diff --git a/applications/neo4j/.gitignore b/applications/neo4j/.gitignore
new file mode 100644
index 00000000..7c561691
--- /dev/null
+++ b/applications/neo4j/.gitignore
@@ -0,0 +1 @@
+helm-charts
\ No newline at end of file
diff --git a/applications/neo4j/README.md b/applications/neo4j/README.md
new file mode 100644
index 00000000..cd46617d
--- /dev/null
+++ b/applications/neo4j/README.md
@@ -0,0 +1,22 @@
+# Neo4j browser helm chart
+
+Enable this application to deploy a Neo4j server with the neo4j browser enabled.
+
+## How to use
+The neo4j browser will be enabled at neo4j.[DOMAIN].
+
+![Neo4j browser login](docs/browser-login.png)
+
+The default credentials are set in the [application configuration file](deploy/values.yaml).
+
+It is recommended to change the password during the first login, such as:
+
+```
+ALTER USER default SET PASSWORD ''
+```
+
+## Implementation
+This implementation uses the Neo4j reverse proxy server to enable usage via Ingress and http(s).
+
+For more information, see https://neo4j.com/docs/operations-manual/current/kubernetes/accessing-neo4j-ingress/
+
diff --git a/applications/neo4j/deploy/templates/reverseProxyServer.yaml b/applications/neo4j/deploy/templates/reverseProxyServer.yaml
new file mode 100644
index 00000000..f273acb9
--- /dev/null
+++ b/applications/neo4j/deploy/templates/reverseProxyServer.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.apps.neo4j.harness.deployment.name }}
+ labels:
+ app: {{ .Values.apps.neo4j.harness.deployment.name }}
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.apps.neo4j.harness.deployment.name }}
+ template:
+ metadata:
+ name: {{ .Values.apps.neo4j.harness.deployment.name }}
+ labels:
+ name: {{ .Values.apps.neo4j.harness.deployment.name }}
+ app: {{ .Values.apps.neo4j.harness.deployment.name }}
+ spec:
+ securityContext: {{ toYaml .Values.apps.neo4j.reverseProxy.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Values.apps.neo4j.harness.deployment.name }}
+ image: {{ .Values.apps.neo4j.reverseProxy.image }}
+ imagePullPolicy: Always
+ securityContext: {{ toYaml .Values.apps.neo4j.reverseProxy.containerSecurityContext | nindent 12 }}
+ ports:
+ - containerPort: {{ .Values.apps.neo4j.harness.deployment.port }}
+ env:
+ - name: SERVICE_NAME
+ value: {{ .Values.apps.neo4j.harness.database.name }}
+ - name: PORT
+ value: {{ .Values.apps.neo4j.harness.deployment.port | quote }}
+ - name: DOMAIN
+ value: {{ .Values.apps.neo4j.reverseProxy.domain | default "cluster.local" }}
+ - name: NAMESPACE
+ value: {{ .Release.Namespace }}
+---
\ No newline at end of file
diff --git a/applications/neo4j/deploy/values.yaml b/applications/neo4j/deploy/values.yaml
new file mode 100644
index 00000000..4a9a45a4
--- /dev/null
+++ b/applications/neo4j/deploy/values.yaml
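Review bot: The `SERVICE_NAME` env entry reads `.Values.apps.neo4j.harness.database.name`, so the `reverseProxy.serviceName` key that values.yaml documents at length is never consulted by this template. Either wire it in, e.g. `value: {{ .Values.apps.neo4j.reverseProxy.serviceName | default .Values.apps.neo4j.harness.database.name | quote }}`, or drop the key so operators are not misled about which backend the proxy fronts. `SERVICE_NAME`, `DOMAIN` and `NAMESPACE` are rendered unquoted while `PORT` is piped through `quote`; quoting all four keeps an empty or boolean-looking value from changing type after rendering. The container declares no `resources`, and `imagePullPolicy: Always` on a tag-referenced image means the proxy binary can change between restarts without a chart change; referencing the image by digest would make that reviewable.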
@@ -0,0 +1,41 @@
+harness:
+ subdomain: neo4j
+ database:
+ auto: true
+ name: neo4j-db
+ type: neo4j
+ user: default
+ pass: default
+ deployment:
+ auto: false
+ service:
+ auto: true
+# Parameters for reverse proxy
+reverseProxy:
+ image: "neo4j/helm-charts-reverse-proxy:5.23"
+
+ # Name of the kubernetes service. This service should have the ports 7474 and 7687 open.
+ # This could be the admin service ex: "standalone-admin" or the loadbalancer service ex: "standalone" created via the neo4j helm chart
+ # serviceName , namespace , domain together will form the complete k8s service url. Ex: standalone-admin.default.svc.cluster.local
+ # When used against a cluster ensure the service being used is pointing to all the cluster instances.
+ # This could be the loadbalancer from neo4j helm chart or the headless service installed via neo4j-headless-service helm chart
+ serviceName: ""
+ # default is set to cluster.local
+ domain: "cluster.local"
+
+ # securityContext defines privilege and access control settings for a Container. Making sure that we dont run Neo4j as root user.
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 7474
+ runAsGroup: 7474
+ capabilities:
+ drop:
+ - all
+
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 7474
+ runAsGroup: 7474
+ fsGroup: 7474
+ fsGroupChangePolicy: "Always"
diff --git a/applications/neo4j/docs/browser-login.png b/applications/neo4j/docs/browser-login.png
new file mode 100644
index 00000000..86e1db1e
Binary files /dev/null and b/applications/neo4j/docs/browser-login.png differ
diff --git a/deployment-configuration/helm/templates/auto-database-neo4j.yaml b/deployment-configuration/helm/templates/auto-database-neo4j.yaml
index d64d8b4c..bddbab24 100644
--- a/deployment-configuration/helm/templates/auto-database-neo4j.yaml
+++ b/deployment-configuration/helm/templates/auto-database-neo4j.yaml
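Review bot: `user: default` and `pass: default` commit a guessable credential pair as the chart default, for a database whose browser the README says is published at neo4j.[DOMAIN]. The password should be required from the operator or taken from a Kubernetes Secret rather than falling back to a known value; the README's advice to change it at first login leaves the default live until someone does. Under `containerSecurityContext`, `drop: - all` is lowercase, while the restricted Pod Security profile looks for the literal `ALL`, so `- ALL` is the safer spelling. Adding `seccompProfile: { type: RuntimeDefault }` and `readOnlyRootFilesystem: true` would complete the hardening this block starts, if the proxy image tolerates a read-only root.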
@@ -21,4 +21,6 @@ value: {{ .app.harness.database.neo4j.memory.heap.max }} - name: NEO4J_dbms_security_auth__enabled value: {{ .app.harness.database.neo4j.dbms_security_auth_enabled | quote }} + - name: NEO4J_auth + value: {{ .app.harness.database.user }}/{{ .app.harness.database.pass }} {{- end }} \ No newline at end of file diff --git a/deployment-configuration/helm/templates/auto-database.yaml b/deployment-configuration/helm/templates/auto-database.yaml index 1399961a..582548b9 100644 --- a/deployment-configuration/helm/templates/auto-database.yaml +++ b/deployment-configuration/helm/templates/auto-database.yaml @@ -102,7 +102,7 @@ metadata: app: {{ .app.harness.deployment.name | quote }} {{ include "deploy_utils.labels" .root | indent 4 }} spec: - type: ClusterIP + type: {{ if .app.harness.database.expose }}LoadBalancer{{ else }}ClusterIP{{ end }} selector: app: {{ .app.harness.database.name | quote }} ports: diff --git a/deployment-configuration/value-template.yaml b/deployment-configuration/value-template.yaml index c04439a3..ff281466 100644 --- a/deployment-configuration/value-template.yaml +++ b/deployment-configuration/value-template.yaml @@ -75,6 +75,8 @@ harness: pass: metacell # -- image ref for referencing images from the build, e.g. image_ref: myownpgimage image_ref: + # -- expose database to the public with ingress + expose: false # -- settings for mongo database (for type==mongo) mongo: image: mongo:5 @@ -90,7 +92,7 @@ harness: port: 5432 # -- settings for neo4j database (for type==neo4j) neo4j: - image: neo4j:4.1.9 + image: neo4j:5 memory: size: 256M pagecache: diff --git a/docs/applications/databases.md b/docs/applications/databases.md index 89bd2868..96498f6c 100644 --- a/docs/applications/databases.md +++ b/docs/applications/databases.md 
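Review bot: The added `NEO4J_auth` entry writes the database password into the pod spec as a plain env `value`, so anyone who can read the Deployment or the rendered manifests can read the credential; sourcing it through `valueFrom.secretKeyRef` from a Secret would keep it out of the manifest. The value is also unquoted, so a password containing `#` or `: ` renders as truncated or invalid YAML; at minimum use `value: {{ printf "%s/%s" .app.harness.database.user .app.harness.database.pass | quote }}`. The official image documents this variable as `NEO4J_AUTH` and environment names are case-sensitive, so confirm the mixed-case spelling is honoured by the `neo4j:5` image. The enclosing template block starts outside the hunk.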
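Review bot: With `expose` set, the database Service becomes `type: LoadBalancer` with no `loadBalancerSourceRanges`, so on most clusters the database port is reachable from any address. The docs in this commit list `dbms_security_auth_enabled: "false"` as the Neo4j default and the chart ships default credentials, so an exposed instance may accept unauthenticated or trivially authenticated connections. Consider rendering `loadBalancerSourceRanges` from a values list and failing the template when `expose` is true but that list is empty. The same flag is described in value-template.yaml as "with ingress", although no Ingress is created; `# -- expose the database port through a LoadBalancer Service (development only)` would describe what the template does. The Service definition starts outside this hunk.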
@@ -35,6 +35,9 @@ harness: `image_ref`: Optional setting, used for referencing a base/static image from the build. The complete image name with tag will automagically being generated from the values.yaml file. This setting overrides the `image` setting specific for the database type (e.g. postgres/image). Note: the referenced image must be included as a build dependency in order to be built by the pipelines. +`expose`: This option allows you to expose the database port through a load balancer. +Do not use on production! + ### Specific database settings @@ -91,7 +94,24 @@ harness #### Neo4j -Not yet supported! +Defaults: +```yaml +harness + database: + neo4j: + dbms_security_auth_enabled: "false" + image: neo4j:5 + memory: + heap: { initial: 64M, max: 128M } + pagecache: { size: 64M } + size: 256M + ports: + - { name: http, port: 7474 } + - { name: bolt, port: 7687 } +``` + +Not that the default resource values are not optimized and increasing the default memory is recommended for production. +Mapping memory configuration with Kubernetes resource requests is also recommended. ## Programmatic API