From 871fc5994f5d1ad2a6f74b0b79e0ab0478e9ab43 Mon Sep 17 00:00:00 2001 From: Marcin Jasion Date: Fri, 13 Jan 2023 21:37:29 +0100 Subject: [PATCH 1/2] Refactor environment variables Environment variables are loaded by envFrom instead writing them in a Pod spec. In secret object the keys has been uppercased to easly load them and the postgres url has been put there. --- charts/studio/templates/NOTES.txt | 1 - charts/studio/templates/_env_vars.tpl | 288 ------------------ charts/studio/templates/_helpers.tpl | 6 + ...{configmap.yaml => configmap-ca-cert.yaml} | 0 charts/studio/templates/configmap-studio.yaml | 65 ++++ .../templates/deployment-studio-backend.yaml | 15 +- .../templates/deployment-studio-beat.yaml | 8 +- .../templates/deployment-studio-ui.yaml | 9 +- .../templates/deployment-studio-worker.yaml | 8 +- charts/studio/templates/secret-studio.yaml | 69 +++++ charts/studio/templates/secrets.yaml | 75 ----- charts/studio/values.yaml | 2 +- 12 files changed, 168 insertions(+), 378 deletions(-) delete mode 100644 charts/studio/templates/_env_vars.tpl rename charts/studio/templates/{configmap.yaml => configmap-ca-cert.yaml} (100%) create mode 100644 charts/studio/templates/configmap-studio.yaml create mode 100644 charts/studio/templates/secret-studio.yaml delete mode 100644 charts/studio/templates/secrets.yaml diff --git a/charts/studio/templates/NOTES.txt b/charts/studio/templates/NOTES.txt index c815347f..69d2df77 100644 --- a/charts/studio/templates/NOTES.txt +++ b/charts/studio/templates/NOTES.txt 
@@ -1,7 +1,6 @@ 1. Get the application URL by running these commands: {{- if .Values.studioUi.ingress.enabled }} http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/ -{{- end }} {{- else if contains "NodePort" .Values.studioUi.service.type }} export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "studio.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") diff --git a/charts/studio/templates/_env_vars.tpl b/charts/studio/templates/_env_vars.tpl deleted file mode 100644 index 6836c22d..00000000 --- a/charts/studio/templates/_env_vars.tpl +++ /dev/null 
@@ -1,288 +0,0 @@ -{{- define "studio.envvars" }} -- name: ALLOWED_HOSTS - value: "*" - -- name: API_URL -{{- if .Values.studioBackend.ingress.enabled }} - value: "http{{ if $.Values.studioBackend.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioBackend.ingress.host }}/" -{{- else }} - value: "http://studio-backend.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioBackend.service.port }}" -{{- end }} - -- name: UI_URL -{{- if .Values.studioUi.ingress.enabled }} - value: "http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/" -{{- else }} - value: "http://studio-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioUi.service.port }}" -{{- end }} - -- name: BITBUCKET_URL -{{- if .Values.global.scmProviders.bitbucket.url }} - value: {{ .Values.global.scmProviders.bitbucket.url }} -{{- else }} - value: "" -{{- end }} - -- name: BITBUCKET_API_URL -{{- if .Values.global.scmProviders.bitbucket.apiUrl }} - value: {{ .Values.global.scmProviders.bitbucket.apiUrl }} -{{- else }} - value: "" -{{- end }} - -- name: BITBUCKET_WEBHOOK_URL -{{- if .Values.global.scmProviders.bitbucket.webhookUrl }} - value: {{ .Values.global.scmProviders.bitbucket.webhookUrl }} -{{- else }} - value: "" -{{- end }} - -- name: BITBUCKET_CLIENT_ID -{{- if .Values.global.scmProviders.bitbucket.clientId }} - valueFrom: - secretKeyRef: - name: studio - key: bitbucketClientId -{{- else }} - value: "" -{{- end }} - -- name: BITBUCKET_SECRET_KEY -{{- if .Values.global.scmProviders.bitbucket.secretKey }} - valueFrom: - secretKeyRef: - name: studio - key: bitbucketSecretKey -{{- else }} - value: "" -{{- end }} - -- name: ENABLE_BLOBVAULT - value: "True" - -- name: BLOBVAULT_AWS_ACCESS_KEY_ID -{{- if .Values.global.blobvault.accessKeyId }} - valueFrom: - secretKeyRef: - name: studio - key: blobvaultAccessKeyId -{{- else }} - value: "" -{{- end }} - -- name: BLOBVAULT_AWS_SECRET_ACCESS_ID -{{- if .Values.global.blobvault.secretAccessKeyId }} - 
valueFrom: - secretKeyRef: - name: studio - key: blobvaultSecretAccessKeyId -{{- else }} - value: "" -{{- end }} - -- name: BLOBVAULT_ENDPOINT_URL -{{- if .Values.global.blobvault.endpointUrl }} - value: {{ .Values.global.blobvault.endpointUrl }} -{{- else }} - value: "{{ .Values.minio.fullnameOverride }}.{{ .Release.Namespace }}.svc.cluster.local:9000" -{{- end }} - -- name: BLOBVAULT_ENDPOINT_URL_FE -{{- if .Values.global.blobvault.endpointUrlFe }} - value: {{ .Values.global.blobvault.endpointUrlFe }} -{{- else }} - value: "{{ .Values.minio.fullnameOverride }}.{{ .Release.Namespace }}.svc.cluster.local:9000" -{{- end }} - -- name: BLOBVAULT_BUCKET -{{- if .Values.global.blobvault.bucket }} - value: {{ .Values.global.blobvault.bucket }} -{{- else }} - value: "" -{{- end }} - -- name: CELERY_BROKER_URL -{{- if .Values.global.celery.brokerUrl }} - value: {{ .Values.global.celery.brokerUrl }} -{{- else }} - value: "redis://{{ .Values.redis.fullnameOverride }}-master.{{ .Release.Namespace }}.svc.cluster.local:6379" -{{- end }} - -- name: CELERY_RESULT_BACKEND -{{- if .Values.global.celery.resultBackend }} - value: {{ .Values.global.celery.resultBackend }} -{{- else }} - value: "redis://{{ .Values.redis.fullnameOverride }}-master.{{ .Release.Namespace }}.svc.cluster.local:6379" -{{- end }} - -- name: REDIS_URL -{{- if .Values.global.celery.resultBackend }} - value: {{ .Values.global.celery.resultBackend }} -{{- else }} - value: "redis://{{ .Values.redis.fullnameOverride }}-master.{{ .Release.Namespace }}.svc.cluster.local:6379" -{{- end }} - -- name: DATABASE_URL - value: "psql://{{ .Values.global.postgres.databaseUser}}:{{ .Values.global.postgres.databasePassword }}@{{ .Values.global.postgres.databaseUrl }}" - -- name: SECRET_KEY - valueFrom: - secretKeyRef: - name: studio - key: secretKey - -- name: GITHUB_APP_ID -{{- if .Values.global.scmProviders.github.appId }} - valueFrom: - secretKeyRef: - name: studio - key: githubAppId -{{- else }} - value: "" -{{- end }} - -- 
name: GITHUB_APP_CLIENT_ID -{{- if .Values.global.scmProviders.github.clientId }} - valueFrom: - secretKeyRef: - name: studio - key: githubClientId -{{- else }} - value: "" -{{- end }} - -- name: GITHUB_APP_SECRET_KEY -{{- if .Values.global.scmProviders.github.appSecret }} - valueFrom: - secretKeyRef: - name: studio - key: githubAppSecret -{{- else }} - value: "" -{{- end }} - -- name: GITHUB_APP_PRIVATE_KEY_PEM -{{- if .Values.global.scmProviders.github.privateKey }} - valueFrom: - secretKeyRef: - name: studio - key: githubPrivateKey -{{- else }} - value: "" -{{- end }} - -- name: GITHUB_WEBHOOK_SECRET -{{- if .Values.global.scmProviders.github.webhookSecret }} - valueFrom: - secretKeyRef: - name: studio - key: githubWebhookSecret -{{- else }} - value: "" -{{- end }} - -- name: GITHUB_URL -{{- if .Values.global.scmProviders.github.url }} - value: {{ .Values.global.scmProviders.github.url }} -{{- else }} - value: "" -{{- end }} - -- name: GITHUB_API_URL -{{- if .Values.global.scmProviders.github.apiUrl }} - value: {{ .Values.global.scmProviders.github.apiUrl }} -{{- else }} - value: "" -{{- end }} - -- name: GITHUB_WEBHOOK_URL -{{- if .Values.global.scmProviders.github.webhookUrl }} - value: {{ .Values.global.scmProviders.github.webhookUrl }} -{{- else }} - value: "" -{{- end }} - -- name: GITLAB_CLIENT_ID -{{- if .Values.global.scmProviders.gitlab.clientId }} - valueFrom: - secretKeyRef: - name: studio - key: gitlabClientId -{{- else }} - value: "" -{{- end }} - -- name: GITLAB_SECRET_KEY -{{- if .Values.global.scmProviders.gitlab.secretKey }} - valueFrom: - secretKeyRef: - name: studio - key: gitlabSecretKey -{{- else }} - value: "" -{{- end }} - -- name: GITLAB_WEBHOOK_SECRET -{{- if .Values.global.scmProviders.gitlab.webhookSecret }} - valueFrom: - secretKeyRef: - name: studio - key: gitlabWebhookSecret -{{- else }} - value: "" -{{- end }} - -- name: GITLAB_URL -{{- if .Values.global.scmProviders.gitlab.url }} - value: {{ .Values.global.scmProviders.gitlab.url 
}} -{{- else }} - value: "" -{{- end }} - -- name: GITLAB_WEBHOOK_URL -{{- if .Values.global.scmProviders.gitlab.webhookUrl }} - value: {{ .Values.global.scmProviders.gitlab.webhookUrl }} -{{- else }} - value: "" -{{- end }} - -- name: MAX_VIEWS -{{- if .Values.global.maxViews }} - value: {{ .Values.global.maxViews | quote }} -{{- else }} - value: "" -{{- end }} - -- name: MAX_TEAMS -{{- if .Values.global.maxTeams }} - value: {{ .Values.global.maxTeams | quote }} -{{- else }} - value: "" -{{- end }} - - -{{- $scmProviders := list }} -{{- if .Values.global.scmProviders.gitlab.enabled }} -{{- $scmProviders = append $scmProviders "gitlab" }} -{{- end }} -{{- if .Values.global.scmProviders.github.enabled }} -{{- $scmProviders = append $scmProviders "github" }} -{{- end }} -{{- if .Values.global.scmProviders.bitbucket.enabled }} -{{- $scmProviders = append $scmProviders "bitbucket" }} -{{- end }} - -- name: SCM_PROVIDERS - value: {{ $scmProviders | join "," }} - -- name: SOCIAL_AUTH_REDIRECT_IS_HTTPS - value: "False" - -- name: SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS -{{- if .Values.studioUi.ingress.enabled }} - value: "studio-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioUi.service.port }},studio-backend.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioBackend.service.port }},http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/" -{{- else }} - value: "studio-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioUi.service.port }},studio-backend.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioBackend.service.port }}" -{{- end }} - -{{- end }} \ No newline at end of file diff --git a/charts/studio/templates/_helpers.tpl b/charts/studio/templates/_helpers.tpl index fd246ae0..fee6bb69 100644 --- a/charts/studio/templates/_helpers.tpl +++ b/charts/studio/templates/_helpers.tpl 
@@ -118,3 +118,9 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{- define "studio.checkSum" }} +checksum/configmap-studio: {{ include (print $.Template.BasePath "/configmap-studio.yaml") . | sha256sum }} +checksum/configmap-ca-cert: {{ include (print $.Template.BasePath "/configmap-ca-cert.yaml") . | sha256sum }} +checksum/secret-studio: {{ include (print $.Template.BasePath "/secret-studio.yaml") . | sha256sum }} +{{- end }} diff --git a/charts/studio/templates/configmap.yaml b/charts/studio/templates/configmap-ca-cert.yaml similarity index 100% rename from charts/studio/templates/configmap.yaml rename to charts/studio/templates/configmap-ca-cert.yaml diff --git a/charts/studio/templates/configmap-studio.yaml b/charts/studio/templates/configmap-studio.yaml new file mode 100644 index 00000000..ac4ece0a --- /dev/null +++ b/charts/studio/templates/configmap-studio.yaml 
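Review bot: The `checksum/secret-studio` line re-renders `secret-studio.yaml` once per Deployment, so any non-deterministic output of that template — the `randAscii 40` fallback for `SECRET_KEY` whenever `global.secretKey` is unset and the `lookup` finds nothing — yields a different hash for each of the four workloads and a different one on every `helm upgrade`, forcing a full rollout even when no value changed. The same happens under `helm template`/`--dry-run`, where `lookup` always returns empty. Either guarantee that the secret template is deterministic for an existing release (its lookup branch must actually find the stored key), or hash only the user-supplied inputs, e.g. `checksum/secret-studio: {{ toYaml .Values.global | sha256sum }}`.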
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: studio +data: + ALLOWED_HOSTS: "*" + API_URL: "http{{ if $.Values.studioBackend.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioBackend.ingress.host }}/" + UI_URL: "http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/" + + BITBUCKET_URL: {{.Values.global.scmProviders.bitbucket.url | default "" | quote }} + BITBUCKET_API_URL: {{ .Values.global.scmProviders.bitbucket.apiUrl | default "" | quote}} + BITBUCKET_WEBHOOK_URL: {{ .Values.global.scmProviders.bitbucket.webhookUrl | default "" | quote}} + + ENABLE_BLOBVAULT: "True" + {{- if .Values.global.blobvault.endpointUrl }} + BLOBVAULT_ENDPOINT_URL: {{ .Values.global.blobvault.endpointUrl }} + {{- else }} + BLOBVAULT_ENDPOINT_URL: "{{ .Values.minio.fullnameOverride }}.{{ .Release.Namespace }}.svc.cluster.local:9000" + {{- end }} + + {{- if .Values.global.blobvault.endpointUrlFe }} + BLOBVAULT_ENDPOINT_URL_FE: {{ .Values.global.blobvault.endpointUrlFe }} + {{- else }} + BLOBVAULT_ENDPOINT_URL_FE: "{{ .Values.minio.fullnameOverride }}.{{ .Release.Namespace }}.svc.cluster.local:9000" + {{- end }} + BLOBVAULT_BUCKET: {{.Values.global.blobvault.bucket | default "" | quote }} + {{- if .Values.global.celery.brokerUrl }} + CELERY_BROKER_URL: {{ .Values.global.celery.brokerUrl }} + {{- else }} + CELERY_BROKER_URL: "redis://{{ .Values.redis.fullnameOverride }}-master.{{ .Release.Namespace }}.svc.cluster.local:6379" + {{- end }} + {{- if .Values.global.celery.resultBackend }} + CELERY_RESULT_BACKEND: {{ .Values.global.celery.resultBackend }} + {{- else }} + CELERY_RESULT_BACKEND: "redis://{{ .Values.redis.fullnameOverride }}-master.{{ .Release.Namespace }}.svc.cluster.local:6379" + {{- end }} + {{- if .Values.global.celery.resultBackend }} + REDIS_URL: {{ .Values.global.celery.resultBackend }} + {{- else }} + REDIS_URL: "redis://{{ .Values.redis.fullnameOverride }}-master.{{ .Release.Namespace 
}}.svc.cluster.local:6379" + {{- end }} + GITHUB_API_URL: {{ .Values.global.scmProviders.github.apiUrl | default | quote }} + GITHUB_URL: {{ .Values.global.scmProviders.github.url | default "" | quote }} + GITHUB_WEBHOOK_URL: {{ .Values.global.scmProviders.github.webhookUrl | default "" | quote }} + GITLAB_URL: {{ .Values.global.scmProviders.gitlab.url | default "" | quote}} + GITLAB_WEBHOOK_URL: {{ .Values.global.scmProviders.gitlab.webhookUrl | default "" | quote }} + MAX_VIEWS: {{ .Values.global.maxViews | default "" | quote }} + MAX_TEAMS: {{ .Values.global.maxTeams | default "" | quote }} + {{- $scmProviders := list }} + {{- if .Values.global.scmProviders.gitlab.enabled }} + {{- $scmProviders = append $scmProviders "gitlab" }} + {{- end }} + {{- if .Values.global.scmProviders.github.enabled }} + {{- $scmProviders = append $scmProviders "github" }} + {{- end }} + {{- if .Values.global.scmProviders.bitbucket.enabled }} + {{- $scmProviders = append $scmProviders "bitbucket" }} + {{- end }} + SCM_PROVIDERS: {{ $scmProviders | join "," | quote}} + SOCIAL_AUTH_REDIRECT_IS_HTTPS: "False" + {{- if .Values.studioUi.ingress.enabled }} + SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS: "studio-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioUi.service.port }},studio-backend.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioBackend.service.port }},http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/" + {{- else }} + SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS: "studio-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioUi.service.port }},studio-backend.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioBackend.service.port }}" + {{- end }} diff --git a/charts/studio/templates/deployment-studio-backend.yaml b/charts/studio/templates/deployment-studio-backend.yaml index 80b2d06d..bacfa1a4 100644 --- a/charts/studio/templates/deployment-studio-backend.yaml 
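Review bot: `API_URL` and `UI_URL` at the top of `data:` now point unconditionally at `.Values.studioBackend.ingress.host` / `.Values.studioUi.ingress.host`, dropping the in-cluster `svc.cluster.local:<port>` fallback the deleted `_env_vars.tpl` used when the ingress is disabled, so NodePort/ClusterIP installs (still documented in NOTES.txt) end up with `http:///` as both URLs. `GITHUB_API_URL` uses `| default | quote` with no default argument, unlike every neighbour, so an unset value renders an empty entry instead of `""`. `BLOBVAULT_ENDPOINT_URL`, `CELERY_BROKER_URL`, `CELERY_RESULT_BACKEND` and `REDIS_URL` are emitted unquoted, and Redis/Celery URLs commonly carry a password (`redis://:pass@host`); quote them like the other entries, and if a credential is ever set there it belongs in `secret-studio.yaml`, since a ConfigMap is readable by anyone with `get configmaps` in the namespace.
```yaml
data:
  {{- if .Values.studioBackend.ingress.enabled }}
  API_URL: "http{{ if $.Values.studioBackend.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioBackend.ingress.host }}/"
  {{- else }}
  API_URL: "http://studio-backend.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioBackend.service.port }}"
  {{- end }}
  {{- if .Values.studioUi.ingress.enabled }}
  UI_URL: "http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/"
  {{- else }}
  UI_URL: "http://studio-ui.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.studioUi.service.port }}"
  {{- end }}
  # … unchanged: BITBUCKET_*, ENABLE_BLOBVAULT …
  BLOBVAULT_ENDPOINT_URL: {{ .Values.global.blobvault.endpointUrl | default (printf "%s.%s.svc.cluster.local:9000" .Values.minio.fullnameOverride .Release.Namespace) | quote }}
  # … unchanged: BLOBVAULT_ENDPOINT_URL_FE, BLOBVAULT_BUCKET, CELERY_*, REDIS_URL (quote the same way) …
  GITHUB_API_URL: {{ .Values.global.scmProviders.github.apiUrl | default "" | quote }}
  # … unchanged: remaining entries …
```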
+++ b/charts/studio/templates/deployment-studio-backend.yaml @@ -14,10 +14,10 @@ spec: template: metadata: annotations: - checksum/studio: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- with .Values.studioBackend.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "studio.checkSum" . | indent 8 }} +{{/* {{- with .Values.studioBackend.podAnnotations }}*/}} +{{/* {{- toYaml . | nindent 8 }}*/}} +{{/* {{- end }}*/}} labels: {{- include "studio-backend.selectorLabels" . | nindent 8 }} spec: @@ -53,8 +53,11 @@ spec: {{- end }} resources: {{- toYaml .Values.studioBackend.resources | nindent 12 }} - env: - {{ include "studio.envvars" . | indent 12 }} + envFrom: + - configMapRef: + name: studio + - secretRef: + name: studio {{- if .Values.global.customCaCert }} volumes: - name: studio-ca-certificates diff --git a/charts/studio/templates/deployment-studio-beat.yaml b/charts/studio/templates/deployment-studio-beat.yaml index 0e4e69b7..13904891 100644 --- a/charts/studio/templates/deployment-studio-beat.yaml +++ b/charts/studio/templates/deployment-studio-beat.yaml @@ -14,7 +14,7 @@ spec: template: metadata: annotations: - checksum/studio: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "studio.checkSum" . | indent 8 }} {{- with .Values.studioBeat.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -42,11 +42,15 @@ spec: resources: {{- toYaml .Values.studioBeat.resources | nindent 12 }} env: - {{ include "studio.envvars" . | indent 12 }} - name: "NO_MIGRATE_DB" value: "1" - name: "WAIT_FOR_MIGRATIONS" value: "1" + envFrom: + - configMapRef: + name: studio + - secretRef: + name: studio {{- if .Values.global.customCaCert }} volumeMounts: - name: studio-ca-certificates diff --git a/charts/studio/templates/deployment-studio-ui.yaml b/charts/studio/templates/deployment-studio-ui.yaml index 8adc3a0a..fb245b97 100644 --- a/charts/studio/templates/deployment-studio-ui.yaml 
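Review bot: The `podAnnotations` block of the backend pod template is commented out with `{{/* */}}` rather than kept, so `.Values.studioBackend.podAnnotations` is silently ignored from this version on, while the beat, ui and worker deployments in the same patch keep theirs. Restore it after the checksum include — `{{- with .Values.studioBackend.podAnnotations }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` — and delete the dead commented lines. The `envFrom` change below is fine as such; just keep in mind that an explicit `env` entry with the same name takes precedence over an `envFrom` key, so any per-container override added later will shadow the shared ConfigMap/Secret value.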
+++ b/charts/studio/templates/deployment-studio-ui.yaml @@ -14,7 +14,7 @@ spec: template: metadata: annotations: - checksum/studio: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "studio.checkSum" . | indent 8 }} {{- with .Values.studioUi.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -50,8 +50,11 @@ spec: initialDelaySeconds: 5 periodSeconds: 25 timeoutSeconds: 10 - env: - {{ include "studio.envvars" . | indent 12 }} + envFrom: + - configMapRef: + name: studio + - secretRef: + name: studio {{- if .Values.global.customCaCert }} volumeMounts: - name: studio-ca-certificates diff --git a/charts/studio/templates/deployment-studio-worker.yaml b/charts/studio/templates/deployment-studio-worker.yaml index 9860e90c..cccbfc2b 100644 --- a/charts/studio/templates/deployment-studio-worker.yaml +++ b/charts/studio/templates/deployment-studio-worker.yaml @@ -14,7 +14,7 @@ spec: template: metadata: annotations: - checksum/studio: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "studio.checkSum" . | indent 8 }} {{- with .Values.studioWorker.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -42,11 +42,15 @@ spec: resources: {{- toYaml .Values.studioWorker.resources | nindent 12 }} env: - {{ include "studio.envvars" . | indent 12 }} - name: "NO_MIGRATE_DB" value: "1" - name: "WAIT_FOR_MIGRATIONS" value: "1" + envFrom: + - configMapRef: + name: studio + - secretRef: + name: studio {{- if .Values.global.customCaCert }} volumeMounts: - name: studio-ca-certificates diff --git a/charts/studio/templates/secret-studio.yaml b/charts/studio/templates/secret-studio.yaml new file mode 100644 index 00000000..217c93ef --- /dev/null +++ b/charts/studio/templates/secret-studio.yaml 
@@ -0,0 +1,69 @@ +apiVersion: v1 +kind: Secret +metadata: + name: studio + annotations: + "helm.sh/resource-policy": "keep" + labels: + {{- include "studio.labels" . | nindent 4 }} +type: Opaque +stringData: + DATABASE_URL: "psql://{{ .Values.global.postgres.databaseUser}}:{{ .Values.global.postgres.databasePassword }}@{{ .Values.global.postgres.databaseUrl }}" + + {{- if .Values.global.scmProviders.gitlab.clientId }} + GITLAB_CLIENT_ID: {{ .Values.global.scmProviders.gitlab.clientId }} + {{- end }} + + {{- if .Values.global.scmProviders.gitlab.secretKey }} + GITLAB_SECRET_KEY: {{ .Values.global.scmProviders.gitlab.secretKey }} + {{- end }} + + {{- if .Values.global.scmProviders.gitlab.webhookSecret }} + GITLAB_WEBHOOK_SECRET: {{ .Values.global.scmProviders.gitlab.webhookSecret }} + {{- end }} + + {{- if .Values.global.scmProviders.github.clientId }} + GITHUB_APP_CLIENT_ID: {{ .Values.global.scmProviders.github.clientId }} + {{- end }} + + {{- if .Values.global.scmProviders.github.appId }} + GITHUB_APP_ID: {{ .Values.global.scmProviders.github.appId }} + {{- end }} + + {{- if .Values.global.scmProviders.github.appSecret }} + GITHUB_APP_SECRET_KEY: {{ .Values.global.scmProviders.github.appSecret }} + {{- end }} + + {{- if .Values.global.scmProviders.github.privateKey }} + GITHUB_APP_PRIVATE_KEY_PEM: {{ .Values.global.scmProviders.github.privateKey }} + {{- end }} + + {{- if .Values.global.scmProviders.github.webhookSecret }} + GITHUB_WEBHOOK_SECRET: {{ .Values.global.scmProviders.github.webhookSecret }} + {{- end }} + + # Set secretKey to existing value or generate a random one + {{- if .Values.global.secretKey }} + SECRET_KEY: {{ .Values.global.secretKey }} + {{- else }} + {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "studio") | default dict }} + {{- $secretData := (get $secretObj "data") | default dict }} + {{- $secretKey := (get $secretData "secretKey") | default (randAscii 40) }} + SECRET_KEY: {{ $secretKey | quote }} + {{- end }} + + {{- if 
.Values.global.blobvault.accessKeyId }} + BLOBVAULT_AWS_ACCESS_KEY_ID: {{ .Values.global.blobvault.accessKeyId }} + {{- end }} + + {{- if .Values.global.blobvault.secretAccessKeyId }} + BLOBVAULT_AWS_SECRET_ACCESS_ID: {{ .Values.global.blobvault.secretAccessKeyId }} + {{- end }} + + {{- if .Values.global.scmProviders.bitbucket.secretKey }} + BITBUCKET_SECRET_KEY: {{ .Values.global.scmProviders.bitbucket.secretKey }} + {{- end }} + + {{- if .Values.global.scmProviders.bitbucket.clientId }} + BITBUCKET_CLIENT_ID: {{ .Values.global.scmProviders.bitbucket.clientId }} + {{- end }} diff --git a/charts/studio/templates/secrets.yaml b/charts/studio/templates/secrets.yaml deleted file mode 100644 index 9395c001..00000000 --- a/charts/studio/templates/secrets.yaml +++ /dev/null 
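Review bot: The existing-key lookup in the `SECRET_KEY` branch still reads `get $secretData "secretKey"`, but this template now stores the key as `SECRET_KEY`, and the value it reads from `.data` is base64 while the template writes to `stringData` without `b64dec`; the effect is that the first upgrade from the old chart silently replaces the application secret with its base64 form, and every later upgrade (finding no `secretKey`) generates a fresh `randAscii 40`, rotating `SECRET_KEY` and invalidating sessions and signed tokens on each release. Separately, every value under `stringData` except `DATABASE_URL` and the generated key is emitted unquoted, which the old `b64enc` form protected against: `GITHUB_APP_PRIVATE_KEY_PEM` is a multi-line PEM and renders as invalid YAML, `GITHUB_APP_ID` is all digits and becomes an integer the API rejects for `stringData`, and any secret containing `: ` or ` #` is mis-parsed — add `| quote` to each. `DATABASE_URL` also interpolates `databasePassword` raw, so a password with `@`, `/` or `%` produces a broken DSN; `{{ .Values.global.postgres.databasePassword | urlquery }}` is the usual fix, provided the consumer URL-decodes userinfo (worth confirming).
```yaml
  # Set secretKey to existing value or generate a random one
  {{- if .Values.global.secretKey }}
  SECRET_KEY: {{ .Values.global.secretKey | quote }}
  {{- else }}
  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "studio") | default dict }}
  {{- $secretData := (get $secretObj "data") | default dict }}
  {{- /* accept the new uppercase key, fall back to the pre-refactor camelCase key; lookup returns base64 */}}
  {{- $existing := (get $secretData "SECRET_KEY") | default (get $secretData "secretKey") }}
  {{- if $existing }}
  SECRET_KEY: {{ $existing | b64dec | quote }}
  {{- else }}
  SECRET_KEY: {{ randAscii 40 | quote }}
  {{- end }}
  {{- end }}
```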
@@ -1,75 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: studio - annotations: - "helm.sh/resource-policy": "keep" - labels: - {{- include "studio.labels" . | nindent 4 }} -type: Opaque -data: - {{- if .Values.global.scmProviders.gitlab.clientId }} - gitlabClientId: {{ .Values.global.scmProviders.gitlab.clientId | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.gitlab.secretKey }} - gitlabSecretKey: {{ .Values.global.scmProviders.gitlab.secretKey | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.gitlab.webhookSecret }} - gitlabWebhookSecret: {{ .Values.global.scmProviders.gitlab.webhookSecret | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.github.clientId }} - githubClientId: {{ .Values.global.scmProviders.github.clientId | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.github.appId }} - githubAppId: {{ .Values.global.scmProviders.github.appId | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.github.appSecret }} - githubAppSecret: {{ .Values.global.scmProviders.github.appSecret | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.github.privateKey }} - githubPrivateKey: {{ .Values.global.scmProviders.github.privateKey | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.github.webhookSecret }} - githubWebhookSecret: {{ .Values.global.scmProviders.github.webhookSecret | b64enc }} - {{- end }} - - # Set secretKey to existing value or generate a random one - {{- if .Values.global.secretKey }} - secretKey: {{ .Values.global.secretKey | b64enc }} - {{- else }} - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "studio") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $secretKey := (get $secretData "secretKey") | default (randAscii 40 | b64enc) }} - secretKey: {{ $secretKey | quote }} - {{- end }} - - {{- if .Values.global.postgres.databaseUser }} - postgresDatabaseUser: {{ .Values.global.postgres.databaseUser | b64enc 
}} - {{- end }} - - {{- if .Values.global.postgres.databasePassword }} - postgresDatabasePassword: {{ .Values.global.postgres.databasePassword | b64enc }} - {{- end }} - - {{- if .Values.global.blobvault.accessKeyId }} - blobvaultAccessKeyId: {{ .Values.global.blobvault.accessKeyId | b64enc }} - {{- end }} - - {{- if .Values.global.blobvault.secretAccessKeyId }} - blobvaultSecretAccessKeyId: {{ .Values.global.blobvault.secretAccessKeyId | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.bitbucket.secretKey }} - bitbucketSecretKey: {{ .Values.global.scmProviders.bitbucket.secretKey | b64enc }} - {{- end }} - - {{- if .Values.global.scmProviders.bitbucket.clientId }} - bitbucketClientId: {{ .Values.global.scmProviders.bitbucket.clientId | b64enc }} - {{- end }} diff --git a/charts/studio/values.yaml b/charts/studio/values.yaml index a2a085c9..8ee8a5c0 100644 --- a/charts/studio/values.yaml +++ b/charts/studio/values.yaml @@ -41,7 +41,7 @@ global: postgres: # -- Postgres database URL - databaseUrl: "studio-postgresql.studio.svc.cluster.local:5432/iterativeai" + databaseUrl: "studio-postgresql:5432/iterativeai" # -- Postgres database user databaseUser: "postgres" # -- Postgres database password From 26bb5f781d074fd61155949176feefafe73a24bd Mon Sep 17 00:00:00 2001 From: Marcin Jasion Date: Fri, 13 Jan 2023 21:28:43 +0100 Subject: [PATCH 2/2] Add Job for running migrations Closes #35 --- charts/studio/templates/_helpers.tpl | 1 + charts/studio/templates/configmap-studio.yaml | 2 + .../templates/deployment-studio-beat.yaml | 5 -- .../templates/deployment-studio-worker.yaml | 5 -- charts/studio/templates/job_db_migration.yaml | 54 +++++++++++++++++++ .../templates/secret-migration-job.yaml | 6 +++ 6 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 charts/studio/templates/job_db_migration.yaml create mode 100644 charts/studio/templates/secret-migration-job.yaml 
diff --git a/charts/studio/templates/_helpers.tpl b/charts/studio/templates/_helpers.tpl index fee6bb69..a57cf3f3 100644 --- a/charts/studio/templates/_helpers.tpl +++ b/charts/studio/templates/_helpers.tpl @@ -123,4 +123,5 @@ Create the name of the service account to use checksum/configmap-studio: {{ include (print $.Template.BasePath "/configmap-studio.yaml") . | sha256sum }} checksum/configmap-ca-cert: {{ include (print $.Template.BasePath "/configmap-ca-cert.yaml") . | sha256sum }} checksum/secret-studio: {{ include (print $.Template.BasePath "/secret-studio.yaml") . | sha256sum }} +checksum/studio-migration-job-secret: {{ include (print $.Template.BasePath "/secret-migration-job.yaml") . | sha256sum }} {{- end }} diff --git a/charts/studio/templates/configmap-studio.yaml b/charts/studio/templates/configmap-studio.yaml index ac4ece0a..9ded2b22 100644 --- a/charts/studio/templates/configmap-studio.yaml +++ b/charts/studio/templates/configmap-studio.yaml @@ -3,6 +3,8 @@ kind: ConfigMap metadata: name: studio data: + NO_MIGRATE_DB: "1" + WAIT_FOR_MIGRATIONS: "1" ALLOWED_HOSTS: "*" API_URL: "http{{ if $.Values.studioBackend.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioBackend.ingress.host }}/" UI_URL: "http{{ if $.Values.studioUi.ingress.tlsEnabled }}s{{ end }}://{{ .Values.studioUi.ingress.host }}/" diff --git a/charts/studio/templates/deployment-studio-beat.yaml b/charts/studio/templates/deployment-studio-beat.yaml index 13904891..d32e4f4f 100644 --- a/charts/studio/templates/deployment-studio-beat.yaml +++ b/charts/studio/templates/deployment-studio-beat.yaml @@ -41,11 +41,6 @@ spec: protocol: TCP resources: {{- toYaml .Values.studioBeat.resources | nindent 12 }} - env: - - name: "NO_MIGRATE_DB" - value: "1" - - name: "WAIT_FOR_MIGRATIONS" - value: "1" envFrom: - configMapRef: name: studio diff --git a/charts/studio/templates/deployment-studio-worker.yaml b/charts/studio/templates/deployment-studio-worker.yaml index cccbfc2b..89cee4d3 100644 
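Review bot: Putting `NO_MIGRATE_DB: "1"` and `WAIT_FOR_MIGRATIONS: "1"` into the shared ConfigMap also applies them to studio-backend, which until now had no such flags and presumably ran migrations itself; from this version the only thing that migrates the schema is the `post-install`/`pre-upgrade` hook Job, which never runs under `helm template | kubectl apply`, `--no-hooks`, or GitOps tooling that ignores Helm hooks. That is a reasonable design, but it is a behaviour change that should be stated where operators will see it, e.g. a comment in values.yaml above `postgres:` such as `# Schema migrations run only in the studio-database-migration hook Job (job_db_migration.yaml); pods start with NO_MIGRATE_DB=1 and WAIT_FOR_MIGRATIONS=1.` Whether a pod with `WAIT_FOR_MIGRATIONS=1` blocks indefinitely when no migration ever runs is something I cannot tell from the chart — worth documenting if so.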
--- a/charts/studio/templates/deployment-studio-worker.yaml +++ b/charts/studio/templates/deployment-studio-worker.yaml @@ -41,11 +41,6 @@ spec: protocol: TCP resources: {{- toYaml .Values.studioWorker.resources | nindent 12 }} - env: - - name: "NO_MIGRATE_DB" - value: "1" - - name: "WAIT_FOR_MIGRATIONS" - value: "1" envFrom: - configMapRef: name: studio diff --git a/charts/studio/templates/job_db_migration.yaml b/charts/studio/templates/job_db_migration.yaml new file mode 100644 index 00000000..47f0b1b1 --- /dev/null +++ b/charts/studio/templates/job_db_migration.yaml 
@@ -0,0 +1,54 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: studio-database-migration + labels: + {{- include "studio-backend.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-rollback,pre-upgrade,post-install + "helm.sh/hook-weight": "10" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + annotations: + {{- with .Values.studioBackend.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "studio-backend.selectorLabels" . | nindent 8 }} + spec: + restartPolicy: OnFailure + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "studio.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.studioBackend.podSecurityContext | nindent 8 }} + containers: + - name: studio-backend + securityContext: + {{- toYaml .Values.studioBackend.securityContext | nindent 12 }} + image: "{{ .Values.studioBackend.image.repository }}:{{ .Values.studioBackend.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.studioBackend.image.pullPolicy }} + command: [ "/usr/local/bin/python" ] + args: [ "manage.py", "migrate", "--noinput" ] + resources: + {{- toYaml .Values.studioBackend.resources | nindent 12 }} + envFrom: + - secretRef: + name: studio-migration-job + {{- with .Values.studioBackend.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.studioBackend.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.studioBackend.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + diff --git a/charts/studio/templates/secret-migration-job.yaml b/charts/studio/templates/secret-migration-job.yaml new file mode 100644 index 00000000..fd168752 --- /dev/null +++ b/charts/studio/templates/secret-migration-job.yaml 
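Review bot: The Job's only env source is `secretRef: studio-migration-job`, yet that Secret (`secret-migration-job.yaml`) is a regular release resource with no hook annotation, while the Job runs as `pre-upgrade`/`pre-rollback`, i.e. before the release's manifests are applied. On the first upgrade from a chart version without that Secret the hook pod fails with CreateContainerConfigError and the upgrade times out; on later upgrades the migration runs against the previous release's `DATABASE_URL`. Give the Secret matching hook annotations with a lower weight — `"helm.sh/hook": pre-rollback,pre-upgrade,post-install` and `"helm.sh/hook-weight": "0"` — so it is (re)created before the Job. With `hook-delete-policy: hook-succeeded` alone a failed `studio-database-migration` Job is left behind and, as far as I recall Helm 3 behaviour, the next hook run fails with an already-exists error unless `before-hook-creation` is added to the policy. The Job also omits the `studio-ca-certificates` volume the other pods mount under `global.customCaCert`, which matters if PostgreSQL is reached over TLS with a private CA.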
@@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: studio-migration-job +data: + DATABASE_URL: "psql://{{ .Values.global.postgres.databaseUser}}:{{ .Values.global.postgres.databasePassword }}@{{ .Values.global.postgres.databaseUrl }}"
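Review bot: `data:` with a plain `DATABASE_URL: "psql://…"` value is invalid — the `data` field of a Secret must hold base64, and the API server rejects this manifest with an `illegal base64 data` error; use `stringData:` as `secret-studio.yaml` does, or pipe the value through `b64enc`. The Secret also has no `labels` (`{{- include "studio.labels" . | nindent 4 }}`) and no hook annotation, although its only consumer is the `pre-upgrade` hook Job, so nothing guarantees it exists or is current when that Job runs. Since this duplicates the `DATABASE_URL` built in the `studio` Secret, it inherits the same unencoded `databasePassword` interpolation; keep the two definitions in sync (a shared helper in `_helpers.tpl` would avoid drift).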