cmu-sei · sei-mpriest · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025
diff --git a/charts/osticket/Chart.lock b/charts/osticket/Chart.lock
diff --git a/charts/osticket/Chart.yaml b/charts/osticket/Chart.yaml
@@ -15,11 +15,16 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.17.6
+version: 1.17.7
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.17.5"
 
+dependencies:
+  - name: mysql
+    version: 0.0.0
+    condition: mysql.enabled
+
diff --git a/charts/osticket/charts/mysql/Chart.lock b/charts/osticket/charts/mysql/Chart.lock
diff --git a/charts/osticket/charts/mysql/Chart.yaml b/charts/osticket/charts/mysql/Chart.yaml
@@ -2,12 +2,6 @@ annotations:
   category: Database
 apiVersion: v2
 appVersion: 8.0.30
-dependencies:
-- name: common
-  repository: https://charts.bitnami.com/bitnami
-  tags:
-  - bitnami-common
-  version: 2.x.x
 description: MySQL is a fast, reliable, scalable, and easy to use open source relational
   database system. Designed to handle mission-critical, heavy-load production applications.
 home: https://github.com/bitnami/charts/tree/master/bitnami/mysql
@@ -25,4 +19,4 @@ name: mysql
 sources:
 - https://github.com/bitnami/containers/tree/main/bitnami/mysql
 - https://mysql.com
-version: 9.3.4
+version: 0.0.0
diff --git a/charts/osticket/charts/mysql/README.md b/charts/osticket/charts/mysql/README.md
@@ -302,12 +302,6 @@ The command removes all the Kubernetes components associated with the chart and
 | Name                                  | Description                                                                                                                       | Value                   |
 | ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
 | `volumePermissions.enabled`           | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`              | `false`                 |
-| `volumePermissions.image.registry`    | Init container volume-permissions image registry                                                                                  | `docker.io`             |
-| `volumePermissions.image.repository`  | Init container volume-permissions image repository                                                                                | `bitnami/bitnami-shell` |
-| `volumePermissions.image.tag`         | Init container volume-permissions image tag (immutable tags are recommended)                                                      | `11-debian-11-r32`      |
-| `volumePermissions.image.digest`      | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""`                    |
-| `volumePermissions.image.pullPolicy`  | Init container volume-permissions image pull policy                                                                               | `IfNotPresent`          |
-| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array                                                                                  | `[]`                    |
 | `volumePermissions.resources`         | Init container volume-permissions resources                                                                                       | `{}`                    |
 
 

diff --git a/charts/osticket/charts/mysql/templates/_helpers.tpl b/charts/osticket/charts/mysql/templates/_helpers.tpl
@@ -26,18 +26,11 @@ Return the proper metrics image name
 {{- include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
 {{- end -}}
 
-{{/*
-Return the proper image name (for the init container volume-permissions image)
-*/}}
-{{- define "mysql.volumePermissions.image" -}}
-{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
-{{- end -}}
-
 {{/*
 Return the proper Docker Image Registry Secret Names
 */}}
 {{- define "mysql.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image) "global" .Values.global) }}
 {{- end -}}
 
 {{/*
@@ -144,7 +137,6 @@ otherwise it generates a random value.
 {{- define "mysql.checkRollingTags" -}}
 {{- include "common.warnings.rollingTag" .Values.image }}
 {{- include "common.warnings.rollingTag" .Values.metrics.image }}
-{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
 {{- end -}}
 
 {{/*
@@ -159,3 +151,11 @@ Compile all warnings into a single message, and call fail.
 {{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Subpath prefix value to use for pvc mount points
+*/}}
+{{- define "mysql.subpathPrefix" -}}
+{{- $path := default (include "mysql.primary.fullname" .) .Values.primary.persistence.overrideSubpathPrefix -}}
+{{- ternary ($path | printf "%s/" ) "" .Values.primary.persistence.existingSubpathPrefix -}}
+{{- end }}
diff --git a/charts/osticket/charts/mysql/templates/configmap.yaml b/charts/osticket/charts/mysql/templates/configmap.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.names.fullname" . }}-scripts
+data:
+  vol-permissions.sh: |-
+{{- include "vol-permissions" . | nindent 4 }}
diff --git a/charts/osticket/charts/mysql/templates/primary/statefulset.yaml b/charts/osticket/charts/mysql/templates/primary/statefulset.yaml
@@ -73,15 +73,8 @@ spec:
       initContainers:
         {{- if and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled }}
         - name: volume-permissions
-          image: {{ include "mysql.volumePermissions.image" . }}
-          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
-          command:
-            - /bin/bash
-            - -ec
-            - |
-              mkdir -p "/bitnami/mysql"
-              chown "{{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}" "/bitnami/mysql"
-              find "/bitnami/mysql" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R "{{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}"
+          image: bash
+          command: ["bash", "-c", "/mnt/scripts/vol-permissions.sh /bitnami/mysql" ]
           securityContext:
             runAsUser: 0
           {{- if .Values.volumePermissions.resources }}
@@ -90,6 +83,12 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /bitnami/mysql
+              {{- if include "mysql.subpathPrefix" . }}
+              subPath: {{ include "mysql.subpathPrefix" . | trimSuffix "/" }}
+              {{- end }}
+            - name: volume-permissions-scripts
+              mountPath: /mnt/scripts/vol-permissions.sh
+              subPath: vol-permissions.sh
         {{- end }}
         {{- if .Values.primary.initContainers }}
         {{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }}
@@ -233,6 +232,9 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /bitnami/mysql
+              {{- if include "mysql.subpathPrefix" . }}
+              subPath: {{ include "mysql.subpathPrefix" . | trimSuffix "/" }}
+              {{- end }}
             {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
             - name: custom-init-scripts
               mountPath: /docker-entrypoint-initdb.d
@@ -332,6 +334,10 @@ spec:
                 path: mysql-replication-password
               {{- end }}
         {{- end }}
+        - name: volume-permissions-scripts
+          configMap:
+            name:  {{ include "common.names.fullname" . }}-scripts
+            defaultMode: 0755
         {{- if .Values.primary.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

diff --git a/charts/osticket/charts/mysql/templates/scripts/vol-permissions.tpl b/charts/osticket/charts/mysql/templates/scripts/vol-permissions.tpl
@@ -0,0 +1,16 @@
+{{- define "vol-permissions" }}
+#!/bin/bash
+
+DIR="${1}"
+USER_ID="${2:-1001}"
+GROUP_ID="${3:-1001}"
+
+echo "Checking and updating ownership in: $DIR for UID:GID = $USER_ID:$GROUP_ID"
+
+if find "$DIR" \( \! -user "$USER_ID" -o \! -group "$GROUP_ID" \) -exec chown "$USER_ID:$GROUP_ID" {} +; then
+    echo "Ownership check/update completed successfully."
+else
+    echo "Error: Failed to update file ownership."
+    exit 1
+fi
+{{- end }}
diff --git a/charts/osticket/charts/mysql/values.yaml b/charts/osticket/charts/mysql/values.yaml
@@ -16,6 +16,9 @@ global:
   imagePullSecrets: []
   storageClass: ""
 
+## Flag indicating whether this subchart should be included or not
+enabled: true
+
 ## @section Common parameters
 
 ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
@@ -73,7 +76,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnamilegacy/mysql
-  tag: 8.0.30-debian-11-r15
+  tag: "8.0.30-debian-11-r15" #  "5.7.43" is the latest tag for mysql v5
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -180,12 +183,12 @@ primary:
     explicit_defaults_for_timestamp
     basedir=/opt/bitnami/mysql
     plugin_dir=/opt/bitnami/mysql/lib/plugin
+    bind_address=0.0.0.0
     port=3306
     socket=/opt/bitnami/mysql/tmp/mysql.sock
     datadir=/bitnami/mysql/data
     tmpdir=/opt/bitnami/mysql/tmp
     max_allowed_packet=16M
-    bind-address=*
     pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
     log-error=/opt/bitnami/mysql/logs/mysqld.log
     character-set-server=UTF8
@@ -358,10 +361,10 @@ primary:
   ##
   startupProbe:
     enabled: true
-    initialDelaySeconds: 15
+    initialDelaySeconds: 45
     periodSeconds: 10
     timeoutSeconds: 1
-    failureThreshold: 10
+    failureThreshold: 20
     successThreshold: 1
   ## @param primary.customLivenessProbe Override default liveness probe for MySQL primary containers
   ##
@@ -402,6 +405,9 @@ primary:
     ## NOTE: When it's set the rest of persistence parameters are ignored
     ##
     existingClaim: ""
+
+    overrideSubpathPrefix: ""
+    existingSubpathPrefix: false  # If true, then volume mounts will use mysql.primary.fullname as a subpath prefix.
     ## @param primary.persistence.storageClass MySQL primary persistent volume storage Class
     ## If defined, storageClassName: <storageClass>
     ## If set to "-", storageClassName: "", which disables dynamic provisioning
@@ -944,27 +950,7 @@ volumePermissions:
   ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
   ##
   enabled: false
-  ## @param volumePermissions.image.registry Init container volume-permissions image registry
-  ## @param volumePermissions.image.repository Init container volume-permissions image repository
-  ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
-  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
-  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
-  ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
   ##
-  image:
-    registry: docker.io
-    repository: bitnami/bitnami-shell
-    tag: 11-debian-11-r32
-    digest: ""
-    pullPolicy: IfNotPresent
-    ## Optionally specify an array of imagePullSecrets.
-    ## Secrets must be manually created in the namespace.
-    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-    ## e.g:
-    ## pullSecrets:
-    ##   - myRegistryKeySecretName
-    ##
-    pullSecrets: []
   ## @param volumePermissions.resources Init container volume-permissions resources
   ##
   resources: {}
@@ -986,7 +972,7 @@ metrics:
   ##
   image:
     registry: docker.io
-    repository: bitnami/mysqld-exporter
+    repository: bitnamilegacy/mysqld-exporter
     tag: 0.14.0-debian-11-r33
     digest: ""
     pullPolicy: IfNotPresent

diff --git a/charts/osticket/templates/_helpers.tpl b/charts/osticket/templates/_helpers.tpl
@@ -60,3 +60,14 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Default mysql host value
+*/}}
+{{- define "osticket.mysqlHostDefault" -}}
+{{- if .Values.mysql.enabled }}
+{{- include "osticket.fullname" . }}-mysql
+{{- else }}
+{{- printf "%s" "" }}
+{{- end }}
+{{- end }}
diff --git a/charts/osticket/templates/deployment.yaml b/charts/osticket/templates/deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "osticket.name" . }}
+  name: {{ include "osticket.fullname" . }}
   labels:
     {{- include "osticket.labels" . | nindent 4 }}
 spec:
@@ -28,7 +28,7 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ include "osticket.fullname" . }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -38,7 +38,11 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           envFrom:
             - secretRef:
-                name: {{ include "osticket.name" . }}
+                name: {{ include "osticket.fullname" . }}
+          {{- if .Values.existingSecret }}
+            - secretRef:
+                name: {{ (tpl .Values.existingSecret .) }}
+          {{- end }}
           ports:
             - name: http
               containerPort: 80

diff --git a/charts/osticket/templates/ingress.yaml b/charts/osticket/templates/ingress.yaml
@@ -20,7 +20,7 @@ metadata:
     {{- include "osticket.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
@@ -31,14 +31,14 @@ spec:
     {{- range .Values.ingress.tls }}
     - hosts:
         {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ (tpl . $) | quote }}
         {{- end }}
       secretName: {{ .secretName }}
     {{- end }}
   {{- end }}
   rules:
     {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    - host: {{ (tpl .host $) | quote }}
       http:
         paths:
           {{- range .paths }}

diff --git a/charts/osticket/templates/secret.yaml b/charts/osticket/templates/secret.yaml
@@ -7,5 +7,5 @@ metadata:
 type: Opaque
 stringData:
 {{- range $key, $val := .Values.env }}
-  {{ $key }}: {{ $val | quote }}
+  {{ $key }}: {{ (tpl ($val | toString) $) | quote }}
 {{- end }}