Add SAPL chart v0.3.0 - set podSecurityContext

4 weeks ago · b17c303c61
17 changed files with 836 additions and 0 deletions
--- a/charts/sapl/v0.3.0/Chart.lock
+++ b/charts/sapl/v0.3.0/Chart.lock
@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 9.8.4
+digest: sha256:3971751901a998e73edfb56f21e48287bd4c3f9ce1351cd4f73c8d5070bd60ac
+generated: "2020-10-16T15:51:42.303487-03:00"
--- a/charts/sapl/v0.3.0/Chart.yaml
+++ b/charts/sapl/v0.3.0/Chart.yaml
@ -0,0 +1,24 @@
+apiVersion: v2
+name: sapl
+description: Sistema de Apoio ao Processo Legislativo (SAPL)
+
+# A chart can be either an 'application' or a 'library' chart.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.3.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 3.1.164-RC5
+
+icon: https://git.interlegis.leg.br/SEIT/rancher-charts/raw/master/images/sapl.png
+
+dependencies:
+- name: postgresql
+  version: 9.8.4
+  repository: https://charts.bitnami.com/bitnami
+  condition: postgresql.internal
--- a/charts/sapl/v0.3.0/app-readme.md
+++ b/charts/sapl/v0.3.0/app-readme.md
@ -0,0 +1,3 @@
+# Sistema de Apoio ao Processo Legislativo
+
+Utilize o formulário abaixo para configurar seu SAPL.
--- a/charts/sapl/v0.3.0/charts/postgresql-9.8.4.tgz
+++ b/charts/sapl/v0.3.0/charts/postgresql-9.8.4.tgz
--- a/charts/sapl/v0.3.0/questions.yaml
+++ b/charts/sapl/v0.3.0/questions.yaml
@ -0,0 +1,196 @@
+labels:
+  io.cattle.role: project
+categories:
+- Processo Legislativo
+questions:
+# Informações Básicas
+- variable: sapl.hostname
+  default: "sapl.teste.df.leg.br"
+  description: "Endereço para acesso ao SAPL"
+  label: "URL do SAPL"
+  type: string
+  group: Básico
+  required: true
+- variable: sapl.adminEmail
+  default: "contato@admin.email"
+  description: "E-mail de contato do SAPL"
+  label: Contato
+  type: string
+  group: Básico
+  required: true
+- variable: sapl.adminPassword
+  default: "altereme"
+  description: "Senha do usuário administrativo do SAPL"
+  label: Senha Admin
+  type: password
+  group: Básico
+  required: true
+
+# Ingress
+- variable: ingress.tls.enabled
+  default: true
+  type: boolean
+  description: "Habilitar criptografia do protocolo HTTP (HTTPS)?"
+  label: "Habilitar TLS?"
+  required: false
+  group: Ingress
+  show_subquestion_if: true
+  subquestions:
+    - variable: ingress.tls.provider
+      default: letsencrypt
+      type: enum
+      description: "Qual provedor de certificados utilizar?"
+      label: "Provedor de certificados"
+      required: false
+      group: Ingress
+      options:
+        - letsencrypt
+        - aws
+
+- variable: ingress.class
+  default: nginx
+  type: enum
+  description: "Qual o Ingress Controller?"
+  label: "Classe Ingress"
+  required: false
+  group: Ingress
+  options:
+    - nginx
+    - alb
+
+# Correio
+- variable: sapl.emailSendUser
+  default: "no-reply@interlegis.leg.br"
+  description: "Remetente dos e-mails enviados pelo SAPL"
+  label: "Remetente"
+  type: string
+  group: Correio
+  required: false
+- variable: sapl.useTls
+  default: "False"
+  description: "Usar TLS ao conectar no servidor SMTP?"
+  label: "Usar TLS"
+  type: enum
+  group: Correio
+  options: 
+    - "True"
+    - "False"
+  required: false
+- variable: sapl.emailPort
+  default: 25
+  description: "Porta de envio de E-mail (SMTP)"
+  type: int
+  label: "Porta SMTP"
+  required: false
+  group: Correio
+- variable: sapl.emailHost
+  default: "smtp.interlegis.leg.br"
+  description: "Servidor de envio de e-mail (SMTP)"
+  label: "Servidor SMTP"
+  type: string
+  group: Correio
+  required: false
+
+# Solr
+- variable: sapl.useSolr
+  default: "True"
+  description: "Usar Solr para indexação de documentos?"
+  label: "Usar Solr?"
+  type: enum
+  group: Solr
+  options:
+    - "True"
+    - "False"
+  required: true
+- variable: sapl.solrCollection
+  default: "sapl"
+  description: "Nome da coleção do Solr"
+  label: "Coleção"
+  type: string
+  group: Solr
+  required: false
+- variable: sapl.solrUrl
+  default: "http://solr:8983"
+  description: "URL de conexão ao Solr"
+  label: "URL Solr"
+  type: string
+  group: Solr
+  required: true
+- variable: sapl.solrNumShards
+  default: 1
+  description: "Número de Shards do Solr"
+  label: "Shards"
+  type: int
+  group: Solr
+  required: false
+- variable: sapl.solrReplFactor
+  default: 2
+  description: "Fator de replicação do Solr"
+  label: "ReplFactor"
+  type: int
+  group: Solr
+  required: false
+- variable: sapl.solrMaxShardsPerNode
+  default: 1
+  description: "Número máximo de Shards por nó Solr"
+  label: "MaxShardsPerNode"
+  type: int
+  group: Solr
+  required: false
+
+# PostgreSQL
+- variable: postgresql.internal
+  default: true
+  description: "Fazer o deploy do Postgres?"
+  label: "Postgres Interno?"
+  type: boolean
+  group: PostgreSQL
+  required: false
+- variable: postgresql.postgresqlPassword
+  default: "altereme"
+  description: "Senha do banco de dados Postgres"
+  label: "Senha do Postgres"
+  type: password
+  group: PostgreSQL
+  required: true 
+
+# Avançado
+- variable: sapl.debug
+  default: "False"
+  description: "Habilitar mensagens de Debug?"
+  label: "Debug?"
+  type: enum
+  group: Avançado
+  options:
+    - "True"
+    - "False"
+- variable: sapl.timeZone
+  default: "America/Sao_Paulo"
+  description: "Fuso Horário do SAPL"
+  type: enum
+  label: "Fuso"
+  options:
+    - "America/Sao_Paulo"
+    - "America/Fortaleza"
+    - "America/Belem"
+    - "America/Araguaina"
+    - "America/Bahia"
+    - "America/Boa_Vista"
+    - "America/Campo_Grande"
+    - "America/Cuiaba"
+    - "America/Maceio"
+    - "America/Manaus"
+    - "America/Porto_Velho"
+    - "America/Recife"
+    - "America/Rio_Branco"
+    - "America/Sao_Paulo"
+  required: true
+  group: Avançado
+
+- variable: velero.backup.enabled
+  default: true
+  type: boolean
+  label: "Habilitar backup com Velero?"
+  description: "Criar ou não os objetos para backup com o Velero."
+  required: false
+  group: Avançado
--- a/charts/sapl/v0.3.0/templates/NOTES.txt
+++ b/charts/sapl/v0.3.0/templates/NOTES.txt
@ -0,0 +1,10 @@
+1. Seu SAPL pode ser acessado através da URL:
+{{- if .Values.ingress.enabled }}
+  http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.sapl.hostname }}
+{{- end }}
+2. Utilize as seguintes credenciais para acesso inicial:
+   Usuario: admin
+   Senha: {{ .Values.sapl.adminPassword }}
+3. Usuario de administração do Postgres:
+   Usuario: sapl
+   Senha: {{ .Values.postgresql.postgresqlPassword }}
--- a/charts/sapl/v0.3.0/templates/_helpers.tpl
+++ b/charts/sapl/v0.3.0/templates/_helpers.tpl
@ -0,0 +1,58 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sapl.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sapl.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sapl.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sapl.labels" -}}
+helm.sh/chart: {{ include "sapl.chart" . }}
+{{ include "sapl.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sapl.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sapl.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name for postgresql.
+*/}}
+{{- define "postgresql.fullname" -}}
+{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- a/charts/sapl/v0.3.0/templates/deployment.yaml
+++ b/charts/sapl/v0.3.0/templates/deployment.yaml
@ -0,0 +1,148 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "sapl.fullname" . }}
+  labels:
+    {{- include "sapl.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "sapl.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "sapl.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          env:
+            - name: DATABASE_URL
+              value: {{ printf "postgresql://%s:%s@%s:5432/%s" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword (include "postgresql.fullname" .) .Values.postgresql.postgresqlDatabase| quote }}
+            - name: ADMIN_PASSWORD
+              value: "{{ .Values.sapl.adminPassword }}"
+            - name: ADMIN_EMAIL
+              value: "{{ .Values.sapl.adminEmail }}"
+            - name: EMAIL_SEND_USER
+              value: "{{ .Values.sapl.emailSendUser }}"
+            - name: DEBUG
+              value: "{{ .Values.sapl.debug }}"
+            - name: USE_TLS
+              value: "{{ .Values.sapl.useTls }}"
+            - name: EMAIL_PORT
+              value: "{{ .Values.sapl.emailPort }}"
+            - name: EMAIL_HOST
+              value: "{{ .Values.sapl.emailHost }}"
+            - name: TZ
+              value: "{{ .Values.sapl.timeZone }}"
+            - name: USE_SOLR
+              value: "{{ .Values.sapl.useSolr }}"
+            - name: SOLR_COLLECTION
+              value: "{{ .Values.sapl.solrCollection }}"
+            - name: SOLR_URL
+              value: "{{ .Values.sapl.solrUrl }}"
+            - name: NUM_SHARDS
+              value: "{{ .Values.sapl.solrNumShards }}"
+            - name: RF
+              value: "{{ .Values.sapl.solrReplFactor }}"
+            - name: MAX_SHARDS_PER_NODE
+              value: "{{ .Values.sapl.solrMaxShardsPerNode }}"
+          volumeMounts:
+            - mountPath: /var/interlegis/sapl/data
+              name: data
+            - mountPath: /var/interlegis/sapl/media
+              name: media
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 60
+            failureThreshold: 3
+            periodSeconds: 60
+            successThreshold: 1
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 60
+            failureThreshold: 3
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5      
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+      - name: data
+        secret:
+          defaultMode: 440
+          secretName: {{ include "sapl.fullname" . }}-secretkey
+      - name: media
+      {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ include "sapl.fullname" . }}-media
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      affinity:
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          {{- if eq .Values.persistence.accessMode "ReadWriteOnce" }}
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                    - {{ include "sapl.name" . }}
+                  - key: app.kubernetes.io/instance
+                    operator: In
+                    values:
+                    - {{ .Release.Name }}
+                topologyKey: kubernetes.io/hostname
+          {{- end }}
+            - weight: 50
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                    - postgresql
+                  - key: app.kubernetes.io/instance
+                    operator: In
+                    values:
+                    - {{ .Release.Name }}
+                topologyKey: kubernetes.io/hostname
+      {{- with .Values.affinity }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/charts/sapl/v0.3.0/templates/hpa.yaml
+++ b/charts/sapl/v0.3.0/templates/hpa.yaml
@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "sapl.fullname" . }}
+  labels:
+    {{- include "sapl.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "sapl.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+  {{- end }}
+  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+  {{- end }}
+{{- end }}
--- a/charts/sapl/v0.3.0/templates/ingress.yaml
+++ b/charts/sapl/v0.3.0/templates/ingress.yaml
@ -0,0 +1,69 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "sapl.fullname" . -}}
+{{- $hostName := .Values.sapl.hostname -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "sapl.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.ingress.tls.enabled }}
+    # USE TLS
+    {{- if contains "letsencrypt" .Values.ingress.tls.provider }}
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    {{- end }}
+    {{- if contains "alb" .Values.ingress.class }}
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+    {{- end }}
+  {{- else }}
+    # DO NOT USE TLS
+    {{- if contains "alb" .Values.ingress.class }}
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
+    {{- end }}
+  {{- end }}
+  {{- if contains "alb" .Values.ingress.class }}
+    alb.ingress.kubernetes.io/group.name: sapl
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    kubernetes.io/ingress.class: alb
+  {{- end }}
+  {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - "{{ $hostName }}"
+      secretName: {{ $hostName | replace "." "-" }}-tls
+  {{- end }}
+  rules:
+    - host: "{{ $hostName }}"
+      http:
+        paths:
+          {{- if contains "nginx" .Values.ingress.class }}
+          - path: /
+          {{- else }}
+          - path: /*
+          {{- end }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: ImplementationSpecific
+          {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: 80
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: http
+              {{- end }}
+{{- end }}
--- a/charts/sapl/v0.3.0/templates/pvc-media.yaml
+++ b/charts/sapl/v0.3.0/templates/pvc-media.yaml
@ -0,0 +1,21 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "sapl.fullname" . }}-media
+  labels:
+    {{- include "sapl.labels" . | nindent 4 }}
+spec:
+  accessModes:
+  - {{ .Values.persistence.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}
--- a/charts/sapl/v0.3.0/templates/secretkey.yaml
+++ b/charts/sapl/v0.3.0/templates/secretkey.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "sapl.fullname" . }}-secretkey
+  labels:
+    {{- include "sapl.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if .Release.IsUpgrade }}
+  secret.key:  {{ index (lookup "v1" "Secret" .Release.Namespace (printf "%s-secretkey" (include "sapl.fullname" .))).data "secret.key" }}
+{{ else }} # install operation
+  secret.key: {{ randAscii 50 | b64enc }} 
+{{ end }}
--- a/charts/sapl/v0.3.0/templates/service.yaml
+++ b/charts/sapl/v0.3.0/templates/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "sapl.fullname" . }}
+  labels:
+    {{- include "sapl.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "sapl.selectorLabels" . | nindent 4 }}
--- a/charts/sapl/v0.3.0/templates/velero-schedule-monthly.yaml
+++ b/charts/sapl/v0.3.0/templates/velero-schedule-monthly.yaml
@ -0,0 +1,39 @@
+{{- if .Values.velero.backup.enabled }}
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: {{ include "sapl.fullname" . }}-monthly
+  namespace: {{ .Values.velero.namespace }}
+spec:
+  # generate a random backup time between 1 and 5 AM on first day of every month
+  schedule: {{ mod (randNumeric 2) 60 }} {{ mod (randNumeric 1) 6 }} 1 * *
+  template:
+    includedNamespaces:
+    - {{ .Release.Namespace }}
+    {{- with .Values.velero.backup.excludedResources }}
+    excludedResources:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    snapshotVolumes: false
+    # every monthly backup is good for the 6 months (~180 days)
+    ttl: 4380h0m0s
+    defaultVolumesToFsBackup: true
+    hooks:
+      resources:
+      - name: pgdump
+        includedResources:
+          - pods
+        labelSelector:
+          matchLabels:
+              app.kubernetes.io/instance: {{ .Release.Name }}
+              app.kubernetes.io/name: postgresql
+        pre:
+          - exec:
+              command: 
+                - "/bin/bash"
+                - "-c"
+                - "PGPASSWORD=$POSTGRES_PASSWORD /opt/bitnami/postgresql/bin/pg_dump -U sapl -d sapl > /bitnami/postgresql/sapl.dump" 
+              timeout: 360s
+              onError: Continue
+  useOwnerReferencesInBackup: false
+{{- end }}
--- a/charts/sapl/v0.3.0/templates/velero-schedule-weekdays.yaml
+++ b/charts/sapl/v0.3.0/templates/velero-schedule-weekdays.yaml
@ -0,0 +1,39 @@
+{{- if .Values.velero.backup.enabled }}
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: {{ include "sapl.fullname" . }}-weekdays
+  namespace: {{ .Values.velero.namespace }}
+spec:
+  # generate a random backup time between 1 and 5 AM on weekdays
+  schedule: {{ mod (randNumeric 2) 60 }} {{ mod (randNumeric 1) 6 }} * * MON,WED,FRI
+  template:
+    includedNamespaces:
+    - {{ .Release.Namespace }}
+    {{- with .Values.velero.backup.excludedResources }}
+    excludedResources:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    snapshotVolumes: false
+    # every weekday backup is good for the next week (7 days)
+    ttl: 168h0m0s
+    defaultVolumesToFsBackup: true
+    hooks:
+      resources:
+      - name: pgdump
+        includedResources:
+          - pods
+        labelSelector:
+          matchLabels:
+              app.kubernetes.io/instance: {{ .Release.Name }}
+              app.kubernetes.io/name: postgresql
+        pre:
+          - exec:
+              command: 
+                - "/bin/bash"
+                - "-c"
+                - "PGPASSWORD=$POSTGRES_PASSWORD /opt/bitnami/postgresql/bin/pg_dump -U sapl -d sapl > /bitnami/postgresql/sapl.dump" 
+              timeout: 360s
+              onError: Continue
+  useOwnerReferencesInBackup: false
+{{- end }}
--- a/charts/sapl/v0.3.0/templates/velero-schedule-weekly.yaml
+++ b/charts/sapl/v0.3.0/templates/velero-schedule-weekly.yaml
@ -0,0 +1,39 @@
+{{- if .Values.velero.backup.enabled }}
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: {{ include "sapl.fullname" . }}-weekly
+  namespace: {{ .Values.velero.namespace }}
+spec:
+  # generate a random backup time between 1 and 5 AM on sunday
+  schedule: {{ mod (randNumeric 2) 60 }} {{ mod (randNumeric 1) 6 }} * * 0
+  template:
+    includedNamespaces:
+    - {{ .Release.Namespace }}
+    {{- with .Values.velero.backup.excludedResources }}
+    excludedResources:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    snapshotVolumes: false
+    # every sunday backup is good for 30 days (aprox. 1 month)
+    ttl: 744h0m0s
+    defaultVolumesToFsBackup: true
+    hooks:
+      resources:
+      - name: pgdump
+        includedResources:
+          - pods
+        labelSelector:
+          matchLabels:
+              app.kubernetes.io/instance: {{ .Release.Name }}
+              app.kubernetes.io/name: postgresql
+        pre:
+          - exec:
+              command: 
+                - "/bin/bash"
+                - "-c"
+                - "PGPASSWORD=$POSTGRES_PASSWORD /opt/bitnami/postgresql/bin/pg_dump -U sapl -d sapl > /bitnami/postgresql/sapl.dump" 
+              timeout: 360s
+              onError: Continue
+  useOwnerReferencesInBackup: false
+{{- end }}
--- a/charts/sapl/v0.3.0/values.yaml
+++ b/charts/sapl/v0.3.0/values.yaml
@ -0,0 +1,128 @@
+# Default values for sapl.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: porto.interlegis.leg.br/spdt/sapl
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext:
+  fsGroup: 101    # GID for the volume (nginx group)
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+persistence:
+  enabled: true
+  #storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 2Gi
+
+sapl:
+  adminPassword: altereme
+  adminEmail: contato@tecnico.net
+  emailSendUser: no-reply@domain.net
+  debug: 'False'
+  useTls: 'False'
+  emailPort: 25
+  emailHost: smtp.domain.net
+  timeZone: 'America/Sao_Paulo'
+  useSolr: 'True'
+  solrCollection: 'sapl'
+  solrUrl: 'http://localhost:8983'
+  solrNumShards: 1
+  solrReplFactor: 2
+  solrMaxShardsPerNode: 1
+  hostname: 'sapl.domain.net'
+
+ingress:
+  enabled: true
+  class: nginx
+  # nginx - for default nginx ingress controller
+  # alb - for AWS ALB Load Balancer controller
+  tls:
+    enabled: true
+    provider: letsencrypt
+  # extra annotations only
+  annotations: {}
+
+velero:
+  namespace: velero
+  backup:
+    enabled: true
+    # cert-manager objects are usually blocked during backup
+    excludedResources: 
+      - certificates.cert-manager.io
+      - orders.acme.cert-manager.io
+      - certificaterequests.cert-manager.io
+      - challenges.acme.cert-manager.io
+
+postgresql:
+  internal: true
+  image:
+    repository: porto.interlegis.leg.br/bitnami/postgresql
+    tag: 9.6.23-debian-10-r61
+    pullPolicy: IfNotPresent
+  service:
+    type: ClusterIP
+    port: 5432
+  persistence:
+    enabled: true
+    size: 1Gi
+  postgresqlPassword: altereme
+  postgresqlUsername: sapl
+  postgresqlDatabase: sapl
+  resources:
+    requests:
+      cpu: 40m
+      memory: 64Mi
+
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+  requests:
+    cpu: 35m
+    memory: 500Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}