Helm chart

NOTICE

@@ -0,0 +1,52 @@
+-------------------------------------------------------------------------------
+Crown Copyright and Upstream Licensing
+Droit d'auteur de la Couronne et licences en amont
+-------------------------------------------------------------------------------
+
+English
+
+Contributions produced by GC and submitted to upstream open-source application
+repositories are provided under the licence of the upstream repository, in
+accordance with its contribution and governance model.
+
+Notwithstanding the above, Crown copyright is retained for the portions of code
+authored by public servants, in the form and state in which those contributions
+are submitted.
+
+This retention does not restrict or alter the rights granted to users under the
+applicable upstream open-source licence.
+
+Français
+
+Les contributions produites par le GC et soumises à des dépôts d'applications
+open source en amont sont diffusées sous la licence du dépôt en amont,
+conformément à ses règles de contribution et de gouvernance.
+
+Nonobstant ce qui précède, le droit d'auteur de la Couronne est conservé pour
+les portions de code rédigées par des fonctionnaires, dans la forme et l'état
+dans lesquels ces contributions sont soumises.
+
+Cette conservation n'a pas pour effet de restreindre ou de modifier les droits
+accordés aux utilisateurs par la licence open source en amont applicable.
+
+-------------------------------------------------------------------------------
+
+English
+
+Portions of this code were authored by the Government of Canada. These
+components, in the form contributed by the GC, are © His Majesty the King in
+Right of Canada, as represented by the Department of Agriculture and Agri-Food
+Canada. This attribution does not modify or replace the applicable licence,
+does not affect permissions, conditions, or disclaimers, and does not
+constitute an endorsement by the Government of Canada of the software, the
+repository, or any deployed application.
+
+Français
+
+Certaines portions de ce code ont été rédigées par le gouvernement du Canada.
+Ces composantes, dans la forme contribuée par le GC, sont © Sa Majesté le Roi
+du chef du Canada, représenté par le ministère de l'Agriculture et
+Agroalimentaire Canada. Cette mention ne modifie ni ne remplace la licence
+applicable, n'affecte pas les autorisations, conditions ou limitations de
+responsabilité, et ne constitue pas une approbation du logiciel, du dépôt ou
+des applications déployées par le gouvernement du Canada.

helm/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: resourcespace
+description: >
+  Helm chart for deploying ResourceSpace (DAM) on OpenShift with
+  an in-cluster MariaDB StatefulSet
+type: application
+version: 0.1.0
+appVersion: "10.7"
+keywords:
+  - resourcespace
+  - dam
+  - media
+sources:
+  - https://github.com/resourcespace/docker
+maintainers:
+  - name: your-team

helm/LICENSE

@@ -0,0 +1,40 @@
+MIT License
+
+© His Majesty the King in Right of Canada, as represented by the Minister of
+Agriculture and Agri-Food Canada, 2026.
+
+© Sa Majesté le Roi du chef du Canada, représentée par le ministre de
+l'Agriculture et Agroalimentaire Canada, 2026.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+-------------------------------------------------------------------------------
+
+English
+
+Deployed applications are obtained from their respective upstream projects and
+are governed by their own, separate licenses, including but not limited to
+permissive, copyleft (GPL/AGPL), and proprietary licenses.
+
+Français
+
+Les applications déployées sont obtenues à partir de leurs projets amont
+respectifs et sont régies par leurs propres licences distinctes, y compris,
+sans s'y limiter, des licences permissives, à copyleft (GPL/AGPL) et
+propriétaires.

helm/README.md

@@ -0,0 +1,146 @@
+# ResourceSpace Helm Chart
+
+Deploys [ResourceSpace](https://www.resourcespace.com/) (Digital Asset Management) on
+OpenShift with:
+
+- **ResourceSpace** web app as a Kubernetes `Deployment`
+- **MariaDB** as an in-cluster `StatefulSet`
+- **External NFS storage** for both the filestore and MariaDB data
+- **OpenShift Route** with edge TLS termination
+
+---
+
+## Prerequisites
+
+| Requirement | Notes |
+|---|---|
+| OpenShift 4.x | Tested on 4.12+ |
+| Helm 3.x | `helm version` |
+| `oc` CLI logged in | `oc whoami` |
+
+---
+
+## Image Build
+ResourceSpace does not publish a pre-built image. The image must be built from the official source repository and pushed to an internal registry
+### Source
+```bash
+git clone git@github.com:resourcespace/docker.git # for SSH clone
+cd docker
+```
+### OpenShift Modifications
+The upstream image runs apache on port 80 as root, which OpenShift's `restricted-v2` SSC does not permit. Three files should be added/modified before building:
+`ports.conf` - Tells Apache to listen on port 8080 instead:
+```bash
+Listen 8080
+```
+`000-default.conf` - vhost on port 8080 with correct directory permissions:
+```bash
+ServerName resourcespace
+
+<VirtualHost *:8080>
+    DocumentRoot /var/www/html
+
+    <Directory /var/www/>
+        Options FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    ErrorLog ${APACHE_LOG_DIR}/error.log
+    CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
+```
+`entrypoint.sh` - skips cron (no `/var/run` write access), redirects apache runtime files to `/tmp` which is writable by any UID:
+```bash
+#!/bin/bash
+set -e
+
+mkdir -p /tmp/apache2/run /tmp/apache2/lock /tmp/apache2/log
+export APACHE_RUN_DIR=/tmp/apache2/run
+export APACHE_LOCK_DIR=/tmp/apache2/lock
+export APACHE_LOG_DIR=/tmp/apache2/log
+export APACHE_PID_FILE=/tmp/apache2/run/apache2.pid
+
+exec apachectl -D FOREGROUND
+```
+`Dockerfile` - additions to upstream:
+```bash
+# Replace Apache configs before the SVN checkout
+COPY ports.conf         /etc/apache2/ports.conf
+COPY 000-default.conf   /etc/apache2/sites-enabled/000-default.conf
+
+# Make runtime dirs world-writable for arbitrary UID
+RUN mkdir -p /var/run/apache2 /var/lock/apache2 /var/log/apache2 \
+    && chmod -R 777 /var/run/apache2 /var/lock/apache2 /var/log/apache2 \
+    && chmod -R 777 /var/www/html
+
+EXPOSE 8080
+```
+### Build and Push
+```bash
+docker build -t <your registry>/<your repository>:<tag> .
+docker push <your registry>/<your repository>:<tag>
+```
+
+## Helm Chart
+### Config before deploying
+In `values.yaml`:
+```yaml
+resourcespace:
+  image: <your-image-registry>/<image-repository>
+  tag: <image-tag>
+  pullPolicy:
+
+  hostname: <your-application-hostname> # Example: resourcespace.apps.mycluster.example.com
+mariadb:
+  auth:
+    rootPassword: "<secure-password>"
+    database: "resourcespace"
+    username: "resourcespace"
+    password: "<secure-password>"
+```
+### Install
+```bash
+oc new-project <namespace> # skip if namespace already exists
+helm install resourcespace . -n <namespace> # run in dir where values.yaml is
+```
+
+### Upgrade
+```bash
+helm upgrade resourcespace . -n <namespace> # also where values.yaml is
+```
+
+### Uninstall
+```bash
+helm uninstall resourcespace -n <namespace>
+```
+
+## Run Setup Wizard
+On first deployment, navigating to the route URL shows the ResourceSpace setup wizard
+### Known Issue - Base URL Check
+The wizard validates the base URL by fetching `license.txt` from it. This fails when using the public route URL because the pod cannot route back to itself through the external ingress. **Workaround:** Enter the internal service URL during setup:
+```
+http://resourcespace
+```
+### Database Settings
+| Field | Value |
+|---|---|
+| MySQL server | `resourcespace-mariadb |
+| MySQL port | `3306` |
+| MySQL database | values of `mariadb.auth.database` |
+| MySQL username | values of `mariadb.auth.username` |
+| MySQL password | values of `mariadb.auth.password` |
+| MySQL binary path | (leave empty) |
+| Filestore path | `/var/www/htlm/filestore` |
+
+### Fix Base URL after setup
+After completing the wizard, the internal URL will have been written to `config.php`. Fix it to the public route URL:
+```bash
+oc exec -n <namespace> deployment/resourcespace -- \
+  sed -i "s|<Route-URL>|g" \
+  /var/www/html/include/config.php
+
+# Verify
+oc exec -n <namespace> deployment/resourcespace -- \
+  grep baseurl /var/www/html/include/config.php
+```