Weblate: Template to run weblate on Kubernetes

Would that fit into https://github.com/WeblateOrg/docker repository? I'm definitely not against it.

PS: The Docker setup will change quite a lot soon (hopefully today), see https://github.com/WeblateOrg/docker/pull/13

Yeah, looks like it could work in https://github.com/WeblateOrg/docker, as it should just be some additional YAML files.

After thinking about this for a bit, I'm actually wondering what it might take to run on an even more managed service like Heroku or Google App Engine, though that'd be a separate issue. I'm thinking I might want to work on that first. I want to be as serverless as I can be.

Hi, I would like to help on this, please help me get started, this is my first issue, Thankyou

Hi @HimanshuJanbandhu, I am working on this too on my side.

I created a deployment yaml for weblate, and I try to use the stable charts for Postgresql and redis.

But weblate complains about redis not found. Stuck here.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: weblate-data
  namespace: common
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: default
  resources:
    requests:
      storage: 10Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: redis-data
  namespace: common
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: default
  resources:
    requests:
      storage: 10Gi
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: weblate
  labels:
    app: weblate
  namespace: common
spec:
  replicas: 1
  revisionHistoryLimit: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: weblate
    spec:
      containers:
      - image: weblate/weblate
        name: weblate
        ports:
          - containerPort: 80
            name: http
            protocol: TCP
        env:
        - name: WEBLATE_LOGLEVEL
          value: "debug"
        - name: WEBLATE_SITE_TITLE
          value: "Dekra translations"
        - name: WEBLATE_ADMIN_NAME
          value: "Weblate Admin"
        - name: WEBLATE_ADMIN_EMAIL
          value: "myemail"
        - name: WEBLATE_ADMIN_PASSWORD
          value: "mypwd"
        - name: WEBLATE_SERVER_EMAIL
          value: "myemail"
        - name: WEBLATE_DEFAULT_FROM_EMAIL
          value: "[email protected]"
        - name: WEBLATE_ALLOWED_HOSTS
          value: "*"
        - name: WEBLATE_REGISTRATION_OPEN
          value: "0"
        - name: POSTGRES_HOST
          value: "postgresql-postgresql"
        - name: REDIS_HOST
          value: "redis-master"
        - name: REDIS_PORT
          value: "6379"
        - name: WEBLATE_EMAIL_HOST
          value: 
        - name: WEBLATE_EMAIL_USER
          value: 
        - name: WEBLATE_EMAIL_PASSWORD
          value: 
        resources:
          requests:
            cpu: 10m
            memory: 200Mi
          limits:
            cpu: 100m
            memory: 1Gi
        volumeMounts:
        - mountPath: /app/data
          name: weblate-data
      volumes:
        - name: weblate-data
          persistentVolumeClaim:
           claimName: weblate-data
---
apiVersion: v1
kind: Service
metadata:
  name: weblate
  labels:
    app: weblate
  namespace: common
spec:
  selector:
    app: weblate
  ports:
  - name: http
    port: 80
  type: ClusterIP

helm install stable/redis --namespace common --name redis --set rbac.create=true,password="mypwd",persistence.enabled=true,persistence.existingClaim="redis-data",master.resources.requests.memory=256Mi,master.resources.requests.cpu=10m,master.resources.requests.memory=1Gi,master.resources.requests.cpu=100m,master.persistence.storageClass=default
helm install stable/postgresql --namespace common --name postgresql --set postgresqlUsername=weblate,postgresqlPassword=weblate,postgresqlDatabase=weblate,persistence.storageClass=default,resources.requests.cpu=10m,image.tag=9.6

redis is unavailable - sleeping
-NOAUTH Authentication required.
+OK
redis not running!

redis is expected to run as separate Docker container.

Do we need to set the redis password in a weblate configuration somewhere ? Can't find an env variable for this.

The Weblate docker container is not currently accepting Redis password, that's why it doesn't work. I've drafted how it could work in https://github.com/WeblateOrg/docker/pull/166, testing is welcome.

@nijel I used the new edge build you made 3h ago, and I think including https://github.com/WeblateOrg/docker/pull/166, but I still have the Redis error.

Containers:
  weblate:
    Container ID:   docker://c7f44260dd292f3dd6f55a6c2b96307b7db39a44f613831de447707da9bcc41d
    Image:          weblate/weblate:edge
    Image ID:       docker-pullable://weblate/weblate@sha256:3488748ba9839069f659992aa3f5c2ce5d95ca2a6c7c0dbb74573865efe5a6ee
...
Environment:
      WEBLATE_LOGLEVEL:              debug
      WEBLATE_SITE_TITLE:           Weblate
      WEBLATE_ADMIN_NAME:            Weblate Admin
      WEBLATE_ADMIN_EMAIL:           redated
      WEBLATE_ADMIN_PASSWORD:        redated
      WEBLATE_SERVER_EMAIL:          redated
      WEBLATE_DEFAULT_FROM_EMAIL:    redated
      WEBLATE_ALLOWED_HOSTS:         *
      WEBLATE_REGISTRATION_OPEN:     0
      POSTGRES_HOST:                 postgresql-postgresql
      REDIS_HOST:                    redis-master
      REDIS_PORT:                    6379
      REDIS_PASSWORD:                redated

redis is unavailable - sleeping
-NOAUTH Authentication required.
+OK
redis not running!

redis is expected to run as separate Docker container.

I did only test that it doesn't break the no password case, that's why I've said that testing is welcome :-). Might be caused by using environment which is not supported by the redis-cli version used as it was introduced quite recently in https://github.com/antirez/redis/commit/f24ad5d83140eee04bd1cda8ee19bced0de26c11

PS: If that is really the case, it will get fixed once https://github.com/WeblateOrg/docker/pull/152 is merged, because that brings in more recent redis-cli as well.

Here you can find a working helm chart: https://github.com/denyo/docker-compose/tree/master/k8s
To deploy it simply run helm upgrade weblate ./k8s --install

working, thanks. The usePassword: false did the trick :)

The password should work fine with latest Weblate Docker, I've just merged https://github.com/WeblateOrg/docker/pull/152

Helm chart is available here: https://github.com/WeblateOrg/docker-compose/pull/8

For those who land on this, here's a template that worked for me (after hours of debugging...)

0-pvc.yml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: weblate-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

1-deploy.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: weblate
  labels:
    app: weblate
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: weblate
  template:
    metadata:
      labels:
        app: weblate
        redis-client: "true"
    spec:
      securityContext:
        fsGroup: 1000
      restartPolicy: Always
      containers:
      - image: weblate/weblate
        name: weblate
        ports:
          - name: http
            containerPort: 8080
            protocol: TCP
        env:
        - name: WEBLATE_DEBUG
          value: "0"
        - name: WEBLATE_LOGLEVEL
          value: "INFO"
        - name: WEBLATE_SITE_TITLE
          value: "Weblate translations"
        - name: WEBLATE_ADMIN_NAME
          value: "Admin"
        - name: WEBLATE_ADMIN_EMAIL
          value: "[email protected]"
        - name: WEBLATE_ADMIN_PASSWORD
          value: "********"
        - name: WEBLATE_SERVER_EMAIL
          value: "[email protected]"
        - name: WEBLATE_DEFAULT_FROM_EMAIL
          value: "[email protected]"
        - name: WEBLATE_ALLOWED_HOSTS
          value: "*"
        - name: WEBLATE_REGISTRATION_OPEN
          value: "0"
        - name: POSTGRES_HOST
          value: "postgres"
        - name: POSTGRES_USER
          value: "weblate"
        - name: POSTGRES_PORT
          value: "5432"
        - name: POSTGRES_PASSWORD
          value: "****"
        - name: POSTGRES_DATABASE
          value: "weblate"
        - name: REDIS_HOST
          value: "redis-master"
        - name: REDIS_PASSWORD
          value: "******"
        - name: "REDIS_DB"
          value: "2"
        - name: WEBLATE_EMAIL_HOST
          value: "smtp.sendgrid.net"
        - name: WEBLATE_EMAIL_HOST_USER
          value: "apikey"
        - name: WEBLATE_EMAIL_HOST_PASSWORD
          value: "*******"
        - name: WEBLATE_IP_PROXY_HEADER
          value: "HTTP_X_FORWARDED_FOR"
        resources:
          requests:
            cpu: 10m
            memory: 500Mi
          limits:
            cpu: 400m
            memory: 2000Mi
        volumeMounts:
        - mountPath: /app/data
          name: weblate-data
      volumes:
        - name: weblate-data
          persistentVolumeClaim:
           claimName: weblate-data

2-svc.yml

apiVersion: v1
kind: Service
metadata:
  name: weblate
spec:
  ports:
  - port: 8080
    targetPort: 8080
    name: http
  selector:
    app: weblate

Thanks @melalj, can you please contribute it as pull request to Weblate? I'm not sure where would be place people would be looking for this...

Here is mine on Azure AKS with Azure Redis and Keycloak. Had to stick to 3.8.5 due to communication problem with Azure Redis with higher versions.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: weblate-data
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: default
  resources:
    requests:
      storage: 10Gi
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: weblate
  labels:
    app: weblate
spec:
  replicas: 1
  revisionHistoryLimit: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: weblate
    spec:
      containers:
      - image: weblate/weblate:3.8-5
        name: weblate
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 8080
            name: http
            protocol: TCP
        env:
        - name: WEBLATE_DEBUG
          value: "False"
        - name: WEBLATE_LOGLEVEL
          value: "INFO"
        - name: WEBLATE_SITE_TITLE
          value: "Weblate"
        - name: WEBLATE_ADMIN_NAME
          value: "Weblate Admin"
        - name: WEBLATE_ADMIN_EMAIL
          value: "[email protected]"
        - name: WEBLATE_ADMIN_PASSWORD
          value: "xxx"
        - name: WEBLATE_SERVER_EMAIL
          value: "[email protected]"
        - name: WEBLATE_DEFAULT_FROM_EMAIL
          value: "[email protected]"
        - name: WEBLATE_ALLOWED_HOSTS
          value: "*"
        - name: WEBLATE_ENABLE_HTTPS
          value: "True"
        - name: POSTGRES_HOST
          value: "xxx.postgres.database.azure.com"
        - name: POSTGRES_USER
          value: "[email protected]"
        - name: POSTGRES_DATABASE
          value: "weblate"
        - name: POSTGRES_PORT
          value: "5432"
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: keycloak-db
        - name: REDIS_HOST
          value: xxx.redis.cache.windows.net
        - name: REDIS_PORT
          value: "6379"
        - name: REDIS_PASSWORD
          value: "xxx"
        - name: REDIS_TLS
          value: "false"
        - name: REDIS_VERIFY_SSL
          value: "true"
        - name: WEBLATE_EMAIL_HOST
          value: xxx
        - name: WEBLATE_EMAIL_USER
          value: xxx
        - name: WEBLATE_EMAIL_PASSWORD
          value: "xxx"
        - name: WEBLATE_SOCIAL_AUTH_KEYCLOAK_KEY 
          value: weblate
        - name: WEBLATE_SOCIAL_AUTH_KEYCLOAK_SECRET 
          value: "xxx"
        - name: WEBLATE_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY 
          value: "xxx"
        - name: WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL 
          value: https://keycloak.company.com/auth/realms/develop/protocol/openid-connect/auth
        - name: WEBLATE_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL 
          value: https://keycloak.company.com/auth/realms/develop/protocol/openid-connect/token
        resources:
          requests:
            cpu: 100m
            memory: 800Mi
          limits:
            cpu: 1000m
            memory: 1Gi
        volumeMounts:
        - mountPath: /app/data
          name: weblate-data
        - mountPath: /app/data/ssl
          name: certificates
        - mountPath: /app/data/settings-override.py
          subPath: settings-override.py
          name: settings-override
      volumes:
        - name: weblate-data
          persistentVolumeClaim:
           claimName: weblate-data
        - name: certificates
          secret:
            secretName: tls-secret-is4
        - configMap:
            name: weblate-configmap
          name: settings-override
      securityContext:
        runAsUser: 1000
        fsGroup: 1000
---
apiVersion: v1
kind: Service
metadata:
  name: weblate
  labels:
    app: weblate
spec:
  selector:
    app: weblate
  ports:
  - name: http
    port: 80
    targetPort: 8080
  type: ClusterIP
---
apiVersion: v1
data:
  settings-override.py: |
    SOCIAL_AUTH_VERIFY_SSL = False
    SECURE_HSTS_SECONDS = 1209600
kind: ConfigMap
metadata:
  labels:
    application: weblate
  name: weblate-configmap

I also added liveness and readiness probe. I found this reference here https://docs.weblate.org/en/weblate-3.10/admin/install.html#monitoring-weblate

lifecycle:
  preStop:
    exec:
      command:
        - sh
        - -c
        - "sleep 5"
livenessProbe:
  httpGet:
    path: /healthz/
    port: http
  initialDelaySeconds: 90
  periodSeconds: 20
readinessProbe:
  httpGet:
    path: /healthz/
    port: http

Unfortunately I had to make a compromise.. which was to set the variable ALLOWED_HOSTS to *

- name: WEBLATE_ALLOWED_HOSTS
   value: "*"

I started creating a new chart with the input of the various attempts here and trying to follow general best practices. I also updated to the latest versions of the dependencies (postgresql and redis).

I created a new repository and added some github actions that help with testing the chart and creating releases automatically (so basically people can then directly install without having to git clone a repository or anything).

The github repository is currently here: https://github.com/tarioch/weblate-helm
The helm repository is here: https://tarioch.github.io/weblate-helm

Current status
Automatic checks on PR

• lint and additional checks using helm-chart-testing
• ensure README is up to date

Automatic release on master

• uses github pages to host

Manual Testing

• Tested on two different clusters, once with helm2 and once with helm3

Work in Progress

• Automated testing of helm chart using kubernetes in cluster
• Some more cleanups (values documentation, allow to configure settings which are not exposed as env variables)

If possible I would like to get this moved into the WeblateOrg umbrella.

I would be glad to receive some feedback on this and also would like to know what your thoughts about moving this into the WeblateOrg umbrella would be.

Update, got the two work in progress items sorted out.

Automatic testing of the helm chart (installing and running a test to verify that weblate is running) is now working on Pull Requests :)

It's now also possible to specify settings overrides and key properties are now described.

So from my side, it's waiting for feedback and moving this under the WeblateOrg umbrella.

Sounds great. Given that it receives some positive feedback (my experience with this is exactly zero), I'll happily accept this under WeblateOrg.

Just quick question: Is using Bitnami charts a good practice? As mentioned before, I have no expertise in this area, so I'm just curious. The reason I ask is that I know that the Weblate appliance from them shows some bad good design choices (see https://github.com/WeblateOrg/weblate/issues/3078).

Yes, looks like now most of the "default" stuff is moving over to bitnami e.g. see https://github.com/helm/charts/tree/master/stable/postgresql

With the new helm 3 the standard/stable charts will dissappear and it will only be individual maintained chart repositories and then aggregated via helm hub https://hub.helm.sh/
Once we have this chart moved, I would then also get the repo added to helm hub, so people can easily find it.

Good to know, thanks for explaining.

As there is no other feedback, let's get this under WeblateOrg. Things can be still improved there ;-).

Absolutely, can you give me some permissions to transfer it or how should we do it? When I try to do it, it fails with missing permissions.

I've sent you an invitation and that should allow you to create repos. Hopefully, it is good enough for the transfer. In case it doesn't work, you can add me to your repo as admin, I should be able to transfer it then.

I moved it over. As I don't have access to the settings anymore, can you check the following two things:

• Check that github pages are enabled and let me know what the url is so I can adjust the readme (if you want and you could even make this as helm.weblate.org or something like that)
• Ensure that there is a secret CR_TOKEN with a a proper personal access token defined, see https://github.com/helm/chart-releaser-action

Created #3855 for updating the docs

Release job runs, so I think my token is still properly configured. Currently is uses the default github pages url at https://weblateorg.github.io/weblate-helm/ do you want to change this something like https://helm.weblate.org (see https://help.github.com/en/github/working-with-github-pages/managing-a-custom-domain-for-your-github-pages-site)

• I've just added https://helm.weblate.org, it will probably take some time to be alive

• I've switched to using GITHUB_TOKEN in https://github.com/WeblateOrg/weblate-helm/commit/6dcd7e27a847149ca338721ee916dcd2b2b767e0, it is supposed to work now

• I've renamed the repo to strip weblate prefix to https://github.com/WeblateOrg/helm/issues
• I've made you admin of the Helm repo, so that you can check everything is set up correctly there.

Let's close this and discuss possible other things in separate issues.

Thank you for your report, the issue you have reported has just been fixed.

• In case you see a problem with the fix, please comment on this issue.
• In case you see similar problem, please open separate issue.
• If you are happy with the outcome, consider supporting Weblate by donating.