm-run
|
|
mountPath: /var/run
|
|
volumes:
|
|
- name: nginx-config
|
|
configMap:
|
|
name: {{ include "phpmyadmin-nginx.fullname" . }}-nginx
|
|
items:
|
|
- key: nginx.conf
|
|
path: nginx.conf
|
|
- name: nginx-default-conf
|
|
configMap:
|
|
name: {{ include "phpmyadmin-nginx.fullname" . }}-nginx
|
|
items:
|
|
- key: default.conf
|
|
path: default.conf
|
|
- name: phpmyadmin-config
|
|
configMap:
|
|
name: {{ include "phpmyadmin-nginx.fullname" . }}
|
|
items:
|
|
- key: config.inc.php
|
|
path: config.inc.php
|
|
- name: nginx-cache
|
|
emptyDir: {}
|
|
- name: nginx-run
|
|
emptyDir: {}
|
|
- name: php-fpm-run
|
|
emptyDir: {}
|
|
- name: phpmyadmin-data
|
|
emptyDir: {}
|
|
{{- if .Values.persistence.enabled }}
|
|
- name: sessions
|
|
persistentVolumeClaim:
|
|
claimName: {{ include "phpmyadmin-nginx.fullname" . }}
|
|
{{- end }}
|
|
{{- with .Values.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }} |