Antora Docs (#68)

* Antora documentation: ASCIIDOC -> HTML/CSS/JS

* Test system adjustments to use a custom build container, and generate antora docs on every build

Co-authored-by: Adam Cowley <[email protected]>

Author: moxious

.circleci/config.yml

@@ -2,7 +2,8 @@ version: 2.1
 jobs:
   build:
     docker:
-      - image: debian:stretch
+      # Custom image; see tools/build/Dockerfile
+      - image: gcr.io/neo4j-helm/build:latest
 
     environment:
       PROJECT: neo4j-helm
@@ -21,26 +22,16 @@ jobs:
       - run:
           name: Tooling pre-requisites
           command: |
-            # Secure software install; required first in order to be able to process keys, packages, etc.
-            apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
-            
-            # Google Cloud stuff
-            echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
-            curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
-            
-            # Docker stuff
-            curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
-            add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
-
-            apt-get update
-            EXTRA_NEEDED_TOOLS="wget make gettext-base jq"
-            apt-get install -y google-cloud-sdk $EXTRA_NEEDED_TOOLS
-
             # We will install local tools so add those to path.
             echo "export PATH=./tools:.:$PATH" >> $BASH_ENV
             mkdir -p $BUILD_ARTIFACTS
             mkdir -p tools
 
+      - restore_cache:
+          name: Restore NPM Package Cache
+          keys:
+            - npm-packages-{{ checksum "doc/package.json" }}
+
       - run: 
           name: Setup GCP Tooling
           command: |
@@ -49,30 +40,26 @@ jobs:
                 $GCLOUD_SERVICE_ACCOUNT \
                 --key-file=$SERVICE_KEY_FILE
             gcloud auth configure-docker
-
+               
       - run:
-          name: Kubectl Setup
+          name: Generate Docs
           command: |
-             cd tools
-             curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
-             chmod +x kubectl
-             kubectl --help
-                
+             cd doc 
+             npm install
+             ./node_modules/.bin/antora --stacktrace docs.yml
+
+      - save_cache:
+          name: Save Yarn Package Cache
+          key: npm-packages-{{ checksum "doc/package.json" }}
+          paths:
+            - ~/.cache/npm
+
       - run:
           name: GKE Setup / Auth
           command: |
              echo "GKE SETUP"
              export CLUSTER_NAME=$CLUSTER-$CIRCLE_BUILD_NUM
              ./tools/test/provision-k8s.sh $CLUSTER_NAME
-
-      - run:
-          name: Install Helm Binaries
-          command: |
-             cd tools
-             curl -LO https://get.helm.sh/helm-v3.2.1-linux-amd64.tar.gz
-             tar zxvf helm-v3.2.1-linux-amd64.tar.gz
-             mv linux-amd64/helm .
-             helm version
       
       - run:
           name: Lint
@@ -215,4 +202,7 @@ jobs:
               --quiet
 
       - store_artifacts:
-          path: build
+          path: build
+      
+      - store_artifacts:
+          path: doc/build/site

.gitignore

@@ -42,6 +42,6 @@ k8s-poc
 *.log
 expanded.yaml
 
-package.json
-package-lock.json
 node_modules
+doc/node
+doc/build

.helmignore

@@ -4,3 +4,4 @@ k8s-poc
 *.log
 test
 node_modules
+doc

doc/docs.yml

@@ -0,0 +1,16 @@
+site:
+  title: Neo4j-Helm User Guide
+  url: /neo4j-helm-docs
+content:
+  sources:
+    - url: ../
+      start_path: doc/docs
+      branches: HEAD
+ui:
+  bundle:
+    url: https://github.com/neo4j-documentation/docs-refresh/raw/master/ui/build/ui-bundle.zip
+    snapshot: true
+asciidoc:
+  attributes:
+    page-theme: docs
+    page-cdn: /_/

doc/docs/antora.yml

@@ -0,0 +1,11 @@
+name: neo4j-helm
+version: 1.0.0
+title: Neo4j-Helm User Guide
+start_page: ROOT:index.adoc
+nav:
+  - modules/ROOT/nav.adoc
+
+asciidoc:
+  attributes:
+    docs-version: 1.0.0
+    copyright: Neo4j Inc.

doc/docs/modules/ROOT/attachments/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

doc/docs/modules/ROOT/nav.adoc

@@ -0,0 +1,15 @@
+* xref::index.adoc[Neo4j Helm User Guide]
+* xref::prerequisites.adoc[Prerequisites]
+* xref::quickstart.adoc[Quick Start]
+* xref::installation.adoc[Installation]
+* xref::configreference.adoc[Configuration Reference]
+* xref::tooling.adoc[Tooling]
+* xref::operations.adoc[Operations]
+* xref::backup.adoc[Backup]
+* xref::restore.adoc[Restore]
+* xref::rolling-upgrades.adoc[Rolling Upgrades]
+* xref::externalexposure.adoc[External Exposure]
+* xref::hardware.adoc[Hardware & Machine Shape]
+* xref::networking.adoc[Networking & Security]
+* xref::troubleshooting.adoc[Troubleshooting]
+* xref::development.adoc[Local Development of the Chart]

doc/docs/modules/ROOT/pages/backup.adoc

@@ -0,0 +1,117 @@
+[#backup]
+# Backing up Neo4j Containers
+
+[NOTE]
+**This approach assumes you have Google Cloud credentials and wish to store your backups
+on Google Cloud Storage**.  If this is not the case, you will need to adjust the backup
+script for your desired cloud storage method, but the approach will work for any backup location.
+
+[NOTE]
+**This approach works only for Neo4j 4.0+**.   The backup tool and the
+DBMS itself changed quite a lot between 3.5 and 4.0, and the approach
+here will likely not work for older databases without substantial 
+modification.
+
+## Background & Important Information
+
+### Required Neo4j Config
+
+This is provided for you out of the box by the helm chart, but if you
+customize you should bear these requirements in mind:
+
+* `dbms.backup.enabled=true`
+* `dbms.backup.listen_address=0.0.0.0:6362`
+
+The default for Neo4j is to listen only on 127.0.0.1, which will not
+work as other containers would not be able to access the backup port.
+
+### Backup Pointers
+
+All backups will turn into .tar.gz files with date strings when they were taken, such as: `neo4j-2020-06-16-12:32:57.tar.gz`.  They are named after the database
+they are a backup of. 
+
+When you take a backup, you will get both the dated version, and a "latest" copy,
+e.g. the above file will also be copied to neo4j-latest.tar.gz in the same bucket.
+
+[NOTE]
+**Reminder: Each time you take a backup, the latest file will be overwritten**.
+
+The purpose of doing this is to have a stable name in storage where the latest
+backup can always be found, without losing any of the previous backups.
+
+### Neo4j Backs Up Databases, Not the DBMS
+
+In Neo4j 4.0, the system can be multidatabase; most systems have at least 2 DBs,
+"system" and "neo4j".  *These need to be backed up and restored individually*.
+
+## Steps to Take a Backup
+
+### Create a service key secret to access cloud storage
+
+First you want to create a kubernetes secret that contains the content of your account service key.  This key must have permissions to access the bucket and backup set that you're trying to restore. 
+
+```shell
+MY_SERVICE_ACCOUNT_KEY=$HOME/.google/my-service-key.json
+kubectl create secret generic neo4j-service-key \
+   --from-file=credentials.json=$MY_SERVICE_ACCOUNT_KEY
+```
+
+The backup container is going to take this kubernetes secret
+(named `neo4j-service-key`) and is going to mount it as a file
+inside of the backup container (`/auth/credentials.json`).  That
+file will then be used to authenticate the storage client that we
+need to upload the backupset to cloud storage when it's complete.
+
+### Running a Backup
+
+The backup method is itself a mini-helm chart, and so to run a backup, you just
+do this as a minimal required example:
+
+```shell
+helm install my-backup-deployment . \
+    --set neo4jaddr=my-neo4j.default.svc.cluster.local:6362 \
+    --set bucket=gs://my-bucket/ \
+    --set database="neo4j\,system" \
+    --set secretName=neo4j-service-key
+``` 
+
+from within the tools/backup directory
+where the chart resides.  You must have first created a `neo4j-service-key`
+secret in the same namespace as your Neo4j is running.
+
+If all goes well, after a period of time when the Kubernetes Job is complete, you
+will simply see the backup files appear in the designated bucket.
+
+[NOTE]
+**If your backup does not appear, consult the job container logs to find out
+why**
+
+**Required parameters**
+
+* `neo4jaddr` pointing to an address where your cluster is running, ideally the
+discovery address.
+* `bucket` where you want the backup copied to.  It should be `gs://bucketname`.  This parameter may include a relative path (`gs://bucketname/mycluster`)
+* `databases` a comma separated list of databases to back up.  The default is
+`neo4j,system`.  If your DBMS has many individual databases, you should change this.
+
+**Optional environment variables**
+
+All of the following variables mimic the command line options
+for https://neo4j.com/docs/operations-manual/current/backup/performing/#backup-performing-command[neo4j-admin backup documented here]
+
+* `pageCache`
+* `heapSize`
+* `fallbackToFull` (true/false), default=true
+* `checkConsistency` (true/false), default=true
+* `checkIndexes` (true/false) default=true
+* `checkGraph` (true/false), default=true
+* `checkLabelScanStore` (true/false), default=true
+* `checkPropertyOwners` (true/false), default=false
+
+### Exit Conditions
+
+If the backup of any of the individual databases mentioned in the database parameters
+fails, the entire container will exit with a non-zero exit code and fail.
+
+**Note**: it is possible for Neo4j backups to succeed, but with failed consistency checks.
+This will be noted in the logs, but will operationally behave as a successful backup.

doc/docs/modules/ROOT/pages/configreference.adoc

@@ -0,0 +1,234 @@
+= Configuration Reference
+
+[abstract]
+Reference tables with a list of all configurable parameters and their defaults.
+
+## General Configuration
+
+.General Configuration Reference
+|===
+|Parameter |Description| Default
+
+| `image`
+| Neo4j image
+| `neo4j`
+
+| `imageTag`
+| Neo4j version 
+| (The default matches the release version of the helm chart itself)
+
+| `imagePullPolicy`
+| Image pull policy
+| `IfNotPresent`
+
+| `podDisruptionBudget`
+| Pod disruption budget
+| `{}`
+
+| `authEnabled`
+| Is login/password required?
+| `true`
+
+| `plugins`
+| Plugins to automatically install. (syntax must be valid JSON array string) https://github.com/neo4j/docker-neo4j/blob/master/neo4jlabs-plugins.json[Valid plugins listed here]
+| `"[\"apoc\"]"`
+
+| `defaultDatabase`
+| The name of the default database to configure in Neo4j (dbms.default_database)
+| `neo4j`
+
+| `neo4jPassword`
+| Password to log in the Neo4J database if password is required
+| (random string of 10 characters)
+
+| `resources` 
+| Resources required (e.g. CPU, memory)
+| `{}` (no specific requests or limits)
+
+| `restoreSecret`
+| The name of the kubernetes secret to mount to `/creds` in the container.  Please see the [restore documentation](../tools/restore/README-RESTORE.md) for how to use this. 
+| (none)
+
+| `existingPasswordSecret`
+| The name of the kubernetes secret which contains the `neo4j-password` 
+| (none)
+
+| `podLabels`              
+| Extra / custom labels to apply to core & replica statefulset pods 
+| `{}`
+
+| `podAnnotations`
+| Extra / custom annotations to apply to core & replica statefulset pods. 
+| `{}`
+
+|===
+
+## Neo4j Core Members
+
+.Core Member Configuration Reference
+|===
+|Parameter |Description| Default
+| `core.configMap`
+| Configmap providing configuration for core cluster members.  If not specified, defaults that come with the chart will be used.
+| `$NAME-neo4j-core-config`
+
+| `core.standalone`
+| Whether to run in single-server STANDALONE mode.   When using standalone mode, core.numberOfServers is *ignored* and you will only get 1 Neo4j Pod.  The remainder of core configuration applies. 
+| false 
+
+| `core.numberOfServers`
+| Number of machines in CORE mode
+| `3`
+
+| `core.sideCarContainers`
+| Sidecar containers to add to the core pod. Example use case is a sidecar which identifies and labels the leader when using the http API 
+| `{}`
+
+| `core.initContainers`
+| Init containers to add to the core pod. Example use case is a script that installs custom plugins/extensions
+| `{}`
+
+| `core.persistentVolume.enabled`
+| Whether or not persistence is enabled
+| `true` 
+
+| `core.persistentVolume.storageClass`
+| Storage class of backing PVC
+| `standard` (uses beta storage class annotation)
+
+| `core.persistentVolume.size`
+| Size of data volume
+| `10Gi`
+
+| `core.persistentVolume.mountPath`
+| Persistent Volume mount root path 
+| `/data`
+
+| `core.persistentVolume.subPath`
+| Subdirectory of the volume to mount
+| `nil`
+
+| `core.persistentVolume.annotations`
+| Persistent Volume Claim annotations
+| `{}`
+
+| `core.additionalVolumes`
+| See the "Other Storage" section in the user guide for more information on this option.
+| `{}`
+
+| `core.additionalVolumeMounts`
+| See the "Other Storage" section in the user guide for more information on this option.
+| `{}`
+
+| `core.service.type` 
+| Service type 
+| `ClusterIP`
+
+| `core.service.annotations` 
+| Service annotations 
+| `{}` 
+
+| `core.service.labels`
+| Custom Service labels 
+| `{}`
+
+| `core.service.loadBalancerSourceRanges` 
+| List of IP CIDRs allowed access to LB (if `core.service.type: LoadBalancer`) 
+| `[]`
+
+| `core.discoveryService.type` 
+| Service type 
+| `ClusterIP`
+
+| `core.discoveryService.annotations` 
+| Service annotations 
+| `{}`
+
+| `core.discoveryService.labels` 
+| Custom Service labels 
+| `{}`
+
+| `core.discoveryService.loadBalancerSourceRanges` 
+| List of IP CIDRs allowed access to LB (if `core.discoveryService.type: LoadBalancer`) 
+| `[]`
+|===
+
+## Neo4j Read Replicas 
+
+.Read Replica Configuration Reference
+|===
+|Parameter |Description| Default
+| `readReplica.configMap`
+| Configmap providing configuration for RR cluster members.  If not specified, defaults that come with the chart will be used. 
+| `$NAME-neo4j-replica-config`
+
+| `readReplica.numberOfServers`
+| Number of machines in READ_REPLICA. May not be used with core.standalone=true mode
+| `0`
+
+| `readReplica.autoscaling.enabled`  
+| Enable horizontal pod autoscaler  
+| `false`
+
+| `readReplica.autoscaling.targetAverageUtilization`  
+| Target CPU utilization  
+| `70` 
+
+| `readReplica.autoscaling.minReplicas` 
+| Min replicas for autoscaling  
+| `1` 
+
+| `readReplica.autoscaling.maxReplicas`  
+| Max replicas for autoscaling  
+| `3`
+
+| `readReplica.initContainers`
+| Init containers to add to the replica pods. Example use case is a script that installs custom plugins/extensions
+| `{}`
+
+| `readReplica.persistentVolume.*`
+| See `core.persistentVolume.*` settings; they behave identically for read replicas
+| `N/A`  
+
+| `readReplica.additionalVolumes`
+| See the "Other Storage" section in the user guide for more information on this option.
+| `{}`
+
+| `readReplica.additionalVolumeMounts`
+| See the "Other Storage" section in the user guide for more information on this option.
+| `{}`
+
+| `readReplica.service.type`
+| Service type
+| `ClusterIP`
+
+| `readReplica.service.annotations` 
+| Service annotations 
+| `{}`
+
+| `readReplica.service.labels` 
+| Custom Service labels 
+| `{}`
+
+| `readReplica.service.loadBalancerSourceRanges` 
+| List of IP CIDRs allowed accessto LB (if `readReplica.service.type: LoadBalancer`) 
+| `[]`
+
+|===
+
+== Naming your Deploy
+
+This chart uses the `fullnameOverride` convention, to allow you to control the name of resources that get applied to the cluster. By default, when you install a release called mygraph you'll end up with resources named things like `mygraph-neo4j-core` and `mygraph-neo4j-replica` which is the release name, app name, and component name.
+
+If you would like to override this, you may specify any of these values:
+
+* fullnameOverride
+* fullnamePrefix
+* fullnameSuffix
+
+So for example if you set `fullnameOverride=graph` and `fullnamePrefix=marketing` then you will see the resources deployed named like:
+
+* `marketing-graph-core`
+* `marketing-graph-replica`
+
+(And so on) which would omit both the helm release name, and the app name (neo4j).

doc/docs/modules/ROOT/pages/development.adoc

@@ -0,0 +1,67 @@
+= Local Development
+
+[abstract]
+This chapter provides instructions for local development of the helm chart and how to make changes to it.
+
+
+== Template Expansion
+
+```shell
+helm template --name tester --set acceptLicenseAgreement=yes --set neo4jPassword=mySecretPassword . > expanded.yaml
+```
+
+== Full-Cycle Test
+
+The following mini-script will provision a test cluster, monitor it for rollout, test it, report results, and teardown/destroy PVCs.
+
+=== Provision K8S Cluster
+
+Please use `tools/test/provision-k8s.sh` and customize to your Google Cloud project ID
+
+=== Standalone
+
+Standalone forms faster so we can manually lower the liveness/readiness timeouts.
+
+```shell
+export NAME=a
+export NAMESPACE=default
+helm install $NAME . --set acceptLicenseAgreement=yes --set neo4jPassword=mySecretPassword --set core.standalone=true --set readinessProbe.initialDelaySeconds=20 --set livenessProbe.initialDelaySeconds=20 && \
+kubectl rollout status --namespace $NAMESPACE StatefulSet/$NAME-neo4j-core --watch && \
+helm test $NAME --logs | tee testlog.txt
+helm uninstall $NAME
+sleep 20
+for idx in 0 1 2 ; do
+  kubectl delete pvc datadir-$NAME-neo4j-core-$idx ;
+done
+```
+
+=== Causal Cluster
+
+```shell
+export NAME=a
+export NAMESPACE=default
+helm install $NAME . --set acceptLicenseAgreement=yes --set neo4jPassword=mySecretPassword --set readReplica.numberOfServers=1 && \
+kubectl rollout status --namespace $NAMESPACE StatefulSet/$NAME-neo4j-core --watch && \
+helm test $NAME --logs | tee testlog.txt
+helm uninstall $NAME
+sleep 20
+for idx in 0 1 2 ; do
+  kubectl delete pvc datadir-$NAME-neo4j-core-$idx ;
+done
+```
+
+== Internal Tooling
+
+This repo contains internal tooling containers for backup, restore, and test of the helm chart, found
+under the `tools` directory.
+
+== Building the Containers
+
+If you want to push your own docker containers, make sure the registry in the Makefile is set to some
+where you have permissions on.
+
+```shell
+cd tools
+make docker_build
+make docker_push
+```

doc/docs/modules/ROOT/pages/externalexposure.adoc

@@ -0,0 +1,249 @@
+[#externalexposure]
+# External Exposure of Neo4j Clusters
+
+[abstract]
+This chapter describes how to route traffic from the outside world or Internet to a Neo4j cluster running in Kubernetes.
+
+## Overview / Problem
+
+As described in the user guide, by default when you install Neo4j, each
+node in your cluster gets a private internal DNS address, which it advertises to its clients.
+
+This works "out of the box" without any knowledge of your local addressing or DNS situation.  The
+downside is that external clients cannot use the bolt+routing or neo4j protocols to connect to the cluster,
+because they cannot route traffic to strictly cluster internal DNS names.  With the default helm install,
+connections from the outside fail even with proper exposure of the pods, because:
+
+1. The client connects to Neo4j
+2. Fetches a routing table, which contains entries like `graph-neo4j-core-0.graph-neo4j.default.svc.cluster.local`
+3. External clients attempt and fail to connect to routing table entries
+4. Overall connection fails or times out.
+
+https://medium.com/neo4j/neo4j-considerations-in-orchestration-environments-584db747dca5[This article discusses these background issues] in depth.  These instructions are
+intended as a quick method of exposing Neo4j Clusters, but you may have to do additional work 
+depending on your configuration.
+
+## Solution Approach
+
+To fix external clients, we need two things:
+
+1. The `dbms.connector.*_address` settings inside of each Neo4j node set to the externally routable address
+2. An externally valid DNS name or IP address that clients can connect to, that routes traffic to the kubernetes pod
+
+Some visual diagrams about what's going on https://docs.google.com/presentation/d/14ziuwTzB6O7cp7fq0mA1lxWwZpwnJ9G4pZiwuLxBK70/edit?usp=sharing[can be found in the architectural documentation here].
+
+We're going to address point 1 with some special configuration of the Neo4j pods themselves.  I'll explain
+the Neo4j config bits first, and then we'll tie it together with the external.  The most complex bit of this
+is ensuring each pod has the right config.
+
+We're going to address point 2 with Kubernetes Load Balancers.  We will create one per pod in our Neo4j
+stateful set.  We will associate static IP addresses to those load balancers.  This enables packets to flow from
+outside of Kubernetes to the right pod / Neo4j cluster member.
+
+## Proper Neo4j Pod Config
+
+In the helm chart within this repo, Neo4j core members are part of a stateful set, and get indexes.  
+Given a deployment in a particular namespace, you end up with the following hostnames:
+
+* `<deployment>-neo4j-core-0.<deployment>-neo4j.<namespace>.svc.cluster.local`
+* `<deployment>-neo4j-core-1.<deployment>-neo4j.<namespace>.svc.cluster.local`
+* `<deployment>-neo4j-core-2.<deployment>-neo4j.<namespace>.svc.cluster.local`
+
+The helm chart in this repo can take a configurable ConfigMap for setting env vars on these pods.  So
+we can define our own configuration and pass it to the StatefulSet on startup.   The `custom-core-configmap.yml`
+file in this directory is an example of that.
+
+### Create Static IP addresses for inbound cluster traffic
+
+I'm using GCP, so it is done like this.  Important notes here, on GCP the region must match your GKE
+region, and the network tier must be premium.  On other clouds, the conceptual step here is the same,
+but the details will differ: you need to allocate 3 static IP addresses, which we'll use in a later
+step.
+
+```shell
+# Customize these next 2 for the region of your GKE cluster,
+# and your GCP project ID
+REGION=us-central1
+PROJECT=my-gcp-project-id
+
+for idx in 0 1 2 ; do 
+   gcloud compute addresses create \
+      neo4j-static-ip-$idx --project=$PROJECT \
+      --network-tier=PREMIUM --region=$REGION
+
+   echo "IP$idx:"
+   gcloud compute addresses describe neo4j-static-ip-$idx \
+      --region=$REGION --project=$PROJECT --format=json | jq -r '.address'
+done
+```
+
+**If you are doing this with Azure** please note that the static IP addresses must be in the same 
+resource group as your kubernetes cluster, and can be created with 
+[az network public-ip create](https://docs.microsoft.com/en-us/cli/azure/network/public-ip?view=azure-cli-latest#az-network-public-ip-create) like this (just one single sample):
+`az network public-ip create -g resource_group_name -n core01 --sku standard --dns-name neo4jcore01 --allocation-method Static`.  The Azure SKU used must be standard, and the resource group you need can be found in the kubernetes Load Balancer that [following the Azure Tutorial](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough) sets up for you.
+
+For the remainder of this tutorial, let's assume that the core IP addresses I've allocated here are
+as follows; I'll refer to them as these environment variables:
+
+```shell
+export IP0=35.202.123.82
+export IP1=34.71.151.230
+export IP2=35.232.116.39
+```
+
+We will also need 3 exposure addresses that we want to advertise to the clients.  I'm going to set these
+to be the same as the IP addresses, but if you have mapped DNS, you could use DNS names instead here.
+
+It's important for later steps that we have *both* IPs *and* addresses, because they're used differently.
+
+```shell
+export ADDR0=$IP0
+export ADDR1=$IP1
+export ADDR2=$IP2
+```
+
+### Per-Host Configuration
+
+Recall that the Helm chart will let us configure core nodes with a custom config map.   That's good.
+But the problem with 1 configmap for all 3 cores is that each host needs *different config* for proper exposure.
+So in the helm chart, we've divided the neo4j settings into basic settings, and over-rideable settings.  In
+the custom configmap example, you'll see lines like this:
+
+```yaml
+$DEPLOYMENT_neo4j_core_0_NEO4J_dbms_default__advertised__address: $ADDR0
+$DEPLOYMENT_neo4j_core_1_NEO4J_dbms_default__advertised__address: $ADDR0
+```
+
+In a minute, after expanding $DEPLOYMENT to be "graph", 
+these variables have "host prefixes" - `graph_neo4j_core_0_*` settings will only apply to the host
+`graph-neo4j-core-0`.  (The dashes are changed to _ because dashes aren't supported in env var naming).
+Very important to notice that these override settings have the pod name/hostname already "baked into them",
+so it's important to know how you're planning to deploy Neo4j prior to setting this up.
+
+These "address settings" need to be changed to match the 3 static IPs that we allocated in the previous 
+step.  There are four critical env vars, all of which need to be configured, for each host:
+* `NEO4J_dbms_default__advertised__address`
+* `NEO4J_dbms_connector_bolt_advertised__address`
+* `NEO4J_dbms_connector_http_advertised__address`
+* `NEO4J_dbms_connector_https_advertised__address`
+
+With overrides, that's 12 special overrides (4 vars each for 3 containers)
+
+So using this "override approach" we can have *1 ConfigMap* that specifies all the config for 3 members
+of a cluster, while still allowing per-host configuration settings to differ.  The override approach in 
+question is implemented in a small amount of bash that is in the `core-statefulset.yaml` file.  It simply
+reads the environment and applies default values, permitting overrides if the override matches the host
+where the changes are being applied.
+
+In the next command, we'll apply the custom configmap.  Here you use the IP addresses from the previous
+step as ADDR0, ADDR1, and ADDR2.  Alternatively, if those IP addresses are associated with DNS entries,
+you can use those DNS names instead.  We're calling them addresses because they can be any address you
+want to advertise, and don't have to be an IP.  But these addresses must resolve to the static IPs we
+created in the earlier step.
+
+```shell
+export DEPLOYMENT=graph
+export NAMESPACE=default
+export ADDR0=35.202.123.82
+export ADDR1=34.71.151.230
+export ADDR2=35.232.116.39
+
+cat tools/external-exposure/custom-core-configmap.yaml | envsubst | kubectl apply -f -
+```
+
+Once customized, we now have a ConfigMap we can point our Neo4j deployment at, to advertise properly.
+
+### Installing the Helm Chart
+
+From the root of this repo, navigate to stable/neo4j and issue this command to install the helm chart 
+with a deployment name of "graph".  The deployment name *must match what you did in previous steps*,
+because remember we gave pod-specific overrides in the previous step.
+
+```shell
+export DEPLOYMENT=graph
+helm install $DEPLOYMENT . \
+  --set core.numberOfServers=3 \
+  --set readReplica.numberOfServers=0 \
+  --set core.configMap=$DEPLOYMENT-neo4j-externally-addressable-config \
+  --set acceptLicenseAgreement=yes \
+  --set neo4jPassword=mySecretPassword
+```
+
+Note the custom configmap that is passed.
+
+## External Exposure
+
+After a few minutes you'll have a fully-formed cluster whose pods show ready, and which you can connect
+to, *but* it will be advertising values that Kubernetes isn't routing yet. So what we need to do next is to
+create a load balancer *per Neo4j core pod*, and set the `loadBalancerIP` to be the static IP address we
+reserved in the earlier step, and advertised with the custom ConfigMap.
+
+A `load-balancer.yaml` file has been provided as a template, here's how to make 3 of them for given static
+IP addresses:
+
+```shell
+export DEPLOYMENT=graph
+
+# Reuse IP0, etc. from the earlier step here.
+# These *must be IP addresses* and not hostnames, because we're
+# assigning load balancer IP addresses to bind to.
+export CORE_ADDRESSES=($IP0 $IP1 $IP2)
+
+for x in 0 1 2 ; do 
+   export IDX=$x
+   export IP=${CORE_ADDRESSES[$x]}
+   echo $DEPLOYMENT with IDX $IDX and IP $IP ;
+
+   cat tools/external-exposure/load-balancer.yaml | envsubst | kubectl apply -f -
+done
+```
+
+You'll notice we're using 3 load balancers for 3 pods.  In a sense it's silly to "load balance" a single
+pod.  But without a lot of extra software and configuration, this is the best option, because LBs will
+support TCP connections (ingresses won't), and LBs can get their own independent IP addresses which can be
+associated with DNS later on.  Had we used NodePorts, we'd be at the mercy of more dynamic IP assignment,
+and also have to worry about a Kubernetes cluster member itself falling over.  ClusterIPs aren't suitable
+at all, as they don't give you external addresses.
+
+There are other fancier options, such as the [nginx-ingress controller](https://kubernetes.github.io/ingress-nginx/)
+but in this config we're shooting for something as simple as possible that you can do with existing
+kubernetes primities without installing new packages you might not already have.
+
+[NOTE]
+**Potential Trip-up point**: On GKE, the only thing needed to associate the static IP to the 
+load balancer is this `loadBalancerIP` field in the YAML.  On other clouds, there may be additional steps 
+to allocate the static IP to the Kubernetes cluster.  Consult your local cloud documentation.
+
+## Putting it All Together
+
+We can verify our services are running nicely like this:
+
+```
+$ kubectl get service | grep neo4j-external
+zeke-neo4j-external-0   LoadBalancer   10.0.5.183   35.202.123.82     7687:30529/TCP,7474:30843/TCP,7473:30325/TCP   115s
+zeke-neo4j-external-1   LoadBalancer   10.0.9.182   34.71.151.230     7687:31059/TCP,7474:31288/TCP,7473:31009/TCP   115s
+zeke-neo4j-external-2   LoadBalancer   10.0.12.38   35.232.116.39     7687:30523/TCP,7474:30844/TCP,7473:31732/TCP   114s
+```
+
+After all of these steps, you should end up with a cluster properly exposed.   We can recover our password
+like so, and connect to any of the 3 static IPs.
+
+```shell
+export NEO4J_PASSWORD=$(kubectl get secrets graph-neo4j-secrets -o yaml | grep password | sed 's/.*: //' | base64 -d)
+cypher-shell -a neo4j://34.66.183.174:7687 -u neo4j -p "$NEO4J_PASSWORD"
+```
+
+Additionally, since we exposed port 7474, you can go to any of the static IPs on port 7474 and end up with
+Neo4j browser and be able to connect.
+
+## Where to Go Next
+
+* If you have static IPs, you can of course associate DNS with them, and obtain signed
+certificates.
+* This in turn will let you expose signed cert HTTPS using standard Neo4j techniques, and
+will also permit advertising DNS instead of a bare IP if you wish.
+
+## References
+
+* For background on general Kubernetes network exposure issues, I'd recommend this article:
+https://medium.com/google-cloud/kubernetes-$TYPE-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0[Kubernetes $TYPE vs. LoadBalancer vs. Ingress?  When should I use what?]

doc/docs/modules/ROOT/pages/hardware.adoc

@@ -0,0 +1,12 @@
+= Hardware and Machine Shape
+
+[abstract]
+How to size memory, CPU, and disk for Neo4j in Kubernetes
+
+
+In order to ensure that Neo4j is deployable on basic/default K8S clusters, the default values for hardware requests have been made fairly low, and can be found in https://github.com/neo4j-contrib/neo4j-helm/blob/master/values.yaml[values.yaml].
+
+Sizing databases is ultimately something that should be done with the workload in mind. Consult Neo4j's https://neo4j.com/developer/guide-performance-tuning/?ref=googlemarketplace[Performance Tuning Documentation] for more information. In general, heap size and page cache sizing are the most important places to start when tuning performance.
+
+It is strongly recommended that you choose request and limit values for CPU and memory prior to deploying in important environments.
+

doc/docs/modules/ROOT/pages/index.adoc

@@ -0,0 +1,32 @@
+
+= Neo4j Helm Chart Overview 
+
+== Project Overview
+
+Neo4j-helm allows users to deploy multi-node Neo4j Enterprise Causal Clusters to Kubernetes instances, with configuration options for the most common scenarios. It represents a very rapid way to get started running the world leading native graph database on top of Kubernetes.
+
+This guide is intended only as a supplement to the Neo4j Operations Manual. Neo4j-helm is essentially a docker container based deploy of Neo4j Causal Cluster. As such, all of the information in the Operations Manual applies to its operation, and this guide will focus only on kubernetes-specific concerns.
+
+[NOTE]
+**In addition to the information in this user guide, a set of slides is available on the deployment architecture and chart structure of this repository. https://docs.google.com/presentation/d/14ziuwTzB6O7cp7fq0mA1lxWwZpwnJ9G4pZiwuLxBK70/edit?usp=sharing:[Neo4j Helm Chart Structure]**
+
+== Versioning
+
+The versioning of this helm chart will follow Neo4j versions for simplicity.
+
+* Version 4.0.X-Y of the helm chart is compatible with Neo4j EE v4.0.*
+* Version 4.1.X-Y of the helm chart is compatible with Neo4j EE v4.1.*
+* (and so on)
+
+The charts in this repository are for Neo4j 4.0 going forward. There are previous available charts for the Neo4j 3.5 series, but there are substantial differences between the two versions. Careful upgrade planning is advised before attempting to upgrade an existing chart.
+
+Consult the https://neo4j.com/docs/operations-manual/current/upgrade/[upgrade guide] and expect that additional configuration of this chart will be necessary.
+
+== Licensing
+
+The source code to neo4j-helm is available under the terms of the Apache License, version 2.0.  See the LICENSE.txt file in the source code repository for full terms and conditions.
+
+This documentation is licensed under link:{attachmentsdir}/LICENSE.txt[Creative Commons 4.0]
+
+[NOTE]
+The documentation version is v{docs-version}

doc/docs/modules/ROOT/pages/installation.adoc

@@ -0,0 +1,51 @@
+= Installation
+
+[abstract]
+Explore the options for installing neo4j-helm, and how to configure advanced scenarios
+
+
+This is a helm chart, and it is installed by running https://helm.sh/docs/helm/helm_install/[helm install] with various parameters used to customize the deploy.
+
+The default for this chart is to install https://neo4j.com/docs/operations-manual/current/clustering/[Neo4j Causal Cluster]*, with 3 core members and zero replicas, but standalone is also supported.
+
+== Causal Cluster Example
+
+```shell
+helm install my-neo4j \
+    --set core.numberOfServers=3,readReplica.numberOfServers=3,acceptLicenseAgreement=yes,neo4jPassword=mySecretPassword .
+```
+
+The above command creates a cluster containing 3 core servers and 3 read replicas.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```shell
+helm install neo4j-helm -f values.yaml .
+```
+
+[NOTE]
+*Tip*: You can copy the default https://github.com/neo4j-contrib/neo4j-helm/blob/master/values.yaml[values.yaml] file as an example to edit, with full access to all options.
+
+== Standalone (Single Machine) Command Line Example
+
+```shell
+helm install my-neo4j --set core.standalone=true,acceptLicenseAgreement=yes,neo4jPassword=mySecretPassword .
+```
+
+Important notes about standalone mode:
+
+* When running in standalone mode, core.numberOfServers is ignored and you will get 1 server.
+* Read replicas may only be used with causal cluster. When running standalone, all read replica arguments are ignored.
+* All other core settings (persistent volume size, annotations, etc) will still apply to your single instance.
+* Standalone instances installed in this way cannot be scaled into clusters.
+If you attempt to scale a standalone system, you will get multiple independent DBMSes, you will not get 1 causal cluster.
+
+== Deployment Scenarios
+
+See the https://github.com/neo4j-contrib/neo4j-helm/blob/master/deployment-scenarios[deployment-scenarios folder] in the repo for example YAML values files. These are example configurations that show settings necessary to launch the helm chart in different configurations.
+
+Each of these scenario files is launched the same way:
+
+```shell
+helm install mygraph -f deployment-scenarios/my-scenario.yaml . 
+```

doc/docs/modules/ROOT/pages/networking.adoc

@@ -0,0 +1,44 @@
+= Networking & Security
+
+[abstract]
+How to work with Neo4j networking & security concepts
+
+
+== Exposed Services
+
+For security reasons, we have not enabled access to the database cluster from outside of Kubernetes by default, instead choosing to leave this to users to configure appropriate network access policies for their usage. If this is desired, please look at the external exposure instructions found in this repository.
+
+By default, each node will expose:
+
+* HTTP on port 7474
+* HTTPS on port 7473
+* Bolt on port 7687
+
+Exposed services and port mappings can be configured by referencing neo4j’s docker documentation. See the advanced configuration section in this document for how to change the way the docker containers in each pod are configured.
+
+Refer to the Neo4j operations manual for information on the ports that Neo4j needs to function. Default port numbers in the helm chart exactly follow default ports in other installations.
+
+== Service Address
+
+Additionally, a service address inside of the cluster will be available as follows - to determine your service address, simply substitute `$APP_INSTANCE_NAME` with the name you deployed neo4j under, and `$NAMESPACE` with the kubernetes namespace where neo4j resides.
+
+`$NAME-neo4j.$NAMESPACE.svc.cluster.local`
+
+Any client may connect to this address, as it is a DNS record with multiple entries pointing to the nodes which back the cluster. For example, bolt+routing clients can use this address to bootstrap their connection into the cluster, subject to the items in the limitations section.
+
+== Cluster Formation
+
+Immediately after deploying Neo4j, as the pods are created the cluster begins to form. This may take up to 5 minutes, depending on a number of factors including how long it takes pods to get scheduled, and how many resources are associated with the pods. While the cluster is forming, the Neo4j REST API and Bolt endpoints may not be available. After a few minutes, bolt endpoints become available inside of the kubernetes cluster.
+
+== Password
+
+After installing, your cluster will start with the password you supplied as the neo4jPassword setting. This is stored in a kubernetes secret that is attached to your deployment. Given a deployment named “my-graph”, you can find the password as the “neo4j-password” key under the mygraph-neo4j-secrets configuration item in Kubernetes. The password is base64 encoded, and can be recovered as plaintext by authorized users with this command:
+
+```shell
+export NEO4J_PASSWORD=$(kubectl get secrets {{ template "neo4j.secrets.fullname" . }} -o yaml | grep password | sed 's/.*: //' | base64 -d)
+```
+
+Alternatively: if you set `existingPasswordSecret` that secret name should be used instead.
+
+This password applies for the base administrative user named “neo4j”.
+

doc/docs/modules/ROOT/pages/operations.adoc

@@ -0,0 +1,152 @@
+= Operations
+
+[abstract]
+How to perform a variety of Neo4j system operations in Kubernetes
+
+
+## Logging
+
+Neo4j logs that would normally be stored as the `neo4j.log` file are pod logs in Kubernetes. As a result, they are not written directly as a file to disk, but are accessible by just issuing `kubectl logs podname`.
+
+The debug.log file is a regular file written to disk inside of the pod. As of the 4.1.0-4 release and later, the default log path has been changed to place logs on persistent storage. They will typically be found at `/data/logs` inside the container, and are set to the path specified by the `dbms.directories.logs` configuration parameter in Neo4j.
+
+The same locations apply for other Neo4j log files such as `security.log` and `query.log`.
+
+## Memory Management
+
+The chart follows the same memory configuration settings as described in the https://neo4j.com/docs/operations-manual/current/performance/memory-configuration/[Memory Configuration] section of the Operations manual.
+
+### Default Approach
+Neo4j-helm behaves just like the regular Neo4j product. No explicit heap or page cache is set. Memory grows dynamically according to what the JVM can allocate.
+
+### Recommended Approach
+
+You may use the setting `dbms.memory.use_memrec=true` and this will run https://neo4j.com/docs/operations-manual/current/tools/neo4j-admin-memrec/[neo4j-admin memrec] and use its recommendations. This use_memrec setting is an option for the helm chart, it is not a Neo4j configuration option.
+
+It's very important that you also specify CPU and memory resources on launch that are adequate to support the recommendations. Crashing pods, "unscheduleable" errors, and other problems will result if the recommended amounts of memory are higher than the Kubernetes requests/limits.
+
+### Custom Explicit Settings
+
+You may set any of the following settings. The helm chart accepts these settings, mirroring the names used in the neo4j.conf file.
+
+* `dbms.memory.heap.initial_size`
+* `dbms.memory.heap.max_size`
+* `dbms.memory.pagecache.size`
+
+Their meanings, formats, and defaults are the same as found in the operations manual. See the section "Passing Custom Configuration as a ConfigMap" for how to set these settings for your database.
+
+To see an example of this custom configuration in use with a single instance, please see the https://github.com/neo4j-contrib/neo4j-helm/blob/master/deployment-scenarios/standalone-custom-memory-config.yaml[standalone custom memory config deployment scenario].
+
+## Monitoring
+
+This chart supports the same monitoring configuration settings as described in the Neo4j Operations Manual. These have been ommitted from the table above because they are documented in the operational manual, but here are three quick examples:
+
+* To publish prometheus metrics, `--set metrics.prometheus.enabled=true,metrics.prometheus.endpoint=localhost:2004`
+* To publish graphite metrics, `--set metrics.graphite.enabled=true,metrics.graphite.server=localhost:2003,metrics.graphite.interval=3s`
+* To adjust CSV metrics (enabled by default) use `metrics.csv.enabled` and `metrics.csv.interval`.
+* To disable JMX metrics (enabled by default) use `metrics.jmx.enabled=false`.
+
+## Data Persistence
+
+The most important data is kept in the `/data` volume attached to each of the core cluster members. These in turn are mapped to `Per`sistentVolumeClaims` (PVCs) in Kubernetes, and they are not deleted when you run `helm uninstall mygraph`.
+
+It is recommended that you investigate the `storageClass` option for persistent volume claims, and to choose low-latency SSD disks for best performance with Neo4j.  The `storageClass` name you need to choose will vary with different distributions of Kubernetes.
+
+[NOTE]
+**Important**: PVCs retain data between Neo4j installs. If you deploy a cluster under the name 'mygraph', later uninstall it and then re-install it a second time under the same name, the new instance will inherit all of the old data from the pre-existing PVCs. This would include things like usernames, passwords, roles, and so forth.
+
+For further durability of data, xref::backup.adoc[regularly scheduled backups] are recommended.
+
+## Other Storage
+
+The helm chart supports values for `additionalVolumes` and `additionalVolumeMounts` for both core and read replica sets. These can be used to set up arbitrary extra mounted drives inside of the containers. Exactly how to specify this is left to the user, because it depends on whether you want to use an existing PVC, mount a configmap, or other setup. This feature is intended to provide storage flexibility to inject files such as `apoc.conf`, initialization scripts, or imports directories.
+
+Use of additional volumes and mounts is not supported though, and in order to use this feature you must be very comfortable with filesystem basics in Kubernetes and Neo4j directory configuration.
+
+## Fabric
+
+In Neo4j 4.0+, https://neo4j.com/docs/operations-manual/current/fabric/introduction/[fabric] is a feature that can be enabled with regular configuration in `neo4j.conf`. All of the fabric configuration that is referenced in the manual can be done via custom ConfigMaps described in this documentation.
+
+### Simple Usage
+
+https://github.com/neo4j-contrib/neo4j-helm/blob/master/deployment-scenarios/fabric[A simple worked example of this approach can be found here.]
+
+Using Neo4j Fabric in kubernetes boils down to configuring the product as normal, but with the “docker style".
+In the neo4j operations manual, it might tell you to set `fabric.database.name=myfabric` and in kubernetes that would be `NEO4J_fabric_database_name: myfabric` and so forth.
+
+So that is fairly straightforward. But this is only one half of the story. The other half is, what is the fabric deployment topology?
+
+### Fabric Topology
+
+https://neo4j.com/docs/operations-manual/current/fabric/introduction/#_multi_cluster_deployment[Fabric enables some very complex setups]. If you have a *single DBMS* you can do it with pure configuration and it will work. If you have multiple DBMSs, then the way this works behind the scenes is via account/role coordination, and bolt connections between clusters.
+
+That in turn means that you would need to have network routing bits set up so that cluster A could talk to cluster B (referring to the diagram linked above). This would mostly be kubernetes networking stuff, nothing too exotic, but this would need to be carefully planned for.
+
+Where this gets complicated is when the architecture gets big/complex. Suppose you’re using fabric to store shards of a huge “customer graph”. The shard of US customers exists in one geo region, and the shard of EU customers in another geo region. You can use fabric to query both shards and have a logical view of the “customer graph” over all geos. To do this in kubernetes though would imply kubernetes node pools in two different geos, and almost certainly 2 different neo4j clusters. To enable bolt between them (permitting fabric to work) would get into a more advanced networking setup for kubernetes specifically. But to neo4j as a product, it’s all the same. Can I make a neo4j/bolt connection to the remote source? Yes? Then it should be fine.
+
+How Fabric Works
+What fabric needs to work are 3 things:
+
+1. A user/role (neo4j/admin for example) that is the same on all databases subject to the fabric query
+2. The ability to make a bolt connection to all cluster members participating in the fabric query
+3. Some configuration.
+
+Custom configmaps (which are discussed in this section) cover #3. Your security configuration (whatever you choose) would cover #1 and isn’t kubernetes specific. And #2 is where kubernetes networking may or may not come in, depending on your deployment topology. In the simplest single DBMS configurations, I think it will work out of the box.
+
+## Custom Neo4j Configuration with ConfigMaps
+
+Neo4j cluster pods are divided into two groups: cores and replicas. Those pods can be configured with ConfigMaps, which contain environment variables. Those environment variables, in turn, are used as configuration settings to the underlying Neo4j Docker Container, according to the Neo4j environment variable configuration.
+
+As a result, you can set any custom Neo4j configuration by creating your own Kubernetes configmap, and using it like this:
+
+```
+--set core.configMap=myConfigMapName --set readReplica.configMap=myReplicaConfigMap
+```
+
+[NOTE]
+Configuration of some networking specific settings is still done at container start time, and this very small set of variables may still be overridden by the helm chart, in particular advertised addresses & hostnames for the containers.
+
+## Scaling
+
+The following section describes considerations about changing the size of a cluster at runtime to handle more requests. Scaling only applies to causal cluster, and standalone instances cannot be scaled in this way.
+
+### Planning
+
+Before scaling a database running on kubernetes, make sure to consult in depth the Neo4j documentation on clustering architecture, and in particular take care to choose carefully between whether you want to add core nodes or read replicas. Additionally, this planning process should take care to include details of the kubernetes layer, and where the node pools reside. Adding extra core nodes to protect data with additional redundancy may not provide extra guarantees if all kubernetes nodes are in the same zone, for example.
+
+For many users and use cases, careful planning on initial database sizing is preferable to later attempts to rapidly scale the cluster.
+
+When adding new nodes to a neo4j cluster, upon the node joining the cluster, it will need to replicate the existing data from the other nodes in the cluster. As a result, this can create a temporary higher load on the remaining nodes as they replicate data to the new member. In the case of very large databases, this can cause temporary unavailability under heavy loads. We recommend that when setting up a scalable instance of Neo4j, you configure pods to restore from a recent backup set before starting. Instructions on how to restore are provided in this repo. In this way, new pods are mostly caught up before entering the cluster, and the "catch-up" process is minimal both in terms of time spent and load placed on the rest of the cluster.
+
+Because of the data intensive nature of any database, careful planning before scaling is highly recommended. Storage allocation for each new node is also needed; as a result, when scaling the database, the kubernetes cluster will create new persistent volume claims and GCE volumes.
+
+Because Neo4j's configuration is different in single-node mode (dbms.mode=SINGLE) you should not scale a deployment if it was initially set to 1 coreServer. This will result in multiple independent databases, not one cluster.
+
+### Execution (Manual Scaling)
+
+Neo4j-Helm consists of a StatefulSet for core nodes, and a Deployment for replicas. In configuration, even if you chose zero replicas, you will see a Deployment with zero members.
+
+Scaling the database is a matter of scaling one of these elements.
+
+Depending on the size of your database and how busy the other members are, it may take considerable time for the cluster topology to show the presence of the new member, as it connects to the cluster and performs catch-up. Once the new node is caught up, you can execute the cypher query CALL dbms.cluster.overview(); to verify that the new node is operational.
+
+### Execution (Automated Scaling)
+
+The helm chart provides settings which provide for a https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[HorizontalPodAutoscaler] for read replicas, which can automatically scale according to the CPU utilization of the underlying pods. For usage of this feature, please see the `readReplica.autoscaling.*` settings documented in the supported settings above.
+
+For further details about how this works and what it entails, please consult the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[kubernetes documentation on horizontal pod autoscalers].
+
+[NOTE]
+*Automated scaling applies only to read replicas*. At this time we do not recommend automatic scaling of core members of the cluster at all, and core member scaling should be limited to special operations such as rolling upgrades, documented separately.
+
+### Warnings and Indications
+
+Scaled pods inherit their configuration from their statefulset. For neo4j, this means that items like configured storage size, hardware limits, and passwords apply to scale up members.
+
+If scaling down, do not scale below three core nodes; this is the minimum necessary to guarantee a properly functioning cluster with data redundancy. Consult the neo4j clustering documentation for more information. Neo4j-Helm uses PVCs, and so if you scale up and then later scale down, this may orphan an underlying PVC, which you may want to manually delete at a later date.
+
+## Anti-Affinity Rules
+
+For productionized installs, anti-affinity rules are recommended, where pod deployment is intentionally spread out among Kubernetes worker nodes. This improves Neo4j's failure characteristics. If Kubernetes inadvertently deploys all 3 core Neo4j pods to a single worker node, and the underlying worker node VM fails -- then the entire cluster will go down. For this reason, anti-affinity rules are recommended to "spread the deployment out".
+
+An example of how to configure this with references to documentation is provided in the deployment scenarios directory.

doc/docs/modules/ROOT/pages/prerequisites.adoc

@@ -0,0 +1,18 @@
+= Prerequisites
+
+[abstract]
+This chapter provides the tools you need to have installed before using neo4j-helm.
+
+
+== Required Software
+
+* Kubernetes 1.6+ with Beta APIs enabled
+* Docker and kubectl installed locally
+* Helm >= 3.1 installed
+* PV provisioner support in the underlying infrastructure
+* Requires the following variables You must add acceptLicenseAgreement in the values.yaml file and set it to yes or include `--set acceptLicenseAgreement=yes` in the command line of helm install to accept the license.
+* This chart requires that you have a license for Neo4j Enterprise Edition. Trial licenses https://neo4j.com/lp/enterprise-cloud/?utm_content=kubernetes[can be obtained here]
+
+== Licensing & Cost
+
+Neo4j Enterprise Edition (EE) is available to any existing enterprise license holder of Neo4j in a Bring Your Own License (BYOL) arrangement. Neo4j EE is also available under evaluation licenses, contact Neo4j in order to obtain one. There is no hourly or metered cost associated with using Neo4j EE for current license holders.

doc/docs/modules/ROOT/pages/quickstart.adoc

@@ -0,0 +1,44 @@
+
+= Quick Start
+
+[abstract]
+Get started fast for common scenarios
+
+== Download a Release
+
+Find the URL of a https://github.com/neo4j-contrib/neo4j-helm/releases[copy of a release]; it will be named `neo4j-$RELEASEVERSION.tgz`
+
+[NOTE]
+You must set `acceptLicenseAgreement=yes` to accept the license, or your deployment will not succeed.
+
+== Standalone (Single Server)
+
+```shell
+helm install mygraph RELEASE_URL \
+    --set core.standalone=true \
+    --set acceptLicenseAgreement=yes \
+    --set neo4jPassword=mySecretPassword
+```
+
+== Causal Cluster
+
+```shell
+helm install mygraph RELEASE_URL \
+    --set acceptLicenseAgreement=yes \
+    --set neo4jPassword=mySecretPassword \
+    --set core.numberOfServers=3 \
+    --set readReplica.numberOfServers=0
+```
+
+== Uninstalling
+
+```shell
+helm uninstall mygraph
+```
+
+== Where to Go For Help
+
+If you have a question not covered in this user guide in the other sections, the 
+https://community.neo4j.com/c/neo4j-graph-platform/cloud/76[Neo4j Community Site] is a great place
+to ask for help.
+

doc/docs/modules/ROOT/pages/quickstart_writer.adoc

@@ -0,0 +1,218 @@
+=== Getting Started
+
+The following section will cover the DataSource Writer aspects this means about how to transfer,
+the Spark's Dataset content into Neo4j.
+
+Given the following Scala Program:
+
+[source,scala]
+----
+import org.apache.spark.sql.{SaveMode, SparkSession}
+
+import scala.util.Random
+
+val sparkSession = SparkSession.builder().getOrCreate()
+import sparkSession.implicits._
+
+case class Point3d(`type`: String = "point-3d",
+                   srid: Int,
+                   x: Double,
+                   y: Double,
+                   z: Double)
+
+case class Person(name: String, surname: String, age: Int, livesIn: Point3d)
+
+val total = 10
+val rand = Random
+val ds = (1 to total)
+  .map(i => Person(name = "Andrea " + i, "Santurbano " + i, rand.nextInt(100),
+    Point3d(srid = 4979, x = 12.5811776, y = 41.9579492, z = 1.3))).toDS()
+
+ds.write
+  .format("org.neo4j.spark.DataSource")
+  .mode(SaveMode.ErrorIfExists)
+  .option("url", "bolt://localhost:7687")
+  .option("labels", ":Person:Customer")
+  .save()
+----
+
+Will insert 10 nodes into Neo4j via Spark, and each of these will have:
+* 2 `labels`: `Person` and `Customer`
+* 4 `properties`: `name`, `surname`, `age` and `livesIn`
+
+==== Save Mode
+
+In order to persist data into Neo4j the Spark Connector supports two save mode that will
+work only if `UNIQUE` or `NODE KEY` constraints are defined into Neo4j for the given properties:
+
+* `SaveMode.ErrorIfExists`: this will build a `CREATE` query
+* `SaveMode.Overwrite`: this will build a `MERGE` query
+
+==== Options
+
+The DataSource Writer has several options in order to connect and persist data into Neo4j.
+
+.Most Common Needed Configuration Settings
+|===
+|Setting Name |Description |Default Value |Required
+
+|`labels`
+|: separated list of the labels to attach to the node.
+|_(none)_
+|No
+
+|`batch.size`
+|The number of the rows sent to Neo4j as batch.
+|5000
+|No
+
+|`node.keys`
+|The comma separated list of properties considered as node keys in case of you're using
+`SaveMode.Overwrite`
+|_(none)_
+|No
+
+|`transaction.codes.fail`
+|Comma separated list of Neo4j
+|_(none)_
+|No
+
+|===
+
+==== How the Spark Connector persist the data
+
+[NOTE]
+As the Neo4j Spark Connector provide batch writes in order to speed-up the ingestion process
+so if in the process at some point fails all the previous data is already persisted.
+
+===== Nodes
+
+In case you use the option `labels` the Spark Connector will persist the entire Dataset as nodes.
+Depending on the `SaveMode` it will `CREATE` or `MERGE` nodes (in the last case using the `node.keys`
+properties).
+The nodes will be sent to Neo4j in a batch of rows defined in the `batch.size` property and we will
+perform the under the hood un `UNWIND` operation over the batch.
+
+I.e. given the following script:
+
+[source,scala]
+----
+import org.apache.spark.sql.{SaveMode, SparkSession}
+
+import scala.util.Random
+
+val sparkSession = SparkSession.builder().getOrCreate()
+import sparkSession.implicits._
+
+case class Point3d(`type`: String = "point-3d",
+                   srid: Int,
+                   x: Double,
+                   y: Double,
+                   z: Double)
+
+case class Person(name: String, surname: String, age: Int, livesIn: Point3d)
+
+val total = 10
+val rand = Random
+val ds = (1 to total)
+  .map(i => Person(name = "Andrea " + i, "Santurbano " + i, rand.nextInt(100),
+    Point3d(srid = 4979, x = 12.5811776, y = 41.9579492, z = 1.3))).toDS()
+
+ds.write
+  .format("org.neo4j.spark.DataSource")
+  .mode(SaveMode.ErrorIfExists)
+  .option("url", "bolt://localhost:7687")
+  .option("labels", ":Person:Customer")
+  .save()
+----
+
+Under the hod the Spark Connector will perform the following Cypher query:
+
+[source,cypher]
+----
+UNwIND $events AS event
+CREATE (n:`Person`:`Customer`) SET n += event.properties
+----
+
+For the same script as above except for this part
+
+----
+ds.write
+  .format("org.neo4j.spark.DataSource")
+  .mode(SaveMode.Overwrite)
+  .option("url", "bolt://localhost:7687")
+  .option("labels", ":Person:Customer")
+  .option("node.keys", "name,surname")
+  .save()
+----
+
+Under the hod the Spark Connector will perform the following Cypher query:
+
+[source,cypher]
+----
+UNwIND $events AS event
+MERGE (n:`Person`:`Customer` {name: event.keys.name, surname: event.keys.surname})
+SET n += event.properties
+----
+
+In case of the column value is a Map<String, `Value`> (where value can be any supported
+https://neo4j.com/docs/cypher-manual/current/syntax/values/[Neo4j Type]) the Connector will automatically
+try to flatten it, so if you have the follwing Dataset:
+
+|===
+|id |name |lives_in
+
+|1
+|Andrea Santurbano
+|{address: 'Times Square, 1', city: 'NY', state: 'NY'}
+
+|1
+|Davide Fantuzzi
+|{address: 'Statue of Liberty, 10', city: 'NY', state: 'NY'}
+
+|===
+
+Under the hod the Spark Connector will flatten the data in this way:
+
+|===
+|id |name |`lives_in.address` |`lives_in.address` |`lives_in.city` |`lives_in.state`
+
+|1
+|Andrea Santurbano
+|Times Square, 1
+|NY
+|NY
+
+|1
+|Davide Fantuzzi
+|Statue of Liberty, 10
+|NY
+|NY
+
+|===
+
+===== Query
+
+In case you use the option `query` the Spark Connector will persist the entire Dataset by using the provided query.
+The nodes will be sent to Neo4j in a batch of rows defined in the `batch.size` property and we will
+perform the under the hood un `UNWIND` operation over the batch.
+
+So given the following simple Spark program:
+
+----
+ds.write
+  .format("org.neo4j.spark.DataSource")
+  .option("url", "bolt://localhost:7687")
+  .option("query", "CREATE (n:Person{fullName: event.name + event.surname})")
+  .save()
+----
+
+Under the hod the Spark Connector will perform the following Cypher query:
+
+[source,cypher]
+----
+UNwIND $events AS event
+CREATE (n:Person{fullName: event.name + event.surname})
+----
+
+Where `event` represents each Dataset row.

doc/docs/modules/ROOT/pages/restore.adoc

@@ -0,0 +1,120 @@
+[#restore]
+# Restoring Neo4j Containers
+
+[NOTE]
+**This approach assumes you have Google Cloud credentials and wish to store your backups
+on Google Cloud Storage**.  If this is not the case, you will need to adjust the restore
+script for your desired cloud storage method, but the approach will work for any backup location.
+
+[NOTE]
+**This approach works only for Neo4j 4.0+**.   The tools and the
+DBMS itself changed quite a lot between 3.5 and 4.0, and the approach
+here will likely not work for older databases without substantial 
+modification.
+
+## Approach
+
+The restore container is used as an `initContainer` in the main cluster.  Prior to
+a node in the Neo4j cluster starting, the restore container copies down the backup
+set, and restores it into place.  When the initContainer terminates, the regular
+Neo4j docker instance starts, and picks up where the backup left off.
+
+This container is primarily tested against the backup .tar.gz archives produced by
+the `backup` container in this same code repository.  We recommend you use that approach.  If you tar/gz your own backups using a different approach, be careful to
+inspect the `restore.sh` script, because it needs to make certain assumptions about
+directory structure that come out of archived backups in order to restore properly.
+
+
+### Create a service key secret to access cloud storage
+
+First you want to create a kubernetes secret that contains the content of your account service key.  This key must have permissions to access the bucket and backup set that you're trying to restore. 
+
+```shell
+MY_SERVICE_ACCOUNT_KEY=$HOME/.google/my-service-key.json
+kubectl create secret generic neo4j-service-key \
+   --from-file=credentials.json=$MY_SERVICE_ACCOUNT_KEY
+```
+
+The restore container is going to take this kubernetes secret
+(named `neo4j-service-key`) and is going to mount it as a file
+inside of the backup container (`/auth/credentials.json`).  That
+file will then be used to authenticate the storage client that we
+need to upload the backupset to cloud storage when it's complete.
+
+In `values.yaml`, then configure the secret you set here like so:
+
+```yaml
+restoreSecret: neo4j-service-key
+```
+
+This allows the core and read replica nodes to access that service key
+as a volume.  That volume being present within the containers is necessary for the
+next step, and will be mounted as `/auth/credentials.json` inside the container.
+
+If this service key secret is not in place, the auth information will not be able to be mounted as
+a volume in the initContainer, and your pods may get stuck/hung at "ContainerCreating" phase.
+
+### Configure the initContainer for Core and Read Replica Nodes
+
+Refer to the single instance restore deploy scenario to see how the initContainers are configured.
+
+What you will need to customize and ensure:
+* Ensure you have created the appropriate secret and set its name
+* Ensure that the volume mount to /auth matches the secret name you created above.
+* Ensure that your BUCKET, and GOOGLE_APPLICATION_CREDENTIALS are
+set correctly given the way you created your secret.
+
+The example scenario above creates the initContainer just for core nodes.  It's strongly recommended you do the same for `readReplica.initContainers` if you are using read replicas. If you restore only to core nodes and not to read replicas, when they start the core nodes will replicate the data to the read replicas.   This will work just fine, but may result in longer startup times and much more bandwidth.
+
+## Restore Environment Variables for the Init Container
+
+### Required
+
+- `GOOGLE_APPLICATION_CREDENTIALS` - path to a file with a JSON service account key (see credentials below).   Defaults to /auth/credentials.json
+- `BUCKET` - the storage bucket where backups are located, e.g. `gs://bucketname`.   This parameter may include a relative path (`gs://bucketname/mycluster`)
+- `DATABASE` - comma-separated list of databases to restore, e.g. neo4j,system
+* `TIMESTAMP` - this defaults to "latest".  See the backup container's documentation
+on the latest pointer.  But you may set this to a particular timestamp to restore
+that exact moment in time.   This timestamp must match the filename in storage.
+So if you want to restore the backup set at `neo4j-2020-06-16-12:32:57.tar.gz	` then
+the TIMESTAMP would be `2020-06-16-12:32:57`.
+
+### Optional
+
+- `PURGE_ON_COMPLETE` (defaults to true).  If this is set to the value "true", the restore process will remove the restore artifacts from disk.  With any other 
+value, they will be left in place.  This is useful for debugging restores, to 
+see what was copied down from cloud storage and how it was expanded.
+- `FORCE_OVERWRITE` if this is the value "true", then the restore process will overwrite and
+destroy any existing data that is on the volume.  Take care when using this in combination with
+persistent volumes.  The default is false; if data already exists on the drive, the restore operation will fail but preserve your data.  **You must set this to true
+if you want restore to work over-top of an existing database**.
+
+## Warnings 
+
+A common way you might deploy Neo4j would be restore from last backup when a container initializes.  This would be good for a cluster, because it would minimize how much catch-up
+is needed when a node is launched.  Any difference between the last backup and the rest of the
+cluster would be provided via catch-up.
+
+[NOTE]
+For single nodes, take extreme care here.  
+
+If a node crashes, and you automatically restore from
+backup, and force-overwrite what was previously on the disk, you will lose any data that the
+database captured between when the last backup was taken, and when the crash happened.  As a
+result, for single node instances of Neo4j you should either perform restores manually when you
+need them, or you should keep a very regular backup schedule to minimize this data loss.  If data
+loss is under no circumstances acceptable, do not automate restores for single node deploys.
+
+## Running the Restore
+
+With the initContainer in place and properly configured, simply deploy a new cluster 
+using the regular approach.  Prior to start, the restore will happen, and when the 
+cluster comes live, it will be populated with the data.
+
+## Limitations
+
+- If you want usernames, passwords, and permissions to be restored, you must include
+a restore of the system graph.
+- Container has not yet been tested with incremental backups
+- For the time being, only google storage as a cloud storage option is implemented, 
+but adapting this approach to S3 or other storage should be fairly straightforward with modifications to `restore.sh`

doc/docs/modules/ROOT/pages/rolling-upgrades.adoc

@@ -0,0 +1,169 @@
+# Rolling Upgrades
+
+[NOTE]
+This document expands on the Neo4j Operations Manual entry
+https://neo4j.com/docs/operations-manual/current/upgrade/causal-cluster/[Upgrade a Causal Cluster] with information about approaches on rolling upgrades in Kubernetes.
+
+## Before you Begin
+
+1. Read all of that documentation before attempting rolling upgrades. Not all relevant concepts will be described in this document.  Familiarity with the other pages will be assumed.
+2. Perform a test upgrade on a production-like environment to get information on the duration of the downtime, if any, that may be necessary.
+
+## When is this needed?
+
+* When you have a Neo4j Causal Cluster (standalone does not apply)
+* When you need to upgrade to a new minor or patch version of Neo4j
+* When you must maintain the cluster online with both read and write capabilities during the course of the upgrade process.
+
+## What This Approach Doesn't Cover
+
+Moving between major versions of Neo4j (for example, 3.5 and 4.0).  
+This requires more planning, due to these factors:
+
+* Substantial configuration changes needed on the pods between 3.5 and 4.0
+* Major changes in product features which impact what clients can rely upon.
+* Changes in the helm charts used, and their structure; if you're using an old
+3.5 helm chart, the differences between what you're using and this repo may be substantial.
+* The need for a store upgrade operation to change the format of Neo4j data on disk
+
+Neo4j 4.0 is not backwards compatible with 3.5. Additional planning and offline upgrade is recommended.
+
+If you are in the situation of migrating from Neo4j 3.5 -> 4.0, please consult
+https://neo4j.com/docs/migration-guide/current/[the Neo4j Migration Guide].
+
+If this won't work for your constraints, please check "Alternatives to Rolling Upgrades" 
+at the very bottom of this document.
+
+## High-Level Approach
+
+1. Take a backup
+2. Scale the core statefulset up, to maintain high availability. 
+3. Choose and apply your UpdateStrategy.
+4. Patch the statefulset to apply the new Neo4j version
+5. Monitor the process
+6. (Optional/If Applicable) Apply the above process to the read replica StatefulSet as well.
+7. Scale back down on success to the original size.
+
+We will now describe each step, how to do it, and why.
+
+## Take a Backup
+
+Before doing any major system maintenance operation, it's crucial to have an up-to-date backup, ensuring that if anything goes wrong, there is a point in time to return to for the database's state.
+
+In addition, all operations should be tested on a staging or a production-like environment as a "dry run" before attempting this on application-critical systems.   Performing backups is covered in the user guide in this repository.
+
+## Scale the Core Statefulset Up
+
+If you'd normally have 3 core members in your statefulset, they are providing a valuable 
+https://neo4j.com/docs/operations-manual/current/clustering/introduction/#causal-clustering-introduction-operational[high availability purpose, and a quorum].
+
+In a rolling upgrade operation, we are going to take each server *down* in its turn.  And while one is stopping/restarting, we're (temporarily) damaging the HA characteristics of the
+cluster, reducing it's ability to serve queries.   To mitigate this, before doing
+a rolling upgrade we scale the cluster *up*, from say 3 cores to 5.  We will then roll
+changes through - we will at any given moment have 4 of 5 cores available.
+
+Given a cluster deployment named "mygraph", you can scale it to 5 cores like so:
+
+```shell
+kubectl scale statefulsets mygraph-neo4j-core --replicas=5
+```
+
+This should immediately schedule 2 new pods with the same configuration (and the *old* version of Neo4j) to start up and join the cluster.  It is recommended that you scale by 2, not by 1,
+to ensure that the number of cores in the cluster is always odd.
+
+[NOTE]
+**Remember** when new members join the cluster, before the cluster is stable, they
+need to pull current transactional state.  Having members restore from a recent
+backup first is strongly recommended, to minimize the load of the 
+https://neo4j.com/docs/operations-manual/current/clustering-advanced/lifecycle/#causal-clustering-catchup-protocol[catch-up process].
+
+If you do not restore from backups on each pod, it will still work, but the cluster may take
+substantial time for the new members to catch up, particularly if you have a lot of data or
+transactional history.
+
+Consult https://kubernetes.io/docs/tasks/run-application/scale-stateful-set/#scaling-statefulsets[scaling statefulsets] in the kubernetes documentation for more information.
+
+## Choose and Apply your Update Strategy
+
+For more details, consult the Kubernetes https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies[Update strategies for statefulsets].
+
+In the next steps, we're going to tell the statefulset to change versions of Neo4j that it is
+running.  Before we do, we need to give it a strategy of how the rolling upgrade should proceed.
+You basically have 2 key options, `RollingUpdate` and `OnDelete`.  This document assumes the
+`RollingUpdate` strategy.  In this situation, Kubernetes does the following:
+
+* Starting from the end (the highest core number) it shuts a pod down, and restarts it.  Because
+we're going to patch the version, when that pod restarts, it will come up with the new version.
+* Kubernetes waits for the pod to get to the Ready state.
+* The rolling update proceeds with the next lowest index.
+
+### Criticality of Readiness / Liveness Checks
+
+Kubernetes doesn't know much about Neo4j.  It needs to be provided a definiton of what it
+means for Neo4j to be "ready".   If the new pod isn't ready before the next one rolls, you
+could get into a situation where the cluster doesn't have time to stabilize before losing
+more members.  
+
+The readiness checks described in the user manual cover this purpose.  Review them for
+adequacy and appropriateness for your deployment, and revise if necessary *before* performing
+a rolling upgrade.
+
+## Patch the StatefulSet
+
+Up until now, everything we're doing was just preparation, but this step actually affects the
+change.  If you run this, then subject to the `UpdateStrategy` you specified above, Kubernetes
+will start killing & restarting pods.
+
+```shell
+NEW_VERSION=neo4j:4.1.0-enterprise
+kubectl patch statefulset mygraph-neo4j-core --type='json' \
+    -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"'$NEW_VERSION'"}]'
+```
+
+## Monitor the Process
+
+What we're looking for:
+* Only one pod at a time stopping/restarting
+* Consistent ability to maintain a connection to the cluster, with both read & write ability throughout.
+* Monitor the `debug.log` file and container output to make sure the process is proceeding correctly
+
+## (Optional) Apply the Process to the Read Replicas
+
+Read replicas are handled in a second StatefulSet.  The process of applying an update
+strategy, patching the statefulset, and monitoring is the same though.
+
+**Recommended:** make sure you have a fully migrated & happy core cluster member set
+before working with read replicas.  Do not roll both sets at once.
+
+## Scale Back Down
+
+If everything was completed correctly, you should end up with a 5 member cluster with
+the new version, 100% online.  After success, the extra members are no longer needed,
+and you may scale back down to the original size of the cluster.
+
+```shell
+kubectl scale statefulsets mygraph-neo4j-core --replicas=3
+```
+
+## Alternatives to Rolling Upgrades
+
+If you can tolerate a period of write-unavailabilty while maintaining full read-availability,
+Kubernetes provides a secondary option to a rolling upgrade.  This document will focus on
+how to do rolling upgrades, but as a sketch of the main alternative:
+
+1. Configure your current cluster to be backed by a single DNS record (mycluster.company.com)
+2. Take a backup of your current cluster.
+3. Launch a second cluster running the new version of Neo4j (mycluster-updated).  Restore
+this cluster from the last backup of `mycluster`.
+4. Hot swap the DNS record to point to the second cluster (mycluster-updated)
+5. Shut down the original cluster (mycluster)
+
+[NOTE]
+If you adopt this approach, you will need a maintenance window where you are
+not accepting writes, as of the point of backup.  The period of write unavailability should
+be between steps 2 and the readiness of DNS in step 4.  If writes come in during this time
+period to the original cluster, they will be missing form the updated cluster.
+
+This approach should maintain read availability throughout, and it is reasonably safe; i.e.
+if the new cluster fails to migrate properly or there is a data issue, this does not compromise
+the availability of the running production system.

doc/docs/modules/ROOT/pages/tooling.adoc

@@ -0,0 +1,47 @@
+= Tooling
+
+[abstract]
+How to use Neo4j Tooling in conjunction with Kubernetes
+
+
+## Neo4j Browser
+
+[NOTE]
+In order to use Neo4j Browser you must follow the xref::externalexposure.adoc[external exposure instructions] which provide a walk-through of how to make your cluster available on the Internet.
+
+Neo4j browser is available on port 7474 of any of the hostnames described above. However, because of the network environment that the cluster is in, hosts in the neo4j cluster advertise themselves with private internal DNS that is not resolvable from outside of the cluster.
+
+Additionally, to use secure communications, configuration of HTTPS and SSL certificates is recommended.
+
+## Cypher Shell
+
+Upon deploying the helm chart, you will be given a command that can be used to connect to the cluster. This will schedule a new Neo4j pod to run called "cypher-shell" and invoke that command to connect. See NOTES.txt for an example.
+
+Please consult standard Neo4j documentation on the many other usage options present, once you have a basic bolt client and cypher shell capability.
+
+## Neo4j-Admin Import
+
+Matt Cockayne has published the following blog post about how to use kubernetes initContainers to run `neo4j-admin import` and https://phpboyscout.uk/pre-populating-neo4j-using-kubernetes-init-containers-and-neo4j-admin-import/[pre-load data in images from CSV, rather than backup sets].
+
+More generally - the technique he uses is the one that's recommended for any and all other Neo4j shell utilities. Rather than building a custom Docker image, it's recommended that you run a shell script inside of an initContainer to do whatever shell operations are necessary to prepare the data volume prior to the Neo4j's container start.
+
+## Plugins
+
+The Neo4j Docker container can take an extra environment variable NEO4JLABS_PLUGINS that pre-installs the most common plugins. The helm chart in turn has a parameter plugins that lets you specify this value.
+
+The value must be a valid JSON array of plugin names. https://github.com/neo4j/docker-neo4j/blob/master/neo4jlabs-plugins.json[The list of valid names can be found here] but include APOC, Graph Data Science, Neo4j Streams (Kafka integration) and others.
+
+The way this mechanism works is that each plugin publishes a versions.json file that allows the Neo4j Docker container to determine at runtime which version of the plugin JAR to download and put in place.
+
+APOC is included by default; comment out the plugins parameter or set it to the empty string to disable APOC. By adding other plugin names to the default shown below, you can use multiple plugins.
+
+```yaml
+plugins: "[\"apoc\"]"
+```
+
+[NOTE]
+Take care to use proper syntax and escaping: YAML can interpret JSON, and we are aiming to specify a string of JSON.
+
+An example configuration has been provided in the deployment scenarios folder that shows installation of a standalone instance using Neo4j's Graph Data Science plugin.
+
+Other/custom plugins still require the use of initContainers to download and install the plugin at runtime.

doc/docs/modules/ROOT/pages/troubleshooting.adoc

@@ -0,0 +1,22 @@
+[#troubleshooting]
+= Neo4j-Helm Troubleshooting
+
+== Are you starting with empty disks?
+
+The most common issue associated with the helm chart is persistent volume claim reuse. For example, if you deploy `mygraph`, delete this instance, and then redeploy a new, different `mygraph`, it will not get clean empty PVCs, but will reuse the old PVCs from the previous deployment. 
+
+[NOTE]
+**When you uninstall a helm distribution it does not remove persistent volume claims.**
+
+Make sure to ensure the disks you're starting with are empty to avoid file permissioning and other issues.
+
+== Have you checked debug.log?
+
+Neo4j comes with a built-in `debug.log` file that is stored in the logs directory.  This is the place
+to check when you run into trouble.  Inspect this file and look for `Exception` error messages, and often
+the product logs will tell you what the issue is.
+
+== Something Else?
+
+The https://community.neo4j.com/c/neo4j-graph-platform/cloud/76[Neo4j Community Site] is a great place
+to ask for help.

doc/package-lock.json

@@ -0,0 +1,19 @@
+{
+  "name": "@neo4j/docs",
+  "version": "1.0.0",
+  "description": "Neo4j Docs builder",
+  "main": "index.js",
+  "scripts": {
+    "start": "node server.js",
+    "build": "npm run build:developer && npm run build:labs && npm run build:labs-docs && npm run build:docs",
+    "build:docs": "antora --fetch --stacktrace docs.yml"
+  },
+  "license": "ISC",
+  "dependencies": {
+    "@antora/cli": "^2.3.3",
+    "@antora/site-generator-default": "^2.3.3"
+  },
+  "devDependencies": {
+    "express": "^4.17.1"
+  }
+}

doc/package.json

@@ -0,0 +1,7 @@
+const express = require('express')
+const app = express()
+app.use(express.static('./build/site'))
+app.get('/', (req, res) => res.redirect('/neo4j-helm/1.0.0'))
+app.listen(8000, () => console.log('📘 http://localhost:8000'))
+
+

doc/server.js

@@ -2,6 +2,7 @@ default: docker_build
 REGISTRY = gcr.io/neo4j-helm
 TEST_IMAGE ?= $(REGISTRY)/tester
 BACKUP_IMAGE ?= $(REGISTRY)/backup
+BUILD_IMAGE ?= $(REGISTRY)/build
 RESTORE_IMAGE ?= $(REGISTRY)/restore
 DOCKER_TAG ?= `cat ../Chart.yaml | grep version | sed 's/.*: //'`
 
@@ -12,11 +13,12 @@ docker_build:
 	  -t $(TEST_IMAGE):$(DOCKER_TAG) -f test/Dockerfile .
 
 	docker build -t $(BACKUP_IMAGE):$(DOCKER_TAG) -f backup/Dockerfile .
-
+	docker build -t $(BUILD_IMAGE):latest -f build/Dockerfile .
 	docker build -t $(RESTORE_IMAGE):$(DOCKER_TAG) -f restore/Dockerfile .
 
 docker_push:
 	# Push to DockerHub
 	docker push $(TEST_IMAGE):$(DOCKER_TAG)
 	docker push $(BACKUP_IMAGE):$(DOCKER_TAG)
-	docker push $(RESTORE_IMAGE):$(DOCKER_TAG)
+	docker push $(RESTORE_IMAGE):$(DOCKER_TAG)
+	docker push $(BUILD_IMAGE):latest 

tools/Makefile

@@ -0,0 +1,37 @@
+FROM debian:stretch
+
+# Tools needed
+# gcloud
+# helm
+# kubectl
+# node
+# npm
+
+# Secure software install; required first in order to be able to process keys, packages, etc.
+RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
+
+# Google Cloud stuff
+RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
+RUN curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
+
+# Docker stuff
+RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
+
+# Will run apt-get update for us.
+RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+
+RUN apt-get install -y google-cloud-sdk wget make gettext-base jq nodejs npm
+
+# Install helm
+RUN curl -LO https://get.helm.sh/helm-v3.2.1-linux-amd64.tar.gz
+RUN tar zxvf helm-v3.2.1-linux-amd64.tar.gz
+RUN mv linux-amd64/helm /usr/bin
+RUN /usr/bin/helm version
+
+# Kubectl
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+RUN chmod +x kubectl
+RUN mv kubectl /usr/bin
+RUN /usr/bin/kubectl --help
+

tools/build/Dockerfile

@@ -0,0 +1,3 @@
+This directory contains a dockerfile used to build the container that runs in the
+CI pipeline.   As such, it needs kubernetes, google, and docker tools to interact
+with the repo itself.