diff --git a/charts/exivity/templates/_config.tpl b/charts/exivity/templates/_config.tpl deleted file mode 100644 index d0d02f51..00000000 --- a/charts/exivity/templates/_config.tpl +++ /dev/null 
@@ -1,71 +0,0 @@ -{{/* -# Generate a configmap to be mounted into any container using Merlin to run -# part of the applications. Takes a dict as an arg; -# Pass the raw helm `.Values`, -# for the benefit of Merlin the following three entries can also be passed: -# `appname`, `path` to the executable, and `queue` to sub on. -# -# E.g. -# {{- include "exivity.config" (dict "appname" "edify" "path" "/bin/edify" "queue" "REPORT") }} -*/}} -{{- define "exivity.config" }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "exivity.fullname" $ -}}-config-{{- $.data.appname | default "shared" }} - labels: - app.kubernetes.io/component: {{ $.data.appname | default "shared" }} - {{- include "exivity.labels" $ | indent 4 }} -data: - config.json: |- - { - "db": { - "driver": "postgres", - "parameters": { - "host": {{ $.Values.postgresql.host | default (printf "%s-postgresql" (include "exivity.fullname" $ )) | quote }}, - "port": {{ $.Values.postgresql.port | default 5432 }}, - "sslmode": {{ $.Values.postgresql.sslmode | default "disable" | quote }}, - "dbname": {{ $.Values.postgresql.global.postgresql.auth.database | quote }}, - "user": {{ $.Values.postgresql.global.postgresql.auth.username | quote }}, - "password": {{ $.Values.postgresql.global.postgresql.auth.password | quote }}, - "connect_timeout": 10 - } - }, - "mq": { - "servers": [ - { - "host": {{ if $.Values.rabbitmq.host }}{{ $.Values.rabbitmq.host | quote }}{{ else if $.Values.rabbitmq.nameOverride }}{{ printf "%s-%s" (include "exivity.fullname" $) $.Values.rabbitmq.nameOverride | quote }}{{ else }}{{ printf "%s-rabbitmq" (include "exivity.fullname" $) | quote }}{{ end }}, - "port": {{ $.Values.rabbitmq.port | default 5672 }}, - "secure": {{ $.Values.rabbitmq.secure | default false }} - } - ], - "user": {{ $.Values.rabbitmq.auth.username | quote }}, - "password": {{ $.Values.rabbitmq.auth.password | quote }}, - "vhost": {{ $.Values.rabbitmq.vhost | default "/" | quote }}, - "redialPeriod": 5 - }, - 
"chronos": { - "TTL": 60 - }, - "griffon": { - "TTL": 10 - {{ if $.data.appname }} - }, - "merlin": { - "reservedCPU": 0, - "programs": { - "{{ $.data.appname }}": { - "component": "{{ $.data.appname }}", - "path": "{{ $.data.path }}", - "queue": "{{ $.data.queue}}", - "CPU": 0, - {{- if eq $.data.appname "use" }} - "params": "${params}", - {{- end }} - "RAM": 0 - } - } - {{ end }} - } - } -{{- end }} diff --git a/charts/exivity/templates/_init_config.tpl b/charts/exivity/templates/_init_config.tpl new file mode 100644 index 00000000..18c6cecf --- /dev/null +++ b/charts/exivity/templates/_init_config.tpl 
@@ -0,0 +1,88 @@ +{{- define "exivity.initConfigContainer" -}} +{{- $appname := .appname -}} +{{- $path := .path -}} +{{- $queue := .queue -}} +- name: generate-config + image: linuxserver/yq:latest + command: ["/bin/sh"] + args: ["/scripts/generate-config.sh"] + env: + {{- if $appname }} + - name: APPNAME + value: "{{ $appname }}" + - name: PATH_VAR + value: "{{ $path }}" + - name: QUEUE + value: "{{ $queue }}" + {{- end }} + volumeMounts: + - name: config-generated + mountPath: /exivity/home/system + - name: config-generator-script + mountPath: /scripts + readOnly: true + - name: postgres-config + mountPath: /config/postgres + readOnly: true + - name: postgres-secret + mountPath: /secrets/postgres + readOnly: true + - name: rabbitmq-config + mountPath: /config/rabbitmq + readOnly: true + - name: rabbitmq-secret + mountPath: /secrets/rabbitmq + readOnly: true +{{- end }} + +{{- define "exivity.configGeneratedVolume" -}} +- name: config-generated + emptyDir: {} +- name: config-generator-script + configMap: + name: {{ printf "%s-config-generator" (include "exivity.fullname" .) }} + defaultMode: 0755 +- name: postgres-config + configMap: + name: {{ printf "%s-postgres-config" (include "exivity.fullname" .) }} +- name: postgres-secret + secret: + secretName: {{ printf "%s-postgres-secret" (include "exivity.fullname" .) }} +- name: rabbitmq-config + configMap: + name: {{ printf "%s-rabbitmq-config" (include "exivity.fullname" .) }} +- name: rabbitmq-secret + secret: + secretName: {{ printf "%s-rabbitmq-secret" (include "exivity.fullname" .) 
}} +{{- end }} + +{{- define "exivity.configGeneratedVolumeMount" -}} +- name: config-generated + mountPath: /exivity/home/system/config.json + subPath: config.json +{{- end }} + +{{- define "exivity.initPigeonConfigContainer" -}} +- name: generate-config + image: linuxserver/yq:latest + command: ["/bin/sh"] + args: ["/scripts/generate-pigeon-config.sh"] + volumeMounts: + - name: config-generated + mountPath: /exivity/home/system + - name: config-generator-script + mountPath: /scripts + readOnly: true + - name: postgres-config + mountPath: /config/postgres + readOnly: true + - name: postgres-secret + mountPath: /secrets/postgres + readOnly: true + - name: rabbitmq-config + mountPath: /config/rabbitmq + readOnly: true + - name: rabbitmq-secret + mountPath: /secrets/rabbitmq + readOnly: true +{{- end }} diff --git a/charts/exivity/templates/_secret.tpl b/charts/exivity/templates/_secret.tpl new file mode 100644 index 00000000..d4ec3ee9 --- /dev/null +++ b/charts/exivity/templates/_secret.tpl 
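Review bot: `image: linuxserver/yq:latest` in both `generate-config` init containers is an unpinned, mutable third-party tag for a container that reads the database and broker credentials, so what actually runs is whatever that tag resolves to at pod start; pin it (`image: linuxserver/yq:<pinned-tag>@sha256:<digest>`, placeholder values) and expose it through the chart's values so operators can mirror it. The generated `config.json`, which holds those credentials in plaintext, lands in `config-generated`, a node-disk-backed `emptyDir: {}`; `emptyDir: {medium: Memory}` keeps it off the node filesystem. `exivity.initPigeonConfigContainer` duplicates `exivity.initConfigContainer` except for the script name; a `script` entry in the dict argument would let the first template serve both.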
@@ -0,0 +1,45 @@ +{{/* Check if a value is a secret reference. */}} + +{{- define "exivity.isSecretRef" -}} +{{- if kindIs "map" . -}} + {{- if and .secretName .key -}} +true + {{- end -}} +{{- end -}} +{{- end -}} + +------------------------------------------ + +{{/* If the value is a secretRef, returns the referenced secret name. */}} + +{{- define "exivity.secretRefName" -}} +{{- $value := .value -}} +{{- $defaultName := .defaultName -}} +{{- if kindIs "map" $value -}} + {{- if and $value.secretName $value.key -}} + {{- $value.secretName -}} + {{- else -}} + {{- $defaultName -}} + {{- end -}} +{{- else -}} + {{- $defaultName -}} +{{- end -}} +{{- end -}} + +------------------------------------------ + +{{/* If the value is a secretRef, returns the key. */}} + +{{- define "exivity.secretRefKey" -}} +{{- $value := .value -}} +{{- $defaultKey := .defaultKey -}} +{{- if kindIs "map" $value -}} + {{- if and $value.secretName $value.key -}} + {{- $value.key -}} + {{- else -}} + {{- $defaultKey -}} + {{- end -}} +{{- else -}} + {{- $defaultKey -}} +{{- end -}} +{{- end -}} diff --git a/charts/exivity/templates/chronos/deployment.yaml b/charts/exivity/templates/chronos/deployment.yaml index a178c25c..e7fdc3cf 100644 --- a/charts/exivity/templates/chronos/deployment.yaml +++ b/charts/exivity/templates/chronos/deployment.yaml @@ -16,15 +16,11 @@ spec: labels: app.kubernetes.io/component: chronos {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-shared: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "chronos") | indent 8 }} volumes: - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-shared + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-chronos-config 
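Review bot: The three `------------------------------------------` separator lines sit outside any `{{ }}` action, so they are template text rather than comments; an underscore-prefixed partial discards its output, but stray text in a partial is surprising and they should be `{{/* ---- */}}` or removed. `exivity.isSecretRef` yields the string `true` or an empty string, which is the contract callers in this commit rely on with `not (include ...)`; state it in the header comment, e.g. `{{/* Returns "true" when the value is a map with secretName and key, otherwise an empty string. */}}`. The `"context" $` key that callers pass to `exivity.secretRefName` is not read by the helper.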
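Review bot: Dropping the `checksum/...-config-shared` annotation leaves nothing that ties the pod template to the inputs the new init container reads (`-postgres-config`, `-postgres-secret`, the RabbitMQ ConfigMap and Secret, and the `-config-generator` script), so a `helm upgrade` that changes only a database or broker setting no longer rolls the Deployment and running pods keep their stale generated config. Keep one annotation per input, e.g. `checksum/config-generator: {{ include (print $.Template.BasePath "/config-generator-script.yaml") . | sha256sum }}` and the same for `/postgres-configmap.yaml` and `/postgres-secret.yaml`. The same removal appears in the dummy-data, edify, executor, griffon, horizon, pigeon and proximity-api templates below.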
@@ -32,7 +28,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-chronos-log {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "chronos" "volumes" (list "config" "log")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "" "path" "" "queue" "") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "chronos" "volumes" (list "config" "log")) | nindent 8 }} containers: - name: chronos image: {{ include "exivity.image" (set $ "name" "chronos") }} @@ -47,8 +45,7 @@ spec: volumeMounts: - name: config mountPath: /exivity/home/system/config - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: log mountPath: /exivity/home/log/chronos {{- include "exivity.probes" $ | indent 10}} diff --git a/charts/exivity/templates/config-generator-script.yaml b/charts/exivity/templates/config-generator-script.yaml new file mode 100644 index 00000000..1ed48c3a --- /dev/null +++ b/charts/exivity/templates/config-generator-script.yaml 
@@ -0,0 +1,205 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "exivity.fullname" . }}-config-generator + labels: + app.kubernetes.io/component: config-generator + {{- include "exivity.labels" . | nindent 4 }} +data: + generate-config.sh: | + #!/bin/sh + set -e + + # Export all config values from mounted configmap and secret files + export DB_HOST=$(cat /config/postgres/POSTGRES_HOST) + export DB_PORT=$(cat /config/postgres/POSTGRES_PORT) + export DB_SSLMODE=$(cat /config/postgres/POSTGRES_SSLMODE) + export DB_NAME=$(cat /config/postgres/POSTGRES_DB) + export DB_USER=$(cat /config/postgres/POSTGRES_USER) + export DB_PASSWORD=$(cat /secrets/postgres/POSTGRES_PASSWORD) + export MQ_HOST=$(cat /config/rabbitmq/RABBITMQ_HOST) + export MQ_PORT=$(cat /config/rabbitmq/RABBITMQ_PORT) + export MQ_SECURE=$(cat /config/rabbitmq/RABBITMQ_SECURE) + export MQ_VHOST=$(cat /config/rabbitmq/RABBITMQ_VHOST) + export MQ_USER=$(cat /secrets/rabbitmq/RABBITMQ_USERNAME) + export MQ_PASSWORD=$(cat /secrets/rabbitmq/RABBITMQ_PASSWORD) + + # Build base config from exported env vars + jq -n \ + --arg db_host "$DB_HOST" \ + --arg db_port "$DB_PORT" \ + --arg db_sslmode "$DB_SSLMODE" \ + --arg db_name "$DB_NAME" \ + --arg db_user "$DB_USER" \ + --arg db_pass "$DB_PASSWORD" \ + --arg mq_host "$MQ_HOST" \ + --arg mq_port "$MQ_PORT" \ + --arg mq_secure "$MQ_SECURE" \ + --arg mq_vhost "$MQ_VHOST" \ + --arg mq_user "$MQ_USER" \ + --arg mq_pass "$MQ_PASSWORD" \ + '{ + db: { + driver: "postgres", + parameters: { + host: $db_host, + port: ($db_port | tonumber), + sslmode: $db_sslmode, + dbname: $db_name, + user: $db_user, + password: $db_pass, + connect_timeout: 10 + } + }, + mq: { + servers: [{ + host: $mq_host, + port: ($mq_port | tonumber), + secure: ($mq_secure == "true") + }], + user: $mq_user, + password: $mq_pass, + vhost: $mq_vhost, + redialPeriod: 5 + }, + chronos: { + TTL: 60 + }, + griffon: { + TTL: 10 + } + }' > /tmp/base-config.json + + # Add merlin configuration if 
parameters provided + if [ -n "$APPNAME" ]; then + if [ "$APPNAME" = "use" ]; then + jq --arg appname "$APPNAME" \ + --arg path "$PATH_VAR" \ + --arg queue "$QUEUE" \ + '.merlin = { + reservedCPU: 0, + programs: { + ($appname): { + component: $appname, + path: $path, + queue: $queue, + CPU: 0, + params: "${params}", + RAM: 0 + } + } + }' /tmp/base-config.json > /exivity/home/system/config.json + else + jq --arg appname "$APPNAME" \ + --arg path "$PATH_VAR" \ + --arg queue "$QUEUE" \ + '.merlin = { + reservedCPU: 0, + programs: { + ($appname): { + component: $appname, + path: $path, + queue: $queue, + CPU: 0, + RAM: 0 + } + } + }' /tmp/base-config.json > /exivity/home/system/config.json + fi + else + mv /tmp/base-config.json /exivity/home/system/config.json + fi + + generate-pigeon-config.sh: | + #!/bin/sh + set -e + + # Export all config values from mounted configmap and secret files + export DB_HOST=$(cat /config/postgres/POSTGRES_HOST) + export DB_PORT=$(cat /config/postgres/POSTGRES_PORT) + export DB_SSLMODE=$(cat /config/postgres/POSTGRES_SSLMODE) + export DB_NAME=$(cat /config/postgres/POSTGRES_DB) + export DB_USER=$(cat /config/postgres/POSTGRES_USER) + export DB_PASSWORD=$(cat /secrets/postgres/POSTGRES_PASSWORD) + export MQ_HOST=$(cat /config/rabbitmq/RABBITMQ_HOST) + export MQ_PORT=$(cat /config/rabbitmq/RABBITMQ_PORT) + export MQ_SECURE=$(cat /config/rabbitmq/RABBITMQ_SECURE) + export MQ_VHOST=$(cat /config/rabbitmq/RABBITMQ_VHOST) + export MQ_USER=$(cat /secrets/rabbitmq/RABBITMQ_USERNAME) + export MQ_PASSWORD=$(cat /secrets/rabbitmq/RABBITMQ_PASSWORD) + + # Build pigeon config from exported env vars + jq -n \ + --arg db_host "$DB_HOST" \ + --arg db_port "$DB_PORT" \ + --arg db_sslmode "$DB_SSLMODE" \ + --arg db_name "$DB_NAME" \ + --arg db_user "$DB_USER" \ + --arg db_pass "$DB_PASSWORD" \ + --arg mq_host "$MQ_HOST" \ + --arg mq_port "$MQ_PORT" \ + --arg mq_secure "$MQ_SECURE" \ + --arg mq_vhost "$MQ_VHOST" \ + --arg mq_user "$MQ_USER" \ + --arg mq_pass 
"$MQ_PASSWORD" \ + '{ + db: { + driver: "postgres", + parameters: { + host: $db_host, + port: ($db_port | tonumber), + sslmode: $db_sslmode, + dbname: $db_name, + user: $db_user, + password: $db_pass, + connect_timeout: 10 + } + }, + mq: { + servers: [{ + host: $mq_host, + port: ($mq_port | tonumber), + secure: ($mq_secure == "true") + }], + user: $mq_user, + password: $mq_pass, + vhost: $mq_vhost, + redialPeriod: 5 + }, + chronos: { + TTL: 60 + }, + griffon: { + TTL: 10 + }, + merlin: { + reservedCPU: 1, + heartbeatPeriod: 5, + programs: { + pigeon: { + path: "/usr/bin/php", + queue: "PIGEON", + CPU: 0, + RAM: 0 + }, + workflow_ended: { + component: "pigeon", + path: "/usr/bin/php", + queue: "WORKFLOW_EVENT", + topic: "evt.workflow_status.griffon.#", + params: "common/pigeon/pigeon.phar event:post workflow_ended ${payload}", + CPU: 0.25, + RAM: 250 + }, + report_published: { + component: "pigeon", + path: "/usr/bin/php", + queue: "REPORT_PUBLISHED", + topic: "evt.report_published.proximity.#", + params: "common/pigeon/pigeon.phar event:post report_published ${payload}", + CPU: 0.25, + RAM: 250 + } + } + } + }' > /exivity/home/system/config.json diff --git a/charts/exivity/templates/configmap.yaml b/charts/exivity/templates/configmap.yaml deleted file mode 100644 index bf07d404..00000000 --- a/charts/exivity/templates/configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict nil nil)) }} diff --git a/charts/exivity/templates/dummy-data/job.yaml b/charts/exivity/templates/dummy-data/job.yaml index bbe0927c..76815c7f 100644 --- a/charts/exivity/templates/dummy-data/job.yaml +++ b/charts/exivity/templates/dummy-data/job.yaml 
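Review bot: `export DB_HOST=$(cat /config/postgres/POSTGRES_HOST)` and the other eleven `export VAR=$(cat …)` lines in both scripts defeat `set -e`: the exit status of `cat` is replaced by that of `export`, so a missing or unreadable file (for instance `POSTGRES_USER`, which the ConfigMap omits when the username is a secretRef) produces a `config.json` with empty fields instead of a failed init container. Assign and export separately, `DB_HOST=$(cat /config/postgres/POSTGRES_HOST); export DB_HOST`, or add `set -u` and check the files exist before reading them. Passing the passwords as `--arg db_pass "$DB_PASSWORD"` puts them on jq's command line, where they are readable from the process list; since the variables are already exported, `$ENV.DB_PASSWORD` inside the jq program reads them without that exposure. The base-config jq program is duplicated verbatim between `generate-config.sh` and `generate-pigeon-config.sh`, and the `use` branch differs from the other only by the `params` entry, which `if $appname == "use" then … end` could express in a single program.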
@@ -18,11 +18,31 @@ spec: labels: app.kubernetes.io/component: dummy-data {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-shared: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "dummyData") | indent 8 }} + volumes: + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} + - name: preset-file + configMap: + name: {{ include "exivity.fullname" $ -}}-dummy-data-preset + - name: config + persistentVolumeClaim: + claimName: {{ include "exivity.fullname" $ -}}-etl-config + - name: import + persistentVolumeClaim: + claimName: {{ include "exivity.fullname" $ -}}-import + - name: report + persistentVolumeClaim: + claimName: {{ include "exivity.fullname" $ -}}-report + - name: exported + persistentVolumeClaim: + claimName: {{ include "exivity.fullname" $ -}}-exported + - name: extracted + persistentVolumeClaim: + claimName: {{ include "exivity.fullname" $ -}}-extracted + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "" "path" "" "queue" "") | nindent 8 }} containers: - name: dummy-data image: {{ include "exivity.image" (set $ "name" "dummyData") }} @@ -37,10 +57,9 @@ spec: resources: {{- toYaml .Values.service.dummyData.resources | nindent 12 }} volumeMounts: + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: config mountPath: /exivity/home/system/config - - name: config-file - mountPath: /exivity/home/system - name: exported mountPath: /exivity/home/exported - name: extracted 
@@ -51,28 +70,6 @@ spec: mountPath: /exivity/home/system/report - name: preset-file mountPath: /exivity/home/system/preset - volumes: - - name: preset-file - configMap: - name: {{ include "exivity.fullname" $ -}}-dummy-data-preset - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-shared - - name: config - persistentVolumeClaim: - claimName: {{ include "exivity.fullname" $ -}}-etl-config - - name: import - persistentVolumeClaim: - claimName: {{ include "exivity.fullname" $ -}}-import - - name: report - persistentVolumeClaim: - claimName: {{ include "exivity.fullname" $ -}}-report - - name: exported - persistentVolumeClaim: - claimName: {{ include "exivity.fullname" $ -}}-exported - - name: extracted - persistentVolumeClaim: - claimName: {{ include "exivity.fullname" $ -}}-extracted restartPolicy: Never {{- with .Values.service.pullSecrets }} imagePullSecrets: diff --git a/charts/exivity/templates/edify/configmap.yaml b/charts/exivity/templates/edify/configmap.yaml deleted file mode 100644 index 259ec9d5..00000000 --- a/charts/exivity/templates/edify/configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict "appname" "edify" "path" "/exivity/program/bin/edify" "queue" "REPORT")) }} diff --git a/charts/exivity/templates/edify/deployment.yaml b/charts/exivity/templates/edify/deployment.yaml index 70a1cdea..5a8d0c16 100644 --- a/charts/exivity/templates/edify/deployment.yaml +++ b/charts/exivity/templates/edify/deployment.yaml 
@@ -17,22 +17,19 @@ spec: app.kubernetes.io/component: edify {{- include "exivity.labels" $ | indent 8 }} annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-edify: {{ include (print $.Template.BasePath "/edify/configmap.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-licence-pub: {{ include (print $.Template.BasePath "/proximity/api.configmap.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-licence-key: {{ include (print $.Template.BasePath "/proximity/api.secret.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "edify") | indent 8 }} volumes: - - name: config-file - projected: - sources: - - configMap: - name: {{ include "exivity.fullname" $ -}}-config-edify - - configMap: - name: {{ include "exivity.fullname" $ -}}-licence-pub - - secret: - name: {{ include "exivity.fullname" $ -}}-licence-key + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} + - name: licence-pub + configMap: + name: {{ include "exivity.fullname" $ -}}-licence-pub + - name: licence-key + secret: + secretName: {{ include "exivity.secretRefName" (dict "value" $.Values.licence "defaultName" (printf "%s-licence-key" (include "exivity.fullname" $)) "context" $) }} - name: config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-etl-config 
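Review bot: The `licence-key` volume resolves its Secret name through `exivity.secretRefName`, but the mount added in the next hunk hardcodes `subPath: license.key`, so a user-supplied `licence` secretRef whose `key` is anything else mounts nothing, and `exivity.secretRefKey` (defined in this commit) is never consulted; select the key explicitly with `items:` / `- key: {{ include "exivity.secretRefKey" (dict "value" $.Values.licence "defaultKey" "license.key") }}` / `path: license.key`. Note that `subPath` mounts are not refreshed when the Secret changes, so a rotated licence key needs a pod restart. The same pattern appears in proximity/api.deployment.yaml at the end of this diff.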
@@ -46,7 +43,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-report {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "edify" "volumes" (list "config" "extracted" "log" "report")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "edify" "path" "/exivity/program/bin/edify" "queue" "REPORT") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "edify" "volumes" (list "config" "extracted" "log" "report")) | nindent 8 }} containers: - name: edify image: {{ include "exivity.image" (set $ "name" "edify") }} @@ -65,8 +64,13 @@ spec: volumeMounts: - name: config mountPath: /exivity/home/system/config - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} + - name: licence-pub + mountPath: /exivity/home/system/license.pub + subPath: license.pub + - name: licence-key + mountPath: /exivity/home/system/license.key + subPath: license.key - name: extracted mountPath: /exivity/home/system/extracted - name: log diff --git a/charts/exivity/templates/executor/configmap.yaml b/charts/exivity/templates/executor/configmap.yaml deleted file mode 100644 index c7ea87eb..00000000 --- a/charts/exivity/templates/executor/configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict "root" $ "appname" "executor" "path" "${program}" "queue" "EXECUTE")) }} diff --git a/charts/exivity/templates/executor/deployment.yaml b/charts/exivity/templates/executor/deployment.yaml index 36a70f32..b8247cc7 100644 --- a/charts/exivity/templates/executor/deployment.yaml +++ b/charts/exivity/templates/executor/deployment.yaml 
@@ -16,15 +16,11 @@ spec: labels: app.kubernetes.io/component: executor {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-executor: {{ include (print $.Template.BasePath "/executor/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "executor") | indent 8 }} volumes: - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-executor + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-etl-config @@ -44,7 +40,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-executor-log {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "executor" "volumes" (list "config" "import" "report" "exported" "extracted" "log")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "executor" "path" "${program}" "queue" "EXECUTE") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "executor" "volumes" (list "config" "import" "report" "exported" "extracted" "log")) | nindent 8 }} containers: - name: executor image: {{ include "exivity.image" (set $ "name" "executor") }} @@ -59,8 +57,7 @@ spec: volumeMounts: - name: config mountPath: /exivity/home/system/config - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: exported mountPath: /exivity/home/exported - name: extracted diff --git a/charts/exivity/templates/griffon/deployment.yaml b/charts/exivity/templates/griffon/deployment.yaml index 86c5158b..ecf9374b 100644 --- a/charts/exivity/templates/griffon/deployment.yaml +++ b/charts/exivity/templates/griffon/deployment.yaml 
@@ -16,15 +16,11 @@ spec: labels: app.kubernetes.io/component: griffon {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-shared: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "griffon") | indent 8 }} volumes: - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-shared + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-griffon-config @@ -32,7 +28,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-griffon-log {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "griffon" "volumes" (list "config" "log")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "" "path" "" "queue" "") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "griffon" "volumes" (list "config" "log")) | nindent 8 }} containers: - name: griffon image: {{ include "exivity.image" (set $ "name" "griffon") }} @@ -45,8 +43,7 @@ spec: - name: ENABLE_PROMETHEUS value: "{{ .Values.prometheus.metricServer.enabled }}" volumeMounts: - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: config mountPath: /exivity/home/system/config - name: log diff --git a/charts/exivity/templates/horizon/configmap.yaml b/charts/exivity/templates/horizon/configmap.yaml deleted file mode 100644 index cdb3f178..00000000 --- a/charts/exivity/templates/horizon/configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict "appname" "horizon" "path" "/exivity/program/bin/horizon" "queue" "BUDGET")) }} 
diff --git a/charts/exivity/templates/horizon/deployment.yaml b/charts/exivity/templates/horizon/deployment.yaml index b9828dea..5314cc21 100644 --- a/charts/exivity/templates/horizon/deployment.yaml +++ b/charts/exivity/templates/horizon/deployment.yaml @@ -16,20 +16,18 @@ spec: labels: app.kubernetes.io/component: horizon {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-horizon: {{ include (print $.Template.BasePath "/horizon/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "horizon") | indent 8 }} volumes: - - name: config - configMap: - name: {{ include "exivity.fullname" $ -}}-config-horizon + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: log persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-horizon-log {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "horizon" "volumes" (list "log")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "horizon" "path" "/exivity/program/bin/horizon" "queue" "BUDGET") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "horizon" "volumes" (list "log")) | nindent 8 }} containers: - name: horizon image: {{ include "exivity.image" (set $ "name" "horizon") }} @@ -42,8 +40,7 @@ spec: - name: ENABLE_PROMETHEUS value: "{{ .Values.prometheus.metricServer.enabled }}" volumeMounts: - - name: config - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: log mountPath: /exivity/home/log/horizon - name: log diff --git a/charts/exivity/templates/pigeon/configmap.yaml b/charts/exivity/templates/pigeon/configmap.yaml deleted file mode 100644 index a8679bf3..00000000 --- a/charts/exivity/templates/pigeon/configmap.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# pigeon listens to multiple MQ topics, so it gets its own config definition for now -# TODO: get some PHP guru to fix it so we don't need merlin here. -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "exivity.fullname" $ -}}-config-pigeon - labels: - app.kubernetes.io/component: pigeon - {{- include "exivity.labels" $ | indent 4 }} -data: - config.json: |- - { - "db": { - "driver": "postgres", - "parameters": { - "host": {{ $.Values.postgresql.host | default (printf "%s-postgresql" (include "exivity.fullname" $ )) | quote }}, - "port": {{ $.Values.postgresql.port | default 5432 }}, - "sslmode": {{ $.Values.postgresql.sslmode | default "disable" | quote }}, - "dbname": {{ $.Values.postgresql.global.postgresql.auth.database | quote }}, - "user": {{ $.Values.postgresql.global.postgresql.auth.username | quote }}, - "password": {{ $.Values.postgresql.global.postgresql.auth.password | quote }}, - "connect_timeout": 10 - } - }, - "mq": { - "servers": [ - { - "host": {{ if $.Values.rabbitmq.host }}{{ $.Values.rabbitmq.host | quote }}{{ else if $.Values.rabbitmq.nameOverride }}{{ printf "%s-%s" (include "exivity.fullname" $) $.Values.rabbitmq.nameOverride | quote }}{{ else }}{{ printf "%s-rabbitmq" (include "exivity.fullname" $) | quote }}{{ end }}, - "port": {{ $.Values.rabbitmq.port | default 5672 }}, - "secure": {{ $.Values.rabbitmq.secure | default false }} - } - ], - "user": {{ $.Values.rabbitmq.auth.username | quote }}, - "password": {{ $.Values.rabbitmq.auth.password | quote }}, - "vhost": {{ $.Values.rabbitmq.vhost | default "/" | quote }}, - "redialPeriod": 5 - }, - "merlin": { - "reservedCPU": 1, - "heartbeatPeriod": 5, - "programs": { - "pigeon": { - "path": "/usr/bin/php", - "queue": "PIGEON", - "CPU": 0, - "RAM": 0 - }, - "workflow_ended": { - "component": "pigeon", - "path": "/usr/bin/php", - "queue": "WORKFLOW_EVENT", - "topic": "evt.workflow_status.griffon.#", - "params": "common/pigeon/pigeon.phar event:post workflow_ended 
`${payload}`", - "CPU": 0.25, - "RAM": 250 - }, - "report_published": { - "component": "pigeon", - "path": "/usr/bin/php", - "queue": "REPORT_PUBLISHED", - "topic": "evt.report_published.proximity.#", - "params": "common/pigeon/pigeon.phar event:post report_published `${payload}`", - "CPU": 0.25, - "RAM": 250 - } - } - } - } diff --git a/charts/exivity/templates/pigeon/deployment.yaml b/charts/exivity/templates/pigeon/deployment.yaml index dfce5989..7c388d15 100644 --- a/charts/exivity/templates/pigeon/deployment.yaml +++ b/charts/exivity/templates/pigeon/deployment.yaml @@ -16,15 +16,11 @@ spec: labels: app.kubernetes.io/component: pigeon {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-pigeon: {{ include (print $.Template.BasePath "/pigeon/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "pigeon") | indent 8 }} volumes: - - name: config - configMap: - name: {{ include "exivity.fullname" $ -}}-config-pigeon + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: log persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-pigeon-log @@ -38,7 +34,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-etl-config {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "pigeon" "volumes" (list "log" "exported" "import" "config-volume")) | nindent 6 }} + initContainers: + {{- include "exivity.initPigeonConfigContainer" . | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "pigeon" "volumes" (list "log" "exported" "import" "config-volume")) | nindent 8 }} containers: - name: pigeon image: {{ include "exivity.image" (set $ "name" "pigeon") }} 
@@ -46,8 +44,7 @@ spec: resources: {{- toYaml .Values.service.pigeon.resources | nindent 12 }} volumeMounts: - - name: config - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: log mountPath: /exivity/home/log/pigeon - name: log @@ -60,7 +57,7 @@ spec: mountPath: /exivity/home/system/config envFrom: - secretRef: - name: {{ include "exivity.fullname" $ -}}-app-key + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.appKey "defaultName" (printf "%s-app-key" (include "exivity.fullname" $)) "context" $) }} env: - name: EXIVITY_BACKEND_LOG_LEVEL value: "{{ .Values.logLevel.backend }}" diff --git a/charts/exivity/templates/postgres-configmap.yaml b/charts/exivity/templates/postgres-configmap.yaml index d3f255dc..8b2afe15 100644 --- a/charts/exivity/templates/postgres-configmap.yaml +++ b/charts/exivity/templates/postgres-configmap.yaml @@ -9,5 +9,7 @@ data: POSTGRES_HOST: {{ .Values.postgresql.host | default (printf "%s-postgresql" (include "exivity.fullname" . )) | quote }} POSTGRES_PORT: {{ .Values.postgresql.port | quote }} POSTGRES_DB: {{ .Values.postgresql.global.postgresql.auth.database | quote }} + {{- if not (include "exivity.isSecretRef" .Values.postgresql.global.postgresql.auth.username) }} POSTGRES_USER: {{ .Values.postgresql.global.postgresql.auth.username | quote }} + {{- end }} POSTGRES_SSLMODE: {{ .Values.postgresql.sslmode | default "disable" | quote }} diff --git a/charts/exivity/templates/postgres-secret.yaml b/charts/exivity/templates/postgres-secret.yaml index 7ea09359..43812087 100644 --- a/charts/exivity/templates/postgres-secret.yaml +++ b/charts/exivity/templates/postgres-secret.yaml 
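Review bot: `envFrom: - secretRef:` imports every key of the referenced Secret under its own name, so when `$.Values.secret.appKey` is a user-supplied secretRef the variable the application reads depends on how the operator named the key, and `exivity.secretRefKey` is again unused; an explicit `env:` entry with `valueFrom: secretKeyRef: name: …, key: {{ include "exivity.secretRefKey" (dict "value" $.Values.secret.appKey "defaultKey" "<expected-key>") }}` (placeholder for the key the chart's own `-app-key` Secret uses) pins both name and key. The enclosing container spec continues beyond the hunk.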
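Review bot: Omitting `POSTGRES_USER` from the ConfigMap when the username is a secretRef breaks the new generator: `generate-config.sh` still reads `/config/postgres/POSTGRES_USER`, and `exivity.initConfigContainer` mounts only the chart's own `-postgres-config` and `-postgres-secret`, never the Secret the secretRef points at. The password has the same gap (the chart's Secret drops `POSTGRES_PASSWORD` when it is a secretRef), and when both are secretRefs `postgres-secret.yaml` in the next hunk renders nothing at all, so the `postgres-secret` volume references a missing Secret and the pod never starts. A workable shape is for `exivity.configGeneratedVolume` to mount the referenced Secret with `items:` mapping `exivity.secretRefKey` onto the `POSTGRES_USER` / `POSTGRES_PASSWORD` paths the script expects; the same applies to the RabbitMQ credentials if they can be secretRefs.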
@@ -1,3 +1,6 @@ +{{- $passwordIsSecretRef := include "exivity.isSecretRef" .Values.postgresql.global.postgresql.auth.password -}} +{{- $usernameIsSecretRef := include "exivity.isSecretRef" .Values.postgresql.global.postgresql.auth.username -}} +{{- if or (not $passwordIsSecretRef) (not $usernameIsSecretRef) }} apiVersion: v1 kind: Secret metadata: @@ -7,4 +10,10 @@ metadata: {{- include "exivity.labels" . | nindent 4 }} type: Opaque data: + {{- if not $passwordIsSecretRef }} POSTGRES_PASSWORD: {{ .Values.postgresql.global.postgresql.auth.password | b64enc | quote }} + {{- end }} + {{- if not $usernameIsSecretRef }} + POSTGRES_USER: {{ .Values.postgresql.global.postgresql.auth.username | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/exivity/templates/proximity/api.deployment.yaml b/charts/exivity/templates/proximity/api.deployment.yaml index 732133b1..c69b7aeb 100644 --- a/charts/exivity/templates/proximity/api.deployment.yaml +++ b/charts/exivity/templates/proximity/api.deployment.yaml @@ -17,7 +17,6 @@ spec: app.kubernetes.io/component: proximity-api {{- include "exivity.labels" $ | indent 8 }} annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-shared: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-licence-pub: {{ include (print $.Template.BasePath "/proximity/api.configmap.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-licence-key: {{ include (print $.Template.BasePath "/proximity/api.secret.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-lock: {{ include (print $.Template.BasePath "/proximity/api.configmap.yaml") . | sha256sum }} 
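Review bot: `POSTGRES_USER` is now rendered into this Secret in the `@@ -7,4 +10,10` hunk and, when the username is a direct value, still into the ConfigMap in postgres-configmap.yaml, so the same value lives in two objects and a consumer that reads both via `configMapRef` and `secretRef` receives it twice. If the intent is that the generated-config init container takes the user from the Secret, drop it from the ConfigMap; otherwise drop it here. Note also that when exactly one of username/password is a secret reference this Secret is rendered with a single key, which any `envFrom` consumer outside this diff must tolerate; the rabbitmq Secret added in secret.yaml has the same shape.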
@@ -30,15 +29,13 @@ spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "proximityApi") | indent 8 }} volumes: - - name: projected - projected: - sources: - - configMap: - name: {{ include "exivity.fullname" $ -}}-config-shared - - configMap: - name: {{ include "exivity.fullname" $ -}}-licence-pub - - secret: - name: {{ include "exivity.fullname" $ -}}-licence-key + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} + - name: licence-pub + configMap: + name: {{ include "exivity.fullname" $ -}}-licence-pub + - name: licence-key + secret: + secretName: {{ include "exivity.secretRefName" (dict "value" $.Values.licence "defaultName" (printf "%s-licence-key" (include "exivity.fullname" $)) "context" $) }} - name: exivity-lock configMap: name: {{ include "exivity.fullname" $ -}}-lock 
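Review bot: The `licence-key` volume in this hunk takes the user's Secret name from `exivity.secretRefName`, but the mount added in the `@@ -102,8` hunk of the same file hard-codes `subPath: license.key`, while the `EXIVITY_LICENSE_KEY` env entry resolves the key through `exivity.secretRefKey`. A reference such as the schema example `{secretName: "exivity-secrets", key: "LICENCE"}` therefore works for the env var but leaves the volume mount pointing at a `license.key` item that does not exist in the user's Secret. Add an `items` projection so the file name is stable regardless of the user's key: `items:` / `- key: {{ include "exivity.secretRefKey" (dict "value" $.Values.licence "defaultKey" "license.key" "context" $) }}` / `path: license.key`. Separately, `licence-pub` and `licence-key` are now mounted with `subPath`, which Kubernetes does not refresh in place, so a rotated licence now needs a pod restart where the previous projected volume picked it up automatically; a comment on the mount would save the next operator that surprise.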
@@ -84,11 +81,13 @@ spec: {{- if .Values.ldap.tlsCacert }} - name: ldap-tls-cert secret: - secretName: {{ include "exivity.fullname" $ -}}-ldap-tls-cert + secretName: {{ include "exivity.secretRefName" (dict "value" $.Values.ldap.tlsCacert "defaultName" (printf "%s-ldap-tls-cert" (include "exivity.fullname" $)) "context" $) }} defaultMode: 0444 {{- end }} {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "proximityApi" "volumes" (list "log" "log-chronos" "log-edify" "log-griffon" "log-horizon" "log-pigeon" "log-transcript" "log-use" "config" "import" "report" "exported" "extracted")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "" "path" "" "queue" "") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "proximityApi" "volumes" (list "log" "log-chronos" "log-edify" "log-griffon" "log-horizon" "log-pigeon" "log-transcript" "log-use" "config" "import" "report" "exported" "extracted")) | nindent 8 }} containers: - name: proximity-api image: {{ include "exivity.image" (set $ "name" "proximityApi") }} @@ -102,8 +101,13 @@ spec: volumeMounts: - name: config mountPath: /exivity/home/system/config - - name: projected - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} + - name: licence-pub + mountPath: /exivity/home/system/license.pub + subPath: license.pub + - name: licence-key + mountPath: /exivity/home/system/license.key + subPath: license.key - name: exported mountPath: /exivity/home/exported - name: extracted 
@@ -133,20 +137,20 @@ spec: {{- if .Values.ldap.tlsCacert }} - name: ldap-tls-cert mountPath: {{ .Values.ldap.tlsCacertPath }} - subPath: ldap.pem + subPath: {{ include "exivity.secretRefKey" (dict "value" $.Values.ldap.tlsCacert "defaultKey" "ldap.pem" "context" $) }} readOnly: true {{- end }} env: - name: EXIVITY_LICENSE_KEY valueFrom: secretKeyRef: - name: {{ include "exivity.fullname" $ -}}-licence-key - key: license.key + name: {{ include "exivity.secretRefName" (dict "value" $.Values.licence "defaultName" (printf "%s-licence-key" (include "exivity.fullname" $)) "context" $) }} + key: {{ include "exivity.secretRefKey" (dict "value" $.Values.licence "defaultKey" "license.key" "context" $) }} envFrom: - secretRef: - name: {{ include "exivity.fullname" $ -}}-app-key + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.appKey "defaultName" (printf "%s-app-key" (include "exivity.fullname" $)) "context" $) }} - secretRef: - name: {{ include "exivity.fullname" $ -}}-jwt-secret + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.jwtSecret "defaultName" (printf "%s-jwt-secret" (include "exivity.fullname" $)) "context" $) }} - configMapRef: name: {{ include "exivity.fullname" $ -}}-proximity-api-env {{- include "exivity.probes" $ | indent 10}} diff --git a/charts/exivity/templates/proximity/api.secret.yaml b/charts/exivity/templates/proximity/api.secret.yaml index baec085e..ecc0f156 100644 --- a/charts/exivity/templates/proximity/api.secret.yaml +++ b/charts/exivity/templates/proximity/api.secret.yaml @@ -1,3 +1,4 @@ +{{- if not (include "exivity.isSecretRef" .Values.licence) }} apiVersion: v1 kind: Secret metadata: 
@@ -6,15 +7,17 @@ metadata: app.kubernetes.io/component: proximity-api {{- include "exivity.labels" $ | indent 4 }} data: - {{- if (and .Release.IsUpgrade (not .Values.licence)) }} + {{- if .Release.IsUpgrade }} license.key: {{ index (lookup "v1" "Secret" .Release.Namespace (printf "%s-licence-key" (include "exivity.fullname" $))).data "license.key" }} {{- else }} license.key: {{ .Values.licence | required "A licence is required to be set on initial install" | b64enc }} {{- end }} +{{- end }} --- {{- if .Values.ldap.tlsCacert }} +{{- if not (include "exivity.isSecretRef" .Values.ldap.tlsCacert) }} apiVersion: v1 kind: Secret metadata: @@ -29,3 +32,4 @@ metadata: data: ldap.pem: {{ .Values.ldap.tlsCacert | b64enc }} {{- end }} +{{- end }} diff --git a/charts/exivity/templates/proximity/cli.configmap.yaml b/charts/exivity/templates/proximity/cli.configmap.yaml deleted file mode 100644 index b30b6c8a..00000000 --- a/charts/exivity/templates/proximity/cli.configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict "appname" "proximity-cli" "path" "/usr/bin/php" "queue" "PROXIMITY")) }} diff --git a/charts/exivity/templates/proximity/cli.deployment.yaml b/charts/exivity/templates/proximity/cli.deployment.yaml index cf054985..450c3f0f 100644 --- a/charts/exivity/templates/proximity/cli.deployment.yaml +++ b/charts/exivity/templates/proximity/cli.deployment.yaml 
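Review bot: The new `{{- if .Release.IsUpgrade }}` guard in the first hunk makes every upgrade reuse the stored `license.key` via `lookup` and silently ignores a changed `.Values.licence`; the previous `(and .Release.IsUpgrade (not .Values.licence))` only fell back to the existing Secret when no value was supplied (with the schema default now `"demo"` that condition could never be true, which is presumably why it was dropped). `lookup` also returns an empty map when the Secret does not exist — a release that previously used a secret reference and now switches to a direct value, or `helm template`/`--dry-run` — and `index (...).data "license.key"` then fails or renders empty. Bind the lookup result and only use it when it actually has data, and decide explicitly whether an operator-supplied licence should win on upgrade.
```yaml
data:
  {{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-licence-key" (include "exivity.fullname" $)) }}
  {{- if and .Release.IsUpgrade $existing }}
  license.key: {{ index $existing.data "license.key" }}
  {{- else }}
  license.key: {{ .Values.licence | required "A licence is required to be set on initial install" | b64enc }}
  {{- end }}
```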
@@ -17,7 +17,6 @@ spec: app.kubernetes.io/component: proximity-cli {{- include "exivity.labels" $ | indent 8 }} annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-proximity-cli: {{ include (print $.Template.BasePath "/proximity/cli.configmap.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-proximity-cli-env: {{ include (print $.Template.BasePath "/proximity/cli.env.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-config-logfiles: {{ include (print $.Template.BasePath "/logfiles-configmap.yaml") . | sha256sum }} @@ -25,9 +24,7 @@ spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "proximityCli") | indent 8 }} volumes: - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-proximity-cli + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: log persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-proximity-cli-log @@ -47,7 +44,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-exported {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "proximityCli" "volumes" (list "log" "config" "import" "report" "extracted" "exported")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "proximity-cli" "path" "/usr/bin/php" "queue" "PROXIMITY") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "proximityCli" "volumes" (list "log" "config" "import" "report" "extracted" "exported")) | nindent 8 }} containers: - name: proximity-cli image: {{ include "exivity.image" (set $ "name" "proximityCli") }} 
@@ -57,8 +56,7 @@ spec: volumeMounts: - name: config mountPath: /exivity/home/system/config - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: exported mountPath: /exivity/home/system/exported - name: extracted @@ -75,9 +73,9 @@ spec: - configMapRef: name: {{ include "exivity.fullname" $ -}}-proximity-cli-env - secretRef: - name: {{ include "exivity.fullname" $ -}}-app-key + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.appKey "defaultName" (printf "%s-app-key" (include "exivity.fullname" $)) "context" $) }} - secretRef: - name: {{ include "exivity.fullname" $ -}}-jwt-secret + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.jwtSecret "defaultName" (printf "%s-jwt-secret" (include "exivity.fullname" $)) "context" $) }} - configMapRef: name: {{ include "exivity.fullname" $ -}}-config-logfiles {{- include "exivity.probes" $ | indent 10}} diff --git a/charts/exivity/templates/proximity/migrate.yaml b/charts/exivity/templates/proximity/migrate.yaml index 8cacf7d7..fca7c68a 100644 --- a/charts/exivity/templates/proximity/migrate.yaml +++ b/charts/exivity/templates/proximity/migrate.yaml 
@@ -18,19 +18,17 @@ spec: app.kubernetes.io/component: proximity-migration {{- include "exivity.labels" . | indent 8 }} annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-shared: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/{{- include "exivity.fullname" $ -}}-secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "proximityMigrate") | indent 8 }} volumes: - - name: config-shared - configMap: - name: {{ include "exivity.fullname" . }}-config-shared - readOnly: true + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-etl-config + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "" "path" "" "queue" "") | nindent 8 }} containers: - name: proximity-migration image: {{ include "exivity.image" (set $ "name" "proximityMigrate") }} @@ -38,8 +36,7 @@ spec: resources: {{- toYaml .Values.service.proximityMigrate.resources | nindent 12 }} volumeMounts: - - name: config-shared - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: config mountPath: /exivity/home/system/config command: [php] @@ -48,9 +45,7 @@ spec: - exivity:migrate-db envFrom: - secretRef: - name: {{ include "exivity.fullname" . }}-app-key - - secretRef: - name: {{ include "exivity.fullname" $ -}}-jwt-secret + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.jwtSecret "defaultName" (printf "%s-jwt-secret" (include "exivity.fullname" $)) "context" $) }} restartPolicy: Never {{- with .Values.service.pullSecrets }} imagePullSecrets: diff --git a/charts/exivity/templates/rabbitmq-configmap.yaml b/charts/exivity/templates/rabbitmq-configmap.yaml new file mode 100644 index 00000000..5a7491d4 --- /dev/null 
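Review bot: The `@@ -48,9 +45,7` hunk removes the `-app-key` `secretRef` from the migration Job's `envFrom`, leaving only the JWT secret, and nothing in the diff explains why the migration no longer needs `EXIVITY_APP_KEY`. If `exivity:migrate-db` touches data encrypted with the app key this will only surface at runtime against a real database. Either restore the entry in the `exivity.secretRefName` form used for jwt-secret, or add `# migration does not need the app key` above `envFrom:` so the omission reads as intentional.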
+++ b/charts/exivity/templates/rabbitmq-configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "exivity.fullname" . }}-rabbitmq-config + labels: + app.kubernetes.io/component: rabbitmq-config + {{- include "exivity.labels" . | nindent 4 }} +data: + RABBITMQ_HOST: {{ .Values.rabbitmq.host | default (printf "%s-%s" (include "exivity.fullname" .) (.Values.rabbitmq.nameOverride | default "rabbitmq")) | quote }} + RABBITMQ_PORT: {{ .Values.rabbitmq.port | default 5672 | toString | quote }} + RABBITMQ_SECURE: {{ .Values.rabbitmq.secure | default false | toString | quote }} + RABBITMQ_VHOST: {{ .Values.rabbitmq.vhost | default "/" | quote }} diff --git a/charts/exivity/templates/secret.yaml b/charts/exivity/templates/secret.yaml index ee879f8f..0fbda151 100644 --- a/charts/exivity/templates/secret.yaml +++ b/charts/exivity/templates/secret.yaml @@ -1,3 +1,4 @@ +{{- if not (include "exivity.isSecretRef" .Values.secret.appKey) }} apiVersion: v1 kind: Secret metadata: @@ -12,8 +13,10 @@ data: {{- else }} EXIVITY_APP_KEY: {{ randAlphaNum 32 | b64enc }} {{- end }} +{{- end }} --- +{{- if not (include "exivity.isSecretRef" .Values.secret.jwtSecret) }} apiVersion: v1 kind: Secret metadata: 
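Review bot: Gating the chart-managed `-app-key` Secret on `not (include "exivity.isSecretRef" .Values.secret.appKey)` in the secret.yaml `@@ -1,3 +1,4` hunk means that switching an installed release from an empty `appKey` (random value generated at install) to a secret reference makes Helm delete that Secret on upgrade, and with it the only copy of the key that encrypted existing application data unless it was backed up. That is an irreversible path the values.yaml comment should call out, for example `# Switching an installed release to a secret reference deletes the chart-managed Secret; copy the existing EXIVITY_APP_KEY into your own Secret first.` The same applies to the jwt-secret document in the next hunk and to the licence Secret in proximity/api.secret.yaml.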
@@ -28,3 +31,24 @@ data: {{- else }} EXIVITY_JWT_SECRET: {{ randAlphaNum 32 | b64enc }} {{- end }} +{{- end }} + +--- +{{- $rabbitmqUsernameIsSecretRef := include "exivity.isSecretRef" .Values.rabbitmq.auth.username -}} +{{- $rabbitmqPasswordIsSecretRef := include "exivity.isSecretRef" .Values.rabbitmq.auth.password -}} +{{- if or (not $rabbitmqUsernameIsSecretRef) (not $rabbitmqPasswordIsSecretRef) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "exivity.fullname" $ -}}-rabbitmq-secret + labels: + {{- include "exivity.labels" $ | indent 4 }} +type: Opaque +data: + {{- if not $rabbitmqUsernameIsSecretRef }} + RABBITMQ_USERNAME: {{ .Values.rabbitmq.auth.username | b64enc | quote }} + {{- end }} + {{- if not $rabbitmqPasswordIsSecretRef }} + RABBITMQ_PASSWORD: {{ .Values.rabbitmq.auth.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/exivity/templates/transcript/configmap.yaml b/charts/exivity/templates/transcript/configmap.yaml deleted file mode 100644 index 77cb4dc4..00000000 --- a/charts/exivity/templates/transcript/configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict "appname" "transcript" "path" "/exivity/program/bin/transcript" "queue" "TRANSFORM")) }} diff --git a/charts/exivity/templates/transcript/deployment.yaml b/charts/exivity/templates/transcript/deployment.yaml index 2941f5bd..867f8121 100644 --- a/charts/exivity/templates/transcript/deployment.yaml +++ b/charts/exivity/templates/transcript/deployment.yaml 
@@ -16,15 +16,11 @@ spec: labels: app.kubernetes.io/component: transcript {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-transcript: {{ include (print $.Template.BasePath "/transcript/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "transcript") | indent 8 }} volumes: - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-transcript + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-etl-config @@ -44,7 +40,9 @@ spec: persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-report {{- include "exivity.permissionScriptVolume" . | nindent 8 }} - {{- include "exivity.initPermissions" (dict "root" . "component" "transcript" "volumes" (list "config" "exported" "extracted" "import" "log" "report")) | nindent 6 }} + initContainers: + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "transcript" "path" "/exivity/program/bin/transcript" "queue" "TRANSFORM") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "transcript" "volumes" (list "config" "exported" "extracted" "import" "log" "report")) | nindent 8 }} containers: - name: transcript image: {{ include "exivity.image" (set $ "name" "transcript") }} @@ -54,8 +52,7 @@ spec: volumeMounts: - name: config mountPath: /exivity/home/system/config - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: exported mountPath: /exivity/home/exported - name: extracted 
@@ -70,7 +67,7 @@ spec: mountPath: /exivity/home/system/report envFrom: - secretRef: - name: {{ include "exivity.fullname" $ -}}-app-key + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.appKey "defaultName" (printf "%s-app-key" (include "exivity.fullname" $)) "context" $) }} env: - name: EXIVITY_BACKEND_LOG_LEVEL value: "{{ .Values.logLevel.backend }}" diff --git a/charts/exivity/templates/use/configmap.yaml b/charts/exivity/templates/use/configmap.yaml deleted file mode 100644 index 1a86fb7e..00000000 --- a/charts/exivity/templates/use/configmap.yaml +++ /dev/null @@ -1 +0,0 @@ -{{- template "exivity.config" (set $ "data" (dict "appname" "use" "path" "/exivity/program/bin/use" "queue" "EXTRACT")) }} diff --git a/charts/exivity/templates/use/deployment.yaml b/charts/exivity/templates/use/deployment.yaml index b36a7c7b..c896fdd3 100644 --- a/charts/exivity/templates/use/deployment.yaml +++ b/charts/exivity/templates/use/deployment.yaml @@ -16,15 +16,11 @@ spec: labels: app.kubernetes.io/component: use {{- include "exivity.labels" $ | indent 8 }} - annotations: - checksum/{{- include "exivity.fullname" $ -}}-config-use: {{ include (print $.Template.BasePath "/use/configmap.yaml") . | sha256sum }} spec: securityContext: {{- include "exivity.securityContext" (dict "root" . "component" "use") | indent 8 }} volumes: - - name: config-file - configMap: - name: {{ include "exivity.fullname" $ -}}-config-use + {{- include "exivity.configGeneratedVolume" . | nindent 8 }} - name: etl-config persistentVolumeClaim: claimName: {{ include "exivity.fullname" $ -}}-etl-config 
@@ -49,7 +45,8 @@ spec: secretName: {{ include "exivity.fullname" $ -}}-use-certificates {{- end }} initContainers: - {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "use" "volumes" (list "etl-config" "exported" "extracted" "import" "log")) | nindent 8 }} + {{- include "exivity.initConfigContainer" (dict "root" . "appname" "use" "path" "/exivity/program/bin/use" "queue" "EXTRACT") | nindent 8 }} + {{- include "exivity.initPermissionsContainer" (dict "root" . "component" "use" "volumes" (list "etl-config" "exported" "extracted" "import" "log")) | nindent 8 }} {{- if gt (len (default "" .Values.service.use.caCertificates)) 0 }} - name: install-ca-cert image: {{ include "exivity.image" (set $ "name" "use") }} @@ -76,8 +73,7 @@ spec: resources: {{- toYaml .Values.service.use.resources | nindent 12 }} volumeMounts: - - name: config-file - mountPath: /exivity/home/system + {{- include "exivity.configGeneratedVolumeMount" . | nindent 12 }} - name: etl-config mountPath: /exivity/home/system/config - name: exported @@ -96,7 +92,7 @@ spec: {{- end }} envFrom: - secretRef: - name: {{ include "exivity.fullname" $ -}}-app-key + name: {{ include "exivity.secretRefName" (dict "value" $.Values.secret.appKey "defaultName" (printf "%s-app-key" (include "exivity.fullname" $)) "context" $) }} env: - name: RUN_DELAY value: "10" diff --git a/charts/exivity/values.schema.json b/charts/exivity/values.schema.json index dc0972be..91708c60 100644 --- a/charts/exivity/values.schema.json +++ b/charts/exivity/values.schema.json 
@@ -26,10 +26,33 @@ "examples": [""] }, "licence": { - "type": "string", - "default": "", + "oneOf": [ + { + "type": "string", + "title": "Direct licence value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string", + "title": "Name of the Kubernetes secret" + }, + "key": { + "type": "string", + "title": "Key within the secret" + } + } + } + ], + "default": "demo", "title": "The licence Schema", - "examples": ["demo"] + "examples": [ + "demo", + { "secretName": "exivity-secrets", "key": "LICENCE" } + ] }, "secret": { "type": "object", 
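Review bot: The secret-reference object introduced here declares `required` but not `"additionalProperties": false`, so a misspelt or extra field alongside `secretName` and `key` passes validation silently; the same shape recurs in the appKey/jwtSecret, postgresql, rabbitmq and ldap hunks that follow and should be tightened everywhere. For `licence` the string branch also accepts `""`, which is only rejected later by `required` in proximity/api.secret.yaml on a fresh install; `"minLength": 1` on that branch would surface it at `helm lint` time. Adding `"additionalProperties": false` after the `"required"` line in each reference object is a one-line change per block.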
@@ -38,25 +61,73 @@ "required": ["appKey", "jwtSecret"], "properties": { "appKey": { - "type": "string", + "oneOf": [ + { + "type": "string", + "title": "Direct secret value", + "maxLength": 64 + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string", + "title": "Name of the Kubernetes secret" + }, + "key": { + "type": "string", + "title": "Key within the secret" + } + } + } + ], "default": "", "title": "The appKey Schema", "examples": [ - "ieR3rai9aijeghingo9LeaCaipah4lohxiliekaem3chahph0iemeeghai3ohfah" - ], - "maxLength": 64 + "ieR3rai9aijeghingo9LeaCaipah4lohxiliekaem3chahph0iemeeghai3ohfah", + { "secretName": "exivity-secrets", "key": "APP_KEY" } + ] }, "jwtSecret": { - "type": "string", + "oneOf": [ + { + "type": "string", + "title": "Direct secret value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string", + "title": "Name of the Kubernetes secret" + }, + "key": { + "type": "string", + "title": "Key within the secret" + } + } + } + ], "default": "", "title": "The jwtSecret Schema", - "examples": [""] + "examples": [ + "my-jwt-secret-value", + { "secretName": "exivity-secrets", "key": "JWT_SECRET" } + ] } }, "examples": [ { "appKey": "", "jwtSecret": "" + }, + { + "appKey": { "secretName": "exivity-secrets", "key": "APP_KEY" }, + "jwtSecret": { "secretName": "exivity-secrets", "key": "JWT_SECRET" } } ] }, 
@@ -253,16 +324,58 @@ "examples": ["exivity"] }, "username": { - "type": "string", - "default": "", + "oneOf": [ + { + "type": "string", + "title": "Direct username value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string" + }, + "key": { + "type": "string" + } + } + } + ], + "default": "exivity", "title": "The username Schema", - "examples": ["exivity"] + "examples": [ + "exivity", + { "secretName": "db-secret", "key": "USERNAME" } + ] }, "password": { - "type": "string", - "default": "", + "oneOf": [ + { + "type": "string", + "title": "Direct password value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string" + }, + "key": { + "type": "string" + } + } + } + ], + "default": "Password12!", "title": "The password Schema", - "examples": ["Password12!"] + "examples": [ + "Password12!", + { "secretName": "db-secret", "key": "PASSWORD" } + ] }, "postgresPassword": { "type": "string", 
@@ -390,16 +503,62 @@ "required": ["username", "password"], "properties": { "username": { - "type": "string", + "oneOf": [ + { + "type": "string", + "title": "Direct username value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string", + "title": "Name of the Kubernetes secret" + }, + "key": { + "type": "string", + "title": "Key within the secret" + } + } + } + ], "default": "", "title": "The username Schema", - "examples": ["user"] + "examples": [ + "user", + { "secretName": "mq-secret", "key": "USERNAME" } + ] }, "password": { - "type": "string", + "oneOf": [ + { + "type": "string", + "title": "Direct password value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string", + "title": "Name of the Kubernetes secret" + }, + "key": { + "type": "string", + "title": "Key within the secret" + } + } + } + ], "default": "", "title": "The password Schema", - "examples": ["pass"] + "examples": [ + "pass", + { "secretName": "mq-secret", "key": "PASSWORD" } + ] } }, "examples": [ @@ -3732,7 +3891,27 @@ "required": ["tlsCacertPath"], "properties": { "tlsCacert": { - "type": "string", + "oneOf": [ + { + "type": "string", + "title": "Direct certificate value" + }, + { + "type": "object", + "title": "Secret reference", + "required": ["secretName", "key"], + "properties": { + "secretName": { + "type": "string", + "title": "Name of the Kubernetes secret" + }, + "key": { + "type": "string", + "title": "Key within the secret" + } + } + } + ], "title": "LDAP TLS CA Certificate", "description": "PEM-encoded CA certificate for LDAP over TLS connections. Must be provided together with tlsCacertPath." }, diff --git a/charts/exivity/values.yaml b/charts/exivity/values.yaml index 6d300747..775a712e 100644 --- a/charts/exivity/values.yaml +++ b/charts/exivity/values.yaml 
@@ -4,13 +4,17 @@ nameOverride: "" # Set to the actual licence for production environments. # For evaluation purposes, use "demo", but note that "demo" will not allow you to run reports. # For a trial license, please contact license@exivity.com. +# +# Can be specified as: +# 1. Direct value: licence: "your-license-key" +# 2. Secret reference: licence: {secretName: "exivity-secrets", key: "LICENCE"} licence: "demo" # Secret keys used for application security. Random values are generated on installation if not set. # Random values are generated on installation if not set, but it's recommended to specify values for production. secret: - appKey: "" # Used to encrypt application data. Specify a value for production. Max length: 64 characters. - jwtSecret: "" # Used for signing JWTs. Specify a value for production. + appKey: "" # Encrypts application data (max 64 chars). Direct value OR {secretName: "secrets", key: "APP_KEY"} + jwtSecret: "" # Signs JWTs. Direct value OR {secretName: "secrets", key: "JWT_SECRET"} ingress: enabled: true # Indicates if ingress is enabled. 
@@ -92,17 +96,10 @@ storage: # and setting the LDAPTLS_CACERT environment variable to enable LDAP over TLS. # Both tlsCacert and tlsCacertPath must be provided together to enable LDAP TLS. ldap: - # PEM certificate content for LDAP TLS validation. - # When empty, LDAP TLS functionality is disabled. - # tlsCacert: | - # -----BEGIN CERTIFICATE----- - # [Your Root CA certificate here] - # -----END CERTIFICATE----- - - # Path where the LDAP TLS certificate will be mounted in the container. - # This path will be set as the LDAPTLS_CACERT environment variable. - # Only used when tlsCacert is provided. Default: "/etc/ssl/certs/ldap.pem" - tlsCacertPath: "/etc/ssl/certs/ldap.pem" + # LDAP TLS CA certificate. Empty disables TLS. + # Direct value: multiline PEM string OR Secret reference: {secretName: "ldap-certs", key: "CA_CERT"} + tlsCacert: "" + tlsCacertPath: "/etc/ssl/certs/ldap.pem" # Certificate mount path (sets LDAPTLS_CACERT) # Configuration for PostgreSQL, either as an embedded database using the Bitnami PostgreSQL chart or an external database. # It is recommended to use an external PostgreSQL server for production environments to ensure scalability and manageability. @@ -119,10 +116,10 @@ postgresql: global: postgresql: auth: - database: exivity # Database name for both external and embedded databases. - username: exivity # Username for accessing the database. - password: Password12! # Password for the database user. - postgresPassword: Password13! # Root password for PostgreSQL, optional when using an external database. + database: exivity + username: exivity # Direct value OR Secret reference: {secretName: "db-secret", key: "USERNAME"} + password: Password12! # Direct value OR Secret reference: {secretName: "db-secret", key: "PASSWORD"} + postgresPassword: Password13! # Root password (optional for external DB) # Configuration for using an external PostgreSQL database. host: "" # Hostname of the external database server, if applicable. 
@@ -159,8 +156,8 @@ rabbitmq: enabled: false # Determines if clustering is enabled for RabbitMQ. auth: - username: user # Username for RabbitMQ authentication. - password: pass # Password for RabbitMQ authentication. + username: user # Direct value OR Secret reference: {secretName: "mq-secret", key: "USERNAME"} + password: pass # Direct value OR Secret reference: {secretName: "mq-secret", key: "PASSWORD"} # Configuration for using an external RabbitMQ server. host: "" # Hostname of the external RabbitMQ server, if applicable.