From 4b59112af649a00e17d6e5e0e927f5b972629ec9 Mon Sep 17 00:00:00 2001
From: Milos Backonja <35807060+milosbackonja@users.noreply.github.com>
Date: Sun, 9 Jun 2024 15:46:03 +0200
Subject: [PATCH] fix: Helm chart refactor (#1160)

Signed-off-by: Milos Backonja
---
.../charts/agent/templates/_helpers.tpl | 20 +++++++--
.../agent/templates/apisixconsumer.yaml | 4 +-
.../charts/agent/templates/apisixroute.yaml | 42 +++++++++----------
.../charts/agent/templates/apisixtls.yaml | 2 +-
.../charts/agent/templates/certificate.yaml | 2 +-
.../charts/agent/templates/configmap.yaml | 4 ++
.../charts/agent/templates/deployment.yaml | 12 +++---
.../agent/templates/externalsecret.yaml | 9 ++--
.../charts/agent/templates/postgresql.yaml | 6 +--
.../charts/agent/templates/service.yaml | 10 ++---
.../stringsecret-agent-admin-token.yaml | 2 +
.../stringsecret-agent-api-key-salt.yaml | 2 +
.../stringsecret-agent-keycloak-secret.yaml | 4 +-
.../stringsecret-agent-wallet-seed.yaml | 2 +
.../charts/agent/templates/stringsecret.yaml | 3 +-
.../charts/agent/templates/vault-unseal.yaml | 3 +-
16 files changed, 76 insertions(+), 51 deletions(-)
diff --git a/infrastructure/charts/agent/templates/_helpers.tpl b/infrastructure/charts/agent/templates/_helpers.tpl
index be61b40c10..f042db805e 100644
--- a/infrastructure/charts/agent/templates/_helpers.tpl
+++ b/infrastructure/charts/agent/templates/_helpers.tpl
@@ -30,6 +30,22 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Common labels +*/}} +{{- define "labels.common" -}} +helm.sh/chart: {{ include "cloud-agent.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: {{ include "cloud-agent.fullname" . }} +{{- end }} + + + + + {{- define "cors" }} {{- if .Values.ingress.cors.enabled }} - name: cors @@ -54,10 +70,6 @@ Create chart name and version as used by the chart label. {{- end }} {{- end -}} -{{- define "labels.common" -}} -{{- $fullname := include "cloud-agent.fullname" $ -}} -app.kubernetes.io/part-of: {{ $fullname }} -{{- end }} {{- define "headers.security" }} - name: response-rewrite diff --git a/infrastructure/charts/agent/templates/apisixconsumer.yaml b/infrastructure/charts/agent/templates/apisixconsumer.yaml index d11c212eef..f906867919 100644 --- a/infrastructure/charts/agent/templates/apisixconsumer.yaml +++ b/infrastructure/charts/agent/templates/apisixconsumer.yaml @@ -7,7 +7,7 @@ metadata: name: "{{ $consumer | lower }}" namespace: "{{ $root.Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" $root | nindent 4 }} spec: authParameter: keyAuth: @@ -25,7 +25,7 @@ metadata: name: "{{ $consumer | lower }}" namespace: "{{ $root.Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" $root | nindent 4 }} spec: authParameter: keyAuth: diff --git a/infrastructure/charts/agent/templates/apisixroute.yaml b/infrastructure/charts/agent/templates/apisixroute.yaml index 794f861c83..735a204ff7 100644 --- a/infrastructure/charts/agent/templates/apisixroute.yaml +++ b/infrastructure/charts/agent/templates/apisixroute.yaml 
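Review bot: `app.kubernetes.io/version: {{ .Chart.AppVersion }}` in the new `labels.common` helper (first `_helpers.tpl` hunk) is rendered unquoted, so an appVersion that looks numeric (constructed examples: `1.0`, `2024`) would reach the API server as a number and the label would be rejected. The line should read `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}`. The helper now reads `.Chart` and `.Release`, so every caller has to hand it the root context; inside `range` blocks that means `$root`, which the consumer templates later in this patch do. A short addition to the helper's comment, `Requires the root context (.Chart, .Release); pass $root inside range/with.`, would keep a future caller from reintroducing the `.` form.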
@@ -5,7 +5,7 @@ metadata: name: agent-route namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: http: - name: agent-rule @@ -33,10 +33,10 @@ spec: config: block_rules: ["_system/metrics"] rejected_message: "access to metrics resource is not allowed from an external location" - {{ template "cors" . }} - {{ template "consumer-restriction" . }} - {{ template "headers.requestId" . }} - {{ template "headers.security" . }} + {{- template "cors" . }} + {{- template "consumer-restriction" . }} + {{- template "headers.requestId" . }} + {{- template "headers.security" . }} --- @@ -46,7 +46,7 @@ metadata: name: agent-didcomm-route namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4}} spec: http: - name: agent-didcomm-rule @@ -66,9 +66,9 @@ spec: enable: true config: regex_uri: ["^/(prism-agent|{{ include "cloud-agent.fullname" . }})/didcomm(.*)", "/$2"] - {{ template "cors" . }} - {{ template "headers.requestId" . }} - {{ template "headers.security" . }} + {{- template "cors" . }} + {{- template "headers.requestId" . }} + {{- template "headers.security" . }} --- @@ -78,7 +78,7 @@ metadata: name: agent-schema-registry-route namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: http: - name: agent-schema-registry-rule @@ -100,9 +100,9 @@ spec: enable: true config: regex_uri: ["^/(prism-agent|{{ include "cloud-agent.fullname" . }})/schema-registry/schemas/(.*)", "/schema-registry/schemas/$2"] - {{ template "cors" . }} - {{ template "headers.requestId" . }} - {{ template "headers.security" . }} + {{- template "cors" . }} + {{- template "headers.requestId" . }} + {{- template "headers.security" . }} --- 
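Review bot: The plugin helpers in the `agent-rule` hunk (-33,10) are still called with `template`, whose output cannot be piped. After the switch to `{{- template "cors" . }}` the rendered indentation therefore depends on each helper starting with its own newline and carrying hard-coded leading spaces. Going by their names, `consumer-restriction` and `headers.security` carry the route's access restriction and response headers, so it is worth diffing `helm template` output before and after this change to confirm each plugin still renders under `plugins:` on every route. Using the form already adopted for labels, `{{- include "consumer-restriction" . | nindent N }}` with N the plugin list's indent (not recoverable from this page), would move the indentation to the call site. The same applies to the `template` calls in the hunks at -66,9, -100,9, -134,9 and -166,9 of this file.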
@@ -112,7 +112,7 @@ metadata: name: agent-cred-def-registry-route namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: http: - name: agent-cred-def-registry-rule @@ -134,9 +134,9 @@ spec: enable: true config: regex_uri: ["^/(prism-agent|{{ include "cloud-agent.fullname" . }})/credential-definition-registry/definitions/(.*)", "/credential-definition-registry/definitions/$2"] - {{ template "cors" . }} - {{ template "headers.requestId" . }} - {{ template "headers.security" . }} + {{- template "cors" . }} + {{- template "headers.requestId" . }} + {{- template "headers.security" . }} --- @@ -146,7 +146,7 @@ metadata: name: agent-docs-route namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: http: - name: agent-docs-rule @@ -166,9 +166,9 @@ spec: enable: true config: regex_uri: ["^/(prism-agent|{{ include "cloud-agent.fullname" . }})/docs/(.*)","/docs/$2"] - {{ template "cors" . }} - {{ template "headers.requestId" . }} - {{ template "headers.security" . }} + {{- template "cors" . }} + {{- template "headers.requestId" . }} + {{- template "headers.security" . }} --- {{- end }} diff --git a/infrastructure/charts/agent/templates/apisixtls.yaml b/infrastructure/charts/agent/templates/apisixtls.yaml index bdfa30fb00..3968dd8671 100644 --- a/infrastructure/charts/agent/templates/apisixtls.yaml +++ b/infrastructure/charts/agent/templates/apisixtls.yaml @@ -5,7 +5,7 @@ metadata: name: "{{ include "cloud-agent.fullname" . }}-base-path-tls" namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4}} spec: hosts: {{- range .Values.ingress.applicationUrls }} diff --git a/infrastructure/charts/agent/templates/certificate.yaml b/infrastructure/charts/agent/templates/certificate.yaml index 20fca71ca0..eff83b0281 100644 
--- a/infrastructure/charts/agent/templates/certificate.yaml +++ b/infrastructure/charts/agent/templates/certificate.yaml @@ -5,7 +5,7 @@ metadata: name: "{{ include "cloud-agent.fullname" . }}-base-path-cert" namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4}} annotations: argocd.argoproj.io/sync-wave: "-1" spec: diff --git a/infrastructure/charts/agent/templates/configmap.yaml b/infrastructure/charts/agent/templates/configmap.yaml index a344fb7c9a..830b768fd8 100644 --- a/infrastructure/charts/agent/templates/configmap.yaml +++ b/infrastructure/charts/agent/templates/configmap.yaml @@ -2,6 +2,8 @@ apiVersion: v1 kind: ConfigMap metadata: name: keycloak-bootstrap-script + labels: + {{- include "labels.common" . | nindent 4 }} data: init.sh: | #!/usr/bin/env bash @@ -82,6 +84,8 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "cloud-agent.fullname" . }}-realm-import + labels: + {{- include "labels.common" . | nindent 4}} data: {{ include "cloud-agent.fullname" . }}.json: | { diff --git a/infrastructure/charts/agent/templates/deployment.yaml b/infrastructure/charts/agent/templates/deployment.yaml index 9adccc43ce..b054a41e4f 100644 --- a/infrastructure/charts/agent/templates/deployment.yaml +++ b/infrastructure/charts/agent/templates/deployment.yaml @@ -4,7 +4,7 @@ metadata: name: {{ include "cloud-agent.fullname" . }}-server namespace: "{{ .Release.Namespace }}" labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: selector: matchLabels: 
@@ -14,14 +14,14 @@ spec: metadata: labels: app.kubernetes.io/name: {{ include "cloud-agent.fullname" . }}-server - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 8 }} spec: imagePullSecrets: - name: atala-prism-dev-deployments-github-docker-registry-key initContainers: - name: wait-postgress-ready image: busybox - command: ['sh', '-c', "until nc -z {{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{.Release.Namespace}} 5432; do echo waiting for postgress-operator; sleep 2; done;"] + command: ['sh', '-c', "until nc -z {{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{ .Release.Namespace }} 5432; do echo waiting for postgress-operator; sleep 2; done;"] {{- if .Values.server.keycloak.enabled }} - name: wait-keycloak-ready image: badouralix/curl-jq:ubuntu @@ -78,7 +78,7 @@ spec: key: salt optional: false - name: POLLUX_DB_HOST - value: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{.Release.Namespace}}" + value: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{ .Release.Namespace }}" - name: POLLUX_DB_PORT value: "5432" - name: POLLUX_DB_NAME @@ -108,7 +108,7 @@ spec: key: password optional: false - name: CONNECT_DB_HOST - value: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{.Release.Namespace}}" + value: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{ .Release.Namespace }}" - name: CONNECT_DB_PORT value: "5432" - name: CONNECT_DB_NAME 
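Review bot: The init containers in the -14,14 hunk pull `image: busybox` with no tag and `image: badouralix/curl-jq:ubuntu` by a mutable tag, so what runs in the agent pod before startup can change without any change to the chart. Pinning both by digest, for example `image: busybox@sha256:<digest-placeholder>`, or at least exposing the references through values so operators can pin them, would make the rendered Deployment reproducible. The commit edits the `wait-postgress-ready` command on the line after `image: busybox` but leaves the image references as they were. The rest of the pod spec lies outside this hunk.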
@@ -138,7 +138,7 @@ spec: key: password optional: false - name: AGENT_DB_HOST - value: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{.Release.Namespace}}" + value: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster.{{ .Release.Namespace }}" - name: AGENT_DB_PORT value: "5432" - name: AGENT_DB_NAME diff --git a/infrastructure/charts/agent/templates/externalsecret.yaml b/infrastructure/charts/agent/templates/externalsecret.yaml index 53b10f1cbd..186457edc3 100644 --- a/infrastructure/charts/agent/templates/externalsecret.yaml +++ b/infrastructure/charts/agent/templates/externalsecret.yaml @@ -4,11 +4,11 @@ metadata: name: "atala-prism-dev-deployments-github-docker-registry-key" namespace: {{ .Release.Namespace }} labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: refreshInterval: "0" secretStoreRef: - name: {{ .Values.secrets.secretStore }} + name: {{ .Values.secrets.secretStore | quote }} kind: ClusterSecretStore target: template: @@ -17,7 +17,7 @@ spec: .dockerconfigjson: "{{ `{{ .dockerconfigjson | b64dec }}` }}" dataFrom: - extract: - key: {{ .Values.secrets.dockerRegistryToken }} + key: {{ .Values.secrets.dockerRegistryToken | quote }} --- @@ -27,8 +27,9 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: "{{ $root.Values.ingress.auth.externalConsumerKeyPrefix }}-{{ $consumer | lower }}" + namespace: {{ $root.Release.Namespace }} labels: - {{ template "labels.common" . }} + {{- include "labels.common" $root | nindent 4 }} spec: refreshInterval: "0" secretStoreRef: diff --git a/infrastructure/charts/agent/templates/postgresql.yaml b/infrastructure/charts/agent/templates/postgresql.yaml index 153a62884e..180c7e382a 100644 --- a/infrastructure/charts/agent/templates/postgresql.yaml +++ b/infrastructure/charts/agent/templates/postgresql.yaml 
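Review bot: The added `namespace: {{ $root.Release.Namespace }}` on the per-consumer ExternalSecret (externalsecret.yaml, -27,8 hunk) is unquoted, as is the context line `namespace: {{ .Release.Namespace }}` in the -4,11 hunk of the same file. This commit adds `| quote` to `secretStore` and `dockerRegistryToken` in that file, and other templates write `namespace: "{{ .Release.Namespace }}"`. A namespace made up only of digits is a valid name but would render here as a YAML integer; `namespace: {{ $root.Release.Namespace | quote }}` keeps it a string. The `secretStoreRef` of the second ExternalSecret continues outside the hunk, so whether its `name` is quoted cannot be checked from here.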
@@ -4,7 +4,7 @@ metadata: name: "{{ .Values.database.postgres.managingTeam }}-{{ include "cloud-agent.fullname" . }}-postgres-cluster" namespace: {{ .Release.Namespace }} labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: teamId: "{{ .Values.database.postgres.managingTeam }}" volume: @@ -41,14 +41,13 @@ spec: {{- if .Values.keycloak.enabled }} --- - apiVersion: "acid.zalan.do/v1" kind: postgresql metadata: name: "{{ .Values.database.postgres.managingTeam }}-keycloak-postgres-cluster" namespace: {{ .Release.Namespace }} labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: teamId: "{{ .Values.database.postgres.managingTeam }}" volume: @@ -63,5 +62,4 @@ spec: keycloak: keycloak-admin postgresql: version: "14" - {{- end }} diff --git a/infrastructure/charts/agent/templates/service.yaml b/infrastructure/charts/agent/templates/service.yaml index 20f30d1906..449ac1a6f1 100644 --- a/infrastructure/charts/agent/templates/service.yaml +++ b/infrastructure/charts/agent/templates/service.yaml @@ -6,7 +6,7 @@ metadata: labels: app.kubernetes.io/name: {{ include "cloud-agent.fullname" . }}-server app.kubernetes.io/service: {{ include "cloud-agent.fullname" . }}-server-main - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: selector: app.kubernetes.io/name: {{ include "cloud-agent.fullname" . }}-server @@ -27,7 +27,7 @@ metadata: labels: app.kubernetes.io/name: {{ include "cloud-agent.fullname" . }}-server app.kubernetes.io/service: {{ include "cloud-agent.fullname" . }}-server-didcomm - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: selector: app.kubernetes.io/name: {{ include "cloud-agent.fullname" . }}-server 
@@ -41,17 +41,17 @@ spec: --- {{- if .Values.ingress.enabled }} -kind: Service apiVersion: v1 +kind: Service metadata: - name: agent-domain-name-fake-service + name: agent-domain-name-fake-service namespace: "{{ .Release.Namespace }}" annotations: external-dns.alpha.kubernetes.io/hostname: "{{ join ", " .Values.ingress.applicationUrls }}" labels: app.kubernetes.io/name: {{ include "cloud-agent.fullname" . }}-server app.kubernetes.io/service: agent-server-domain-name-fake - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: type: ExternalName externalName: {{ .Values.ingress.platformIngressUrl }} diff --git a/infrastructure/charts/agent/templates/stringsecret-agent-admin-token.yaml b/infrastructure/charts/agent/templates/stringsecret-agent-admin-token.yaml index 71bb5e515e..51f276a2bc 100644 --- a/infrastructure/charts/agent/templates/stringsecret-agent-admin-token.yaml +++ b/infrastructure/charts/agent/templates/stringsecret-agent-admin-token.yaml @@ -3,6 +3,8 @@ kind: StringSecret metadata: name: "agent-admin-token" namespace: {{ .Release.Namespace }} + labels: + {{- include "labels.common" . | nindent 4 }} spec: forceRegenerate: false fields: diff --git a/infrastructure/charts/agent/templates/stringsecret-agent-api-key-salt.yaml b/infrastructure/charts/agent/templates/stringsecret-agent-api-key-salt.yaml index d6ad64ad8b..8741a801d2 100644 --- a/infrastructure/charts/agent/templates/stringsecret-agent-api-key-salt.yaml +++ b/infrastructure/charts/agent/templates/stringsecret-agent-api-key-salt.yaml @@ -3,6 +3,8 @@ kind: StringSecret metadata: name: "agent-api-key-salt" namespace: {{ .Release.Namespace }} + labels: + {{- include "labels.common" . | nindent 4 }} spec: forceRegenerate: false fields: diff --git a/infrastructure/charts/agent/templates/stringsecret-agent-keycloak-secret.yaml b/infrastructure/charts/agent/templates/stringsecret-agent-keycloak-secret.yaml index 85d6045ee7..39880138a7 100644 
--- a/infrastructure/charts/agent/templates/stringsecret-agent-keycloak-secret.yaml +++ b/infrastructure/charts/agent/templates/stringsecret-agent-keycloak-secret.yaml @@ -3,6 +3,8 @@ kind: StringSecret metadata: name: "agent-keycloak-client-secret" namespace: {{ .Release.Namespace }} + labels: + {{- include "labels.common" . | nindent 4 }} spec: forceRegenerate: false fields: @@ -18,7 +20,7 @@ metadata: name: "keycloak-admin-secret" namespace: {{ .Release.Namespace }} labels: - {{ template "labels.common" . }} + {{- include "labels.common" . | nindent 4 }} spec: forceRegenerate: false fields: diff --git a/infrastructure/charts/agent/templates/stringsecret-agent-wallet-seed.yaml b/infrastructure/charts/agent/templates/stringsecret-agent-wallet-seed.yaml index 600483f9e2..68cb4254c8 100644 --- a/infrastructure/charts/agent/templates/stringsecret-agent-wallet-seed.yaml +++ b/infrastructure/charts/agent/templates/stringsecret-agent-wallet-seed.yaml @@ -3,6 +3,8 @@ kind: StringSecret metadata: name: "agent-wallet-seed" namespace: {{ .Release.Namespace }} + labels: + {{- include "labels.common" . | nindent 4 }} spec: forceRegenerate: false fields: diff --git a/infrastructure/charts/agent/templates/stringsecret.yaml b/infrastructure/charts/agent/templates/stringsecret.yaml index b1d88d4b05..ade9d8e0e1 100644 --- a/infrastructure/charts/agent/templates/stringsecret.yaml +++ b/infrastructure/charts/agent/templates/stringsecret.yaml @@ -7,7 +7,7 @@ metadata: name: "{{ $root.Release.Namespace }}-{{ $consumer | lower }}" namespace: {{ $root.Release.Namespace }} labels: - {{ template "labels.common" . }} + {{- include "labels.common" $root | nindent 4 }} spec: forceRegenerate: false data: @@ -16,5 +16,6 @@ spec: - fieldName: "key" encoding: "base64" length: "32" +--- {{- end }} {{- end }} diff --git a/infrastructure/charts/agent/templates/vault-unseal.yaml b/infrastructure/charts/agent/templates/vault-unseal.yaml index ba858f0c52..f91b35ab25 100644 
--- a/infrastructure/charts/agent/templates/vault-unseal.yaml +++ b/infrastructure/charts/agent/templates/vault-unseal.yaml @@ -1,9 +1,10 @@ -# https://github.com/omegion/vault-unseal/blob/master/examples/kubernetes/cronjob.yaml {{- if .Values.server.useVault }} apiVersion: batch/v1 kind: CronJob metadata: name: vault-unseal-cronjob + labels: + {{- include "labels.common" . | nindent 4 }} spec: schedule: "*/30 * * * *" successfulJobsHistoryLimit: 3
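Review bot: Removing the `# https://github.com/omegion/vault-unseal/...` line drops the only pointer to where this CronJob definition came from, which is useful context when reviewing a job named `vault-unseal-cronjob`. If the removal was meant to stop the comment rendering ahead of the `if` guard (an assumption; the commit message does not say), the reference could be kept inside the guard as a template comment, which produces no output: `{{- /* Based on https://github.com/omegion/vault-unseal/blob/master/examples/kubernetes/cronjob.yaml */}}`. The CronJob spec continues outside the hunk.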