From 7194161a0e1dafe1dba6ec9d57631daed3bad16f Mon Sep 17 00:00:00 2001
From: Wilfried BARADAT
Date: Tue, 27 Feb 2024 12:22:29 +0100
Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=9A=9A(helm)=20rename=20template=20fi?= =?UTF-8?q?les=20to=20follow=20kebab-case=20naming=20convention?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Helm template files naming generally follows the kebab-case naming convention. Renaming Warren helm template files to follow it.
---
.../api/templates/{cm_logging.yaml => configmap-logging.yaml} | 0
.../api/templates/{job_db_migrate.yaml => job-db-migrate.yaml} | 0
.../{job_collect_static.yaml => job-collect-static.yaml} | 0
.../app/templates/{job_db_migrate.yaml => job-db-migrate.yaml} | 0
4 files changed, 0 insertions(+), 0 deletions(-)
rename src/helm/warren/charts/api/templates/{cm_logging.yaml => configmap-logging.yaml} (100%)
rename src/helm/warren/charts/api/templates/{job_db_migrate.yaml => job-db-migrate.yaml} (100%)
rename src/helm/warren/charts/app/templates/{job_collect_static.yaml => job-collect-static.yaml} (100%)
rename src/helm/warren/charts/app/templates/{job_db_migrate.yaml => job-db-migrate.yaml} (100%)
diff --git a/src/helm/warren/charts/api/templates/cm_logging.yaml b/src/helm/warren/charts/api/templates/configmap-logging.yaml
similarity index 100%
rename from src/helm/warren/charts/api/templates/cm_logging.yaml
rename to src/helm/warren/charts/api/templates/configmap-logging.yaml
diff --git a/src/helm/warren/charts/api/templates/job_db_migrate.yaml b/src/helm/warren/charts/api/templates/job-db-migrate.yaml
similarity index 100%
rename from src/helm/warren/charts/api/templates/job_db_migrate.yaml
rename to src/helm/warren/charts/api/templates/job-db-migrate.yaml
diff --git a/src/helm/warren/charts/app/templates/job_collect_static.yaml b/src/helm/warren/charts/app/templates/job-collect-static.yaml
similarity index 100%
rename from src/helm/warren/charts/app/templates/job_collect_static.yaml
rename to src/helm/warren/charts/app/templates/job-collect-static.yaml
diff --git a/src/helm/warren/charts/app/templates/job_db_migrate.yaml b/src/helm/warren/charts/app/templates/job-db-migrate.yaml
similarity index 100%
rename from src/helm/warren/charts/app/templates/job_db_migrate.yaml
rename to src/helm/warren/charts/app/templates/job-db-migrate.yaml
From fe5d184284815dc3c9a3cb7a91306938edf15c6d Mon Sep 17 00:00:00 2001
From: Wilfried BARADAT
Date: Mon, 26 Feb 2024 18:17:16 +0100
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=94=A7(helm)=20handle=20variables=20i?= =?UTF-8?q?n=20configmaps=20and=20secrets?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Now that we use Hashicorp Vault for managing secrets, we can now create secrets to store sensitive environment variables within the chart. Additionally, non-sensitive environment variables are now appropriately segregated withing configmaps (api/app env, database and logging).
---
.../api/templates/configmap-database.yaml | 12 ++++++
.../charts/api/templates/configmap-env.yaml | 12 ++++++
.../charts/api/templates/deployment.yaml | 30 +++++++-------
.../charts/api/templates/job-db-migrate.yaml | 15 ++++---
.../templates/secret-database-password.yaml | 8 ++++
.../api/templates/secret-lrs-password.yaml | 8 ++++
.../api/templates/secret-signing-key.yaml | 8 ++++
src/helm/warren/charts/api/values.yaml | 28 +++++++++----
.../app/templates/configmap-database.yaml | 11 ++++++
.../charts/app/templates/configmap-env.yaml | 21 ++++++++++
.../charts/app/templates/deployment.yaml | 39 +++++--------------
.../app/templates/job-collect-static.yaml | 27 ++-----------
.../charts/app/templates/job-db-migrate.yaml | 25 +++---------
src/helm/warren/charts/app/templates/pvc.yaml | 2 +
.../templates/secret-database-password.yaml | 8 ++++
.../app/templates/secret-secret-key.yaml | 8 ++++
.../app/templates/secret-signing-key.yaml | 8 ++++
src/helm/warren/charts/app/values.yaml | 26 +++++++++----
18 files changed, 185 insertions(+), 111 deletions(-)
create mode 100644 src/helm/warren/charts/api/templates/configmap-database.yaml
create mode 100644 src/helm/warren/charts/api/templates/configmap-env.yaml
create mode 100644 src/helm/warren/charts/api/templates/secret-database-password.yaml
create mode 100644 src/helm/warren/charts/api/templates/secret-lrs-password.yaml
create mode 100644 src/helm/warren/charts/api/templates/secret-signing-key.yaml
create mode 100644 src/helm/warren/charts/app/templates/configmap-database.yaml
create mode 100644 src/helm/warren/charts/app/templates/configmap-env.yaml
create mode 100644 src/helm/warren/charts/app/templates/secret-database-password.yaml
create mode 100644 src/helm/warren/charts/app/templates/secret-secret-key.yaml
create mode 100644 src/helm/warren/charts/app/templates/secret-signing-key.yaml
diff --git a/src/helm/warren/charts/api/templates/configmap-database.yaml b/src/helm/warren/charts/api/templates/configmap-database.yaml
new file mode 100644
index 00000000..61536c68
--- /dev/null
+++ b/src/helm/warren/charts/api/templates/configmap-database.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: warren-api-database
+ labels:
+ {{- include "api.labels" . | nindent 4 }}
+data:
+ WARREN_API_DB_ENGINE: {{ .Values.database.engine | quote }}
+ WARREN_API_DB_HOST: {{ .Values.database.host | quote }}
+ WARREN_API_DB_PORT: {{ .Values.database.port | quote }}
+ WARREN_API_DB_NAME: {{ .Values.database.name | quote }}
+ WARREN_API_DB_USER: {{ .Values.database.user | quote }}
diff --git a/src/helm/warren/charts/api/templates/configmap-env.yaml b/src/helm/warren/charts/api/templates/configmap-env.yaml
new file mode 100644
index 00000000..93669284
--- /dev/null
+++ b/src/helm/warren/charts/api/templates/configmap-env.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: warren-api-env
+ labels:
+ {{- include "api.labels" . | nindent 4 }}
+data:
+ WARREN_API_SERVER_PORT: {{ .Values.service.port | quote}}
+ WARREN_APP_SIGNING_ALGORITHM: {{ .Values.signing.algorithm | quote }}
+ WARREN_ALLOWED_HOSTS: {{ include "api.allowedHosts" . }}
+ WARREN_LRS_HOSTS: {{ .Values.lrs.host | quote }}
+ WARREN_LRS_AUTH_BASIC_USERNAME: {{ .Values.lrs.username | quote}}
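Review bot: `{{ .Values.service.port | quote}}` and `{{ .Values.lrs.username | quote}}` in the data block of configmap-env.yaml drop the space before `}}` that every other line in the two new ConfigMaps uses; `{{ .Values.service.port | quote }}` keeps the template consistent and easier to grep. The key `WARREN_LRS_HOSTS` is plural while it is fed from the singular `lrs.host` value — presumably that is the variable name the API reads, but it is worth confirming against the application settings before the name is frozen in a ConfigMap.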
diff --git a/src/helm/warren/charts/api/templates/deployment.yaml b/src/helm/warren/charts/api/templates/deployment.yaml
index dea67581..57e3aa1c 100644
--- a/src/helm/warren/charts/api/templates/deployment.yaml
+++ b/src/helm/warren/charts/api/templates/deployment.yaml
@@ -13,10 +13,13 @@ spec: {{- include "api.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} - {{- end }} + checksum/db_config: {{ include (print $.Template.BasePath "/configmap-database.yaml") . | sha256sum }} + checksum/env_config: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }} + checksum/logging_config: {{ include (print $.Template.BasePath "/configmap-logging.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} labels: {{- include "api.labels" . | nindent 8 }} {{- with .Values.podLabels }}
@@ -57,20 +60,17 @@ spec: value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}' initialDelaySeconds: 5 periodSeconds: 5 - env: - - name: WARREN_API_SERVER_PORT - value: "{{ .Values.service.port }}" - - name: WARREN_API_DB_ENGINE - value: {{ .Values.database.engine }} - - name: WARREN_API_DB_PORT - value: {{ .Values.database.port | quote }} - - name: WARREN_APP_SIGNING_ALGORITHM - value: {{ .Values.signingAlgorithm }} - - name: WARREN_ALLOWED_HOSTS - value: {{ include "api.allowedHosts" . }} envFrom: + - configMapRef: + name: "warren-api-env" + - configMapRef: + name: "warren-api-database" + - secretRef: + name: {{ .Values.lrs.passwordSecretName | quote }} + - secretRef: + name: {{ .Values.database.passwordSecretName | quote }} - secretRef: - name: {{ .Values.envVarsSecret | quote }} + name: {{ .Values.signing.keySecretName | quote }} {{ with .Values.podCommand }} command: {{- toYaml . | nindent 12 }}
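Review bot: The new `checksum/*` annotations hash only the three ConfigMaps, not the Secrets this chart renders (secret-database-password.yaml, secret-lrs-password.yaml, secret-signing-key.yaml), so changing `database.password`, `lrs.password` or `signing.key` through values rewrites the Secret but does not roll the pods, which keep the previously injected envFrom values until they restart for another reason. If rotation is expected to happen in Vault rather than through values, a comment above the annotations saying so would settle it; otherwise add `checksum/db_secret: {{ include (print $.Template.BasePath "/secret-database-password.yaml") . | sha256sum }}` and the equivalent lines for the LRS password and the signing key. The pod template this hunk edits begins before the hunk.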
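Review bot: Each new `secretRef` is mandatory, while every Secret it points at is rendered only under `{{- if $.Values.….password }}` / `{{- if $.Values.signing.key }}` and the matching values default to `""`, so with default values the chart renders no Secret and the pods stay in CreateContainerConfigError until a Secret of that name exists in the namespace. Failing loudly is the right behaviour for a credential, but nothing in values.yaml states that an empty value means "an externally managed Secret named `passwordSecretName` / `keySecretName` must already exist"; a comment there is preferable to `optional: true`, which would let a missing credential go unnoticed. The same applies to the envFrom hunks in api job-db-migrate.yaml, app deployment.yaml, app job-collect-static.yaml and app job-db-migrate.yaml. The container spec this hunk sits in starts and ends outside the hunk.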
diff --git a/src/helm/warren/charts/api/templates/job-db-migrate.yaml b/src/helm/warren/charts/api/templates/job-db-migrate.yaml
index 97ea3900..936f52ce 100644
--- a/src/helm/warren/charts/api/templates/job-db-migrate.yaml
+++ b/src/helm/warren/charts/api/templates/job-db-migrate.yaml
@@ -4,8 +4,6 @@ metadata: name: "{{ .Values.jobs.dbMigrate.name }}" labels: {{- include "api.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, pre-upgrade spec: template: metadata:
@@ -27,12 +25,17 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: WARREN_APP_SIGNING_ALGORITHM - value: {{ .Values.signingAlgorithm }} envFrom: + - configMapRef: + name: "warren-api-env" + - configMapRef: + name: "warren-api-database" - secretRef: - name: {{ .Values.envVarsSecret | quote }} + name: {{ .Values.lrs.passwordSecretName | quote }} + - secretRef: + name: {{ .Values.database.passwordSecretName | quote }} + - secretRef: + name: {{ .Values.signing.keySecretName | quote }} {{ with .Values.jobs.dbMigrate.command }} command: {{- toYaml . | nindent 12 }}
diff --git a/src/helm/warren/charts/api/templates/secret-database-password.yaml b/src/helm/warren/charts/api/templates/secret-database-password.yaml
new file mode 100644
index 00000000..4d420114
--- /dev/null
+++ b/src/helm/warren/charts/api/templates/secret-database-password.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.database.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Values.database.passwordSecretName }}
+data:
+ WARREN_API_DB_PASSWORD: {{ $.Values.database.password | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/warren/charts/api/templates/secret-lrs-password.yaml b/src/helm/warren/charts/api/templates/secret-lrs-password.yaml
new file mode 100644
index 00000000..accb2994
--- /dev/null
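Review bot: Removing the `"helm.sh/hook": post-install, pre-upgrade` annotation turns the migration Job into an ordinary release resource, and a Job's `spec.template` is immutable, so a later `helm upgrade` that changes `image.tag` or the command will most likely be rejected with an immutable-field error on the already completed Job, unless a `ttlSecondsAfterFinished` or a per-release name outside this hunk takes care of it. It also gives up the ordering guarantee that migrations finish before the new Deployment rolls out, and the commit message does not say why the hook was dropped. The same removal happens in app job-collect-static.yaml and app job-db-migrate.yaml.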
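Review bot: The Secret carries no `labels:` although the two new ConfigMaps and even pvc.yaml in this commit add `{{- include "api.labels" . | nindent 4 }}`, so label-based selection of the release's resources will miss it; add under `metadata:` the two lines `labels:` / `{{- include "api.labels" . | nindent 4 }}` (`app.labels` in the app chart). `name: {{ $.Values.database.passwordSecretName }}` is also left unquoted while deployment.yaml quotes the same value, and the file ends without a trailing newline. This applies equally to secret-lrs-password.yaml, secret-signing-key.yaml and the three app secret templates.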
+++ b/src/helm/warren/charts/api/templates/secret-lrs-password.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.lrs.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Values.lrs.passwordSecretName }}
+data:
+ WARREN_LRS_AUTH_BASIC_PASSWORD: {{ $.Values.lrs.password | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/warren/charts/api/templates/secret-signing-key.yaml b/src/helm/warren/charts/api/templates/secret-signing-key.yaml
new file mode 100644
index 00000000..1f7ac75a
--- /dev/null
+++ b/src/helm/warren/charts/api/templates/secret-signing-key.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.signing.key }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Values.signing.keySecretName }}
+data:
+ WARREN_APP_SIGNING_KEY: {{ $.Values.signing.key | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/warren/charts/api/values.yaml b/src/helm/warren/charts/api/values.yaml
index 969523a9..96409cf7 100644
--- a/src/helm/warren/charts/api/values.yaml
+++ b/src/helm/warren/charts/api/values.yaml
@@ -38,18 +38,13 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 -# Secret name to inject as environment variables -envVarsSecret: "warren-api-env" - jobs: dbMigrate: name: "warren-api-db-migrate" command: - - "alembic" + - bash - "-c" - - "core/alembic.ini" - - "upgrade" - - "head" + - "warren migration upgrade head" restartPolicy: Never service:
@@ -112,9 +107,27 @@ affinity: {} # API configuration allowedHosts: [] + +signing: + algorithm: HS256 + key: "" + keySecretName: "warren-signing-key" + +lrs: + host: "" + username: "" + password: "" + passwordSecretName: "warren-api-lrs-password" + database: engine: postgresql + host: "my-release-postgresql" port: 5432 + name: "warren-api" + user: "warren-api" + password: "" + passwordSecretName: "warren-api-database-password" + loggingConfigConfigMap: api-logging-config loggingConfig: version: 1
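Review bot: `signing.keySecretName` defaults to `"warren-signing-key"` in both api/values.yaml (below in this patch) and app/values.yaml, and each subchart's secret-signing-key.yaml renders a Secret of that name from its own `signing.key`; installing the parent chart with both keys set yields two Secrets with the same name in one release, which Helm should refuse as a duplicate resource, and with only one set the other subchart silently depends on its sibling's Secret. If the key is meant to be shared by api and app, render it once (in the parent chart) or state in both values files that only one of the two `signing.key` values may be set. The data key is `WARREN_APP_SIGNING_KEY` in the api chart as well — presumably the name the API reads, worth confirming.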
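Review bot: The new `key: ""`, `password: ""` and `*SecretName` entries under `signing`, `lrs` and `database` come without comments, so a reader of values.yaml cannot tell that an empty value means the chart renders no Secret and the named one must be supplied externally; a line such as `# Leave empty to use an existing Secret named passwordSecretName (e.g. managed by Vault)` above each password/key value would document the contract. `database.host: "my-release-postgresql"` also hard-codes one specific release name of the bundled PostgreSQL chart as the default and deserves `# Service name of the bundled postgresql chart; override for an external database`. The same entries are added to app/values.yaml later in this patch.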
@@ -154,4 +167,3 @@ loggingConfig: - default level: INFO propagate: false -signingAlgorithm: HS256
diff --git a/src/helm/warren/charts/app/templates/configmap-database.yaml b/src/helm/warren/charts/app/templates/configmap-database.yaml
new file mode 100644
index 00000000..20f10613
--- /dev/null
+++ b/src/helm/warren/charts/app/templates/configmap-database.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: warren-app-database
+ labels:
+ {{- include "app.labels" . | nindent 4 }}
+data:
+ WARREN_APP_DB_HOST: {{ .Values.database.host | quote }}
+ WARREN_APP_DB_PORT: {{ .Values.database.port | quote }}
+ WARREN_APP_DB_NAME: {{ .Values.database.name | quote }}
+ WARREN_APP_DB_USER: {{ .Values.database.user | quote }}
diff --git a/src/helm/warren/charts/app/templates/configmap-env.yaml b/src/helm/warren/charts/app/templates/configmap-env.yaml
new file mode 100644
index 00000000..5a7836a9
--- /dev/null
+++ b/src/helm/warren/charts/app/templates/configmap-env.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: warren-app-env
+ labels:
+ {{- include "app.labels" . | nindent 4 }}
+data:
+ DJANGO_SETTINGS_MODULE: {{ .Values.djangoSettingsModule | quote }}
+ DJANGO_CONFIGURATION: {{ .Values.djangoConfiguration | quote }}
+ {{- if .Values.persistence.enabled }}
+ WARREN_APP_MEDIA_ROOT: {{ .Values.persistence.volumes.media.mountPath | quote }}
+ WARREN_APP_STATIC_ROOT: {{ .Values.persistence.volumes.static.mountPath | quote }}
+ {{- end }}
+ WARREN_APP_SIGNING_ALGORITHM: {{ .Values.signing.algorithm | quote }}
+ WARREN_APP_ACCESS_TOKEN_LIFETIME: {{ .Values.accessTokenLifetime | quote }}
+ WARREN_APP_REFRESH_TOKEN_LIFETIME: {{ .Values.refreshTokenLifetime | quote }}
+ WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME: {{ .Values.ltiAccessTokenLifetime | quote }}
+ WARREN_API_ROOT_URL: {{ .Values.apiRootUrl | quote }}
+ WARREN_APP_ROOT_URL: {{ .Values.appRootUrl | quote }}
+ WARREN_APP_ALLOWED_HOSTS: {{ include "app.allowedHosts" . }}
+ WARREN_APP_CORS_ALLOWED_ORIGINS: {{ join "," .Values.corsAllowedOrigins | quote }}
diff --git a/src/helm/warren/charts/app/templates/deployment.yaml b/src/helm/warren/charts/app/templates/deployment.yaml
index cfa911b6..1e35e340 100644
--- a/src/helm/warren/charts/app/templates/deployment.yaml
+++ b/src/helm/warren/charts/app/templates/deployment.yaml
@@ -53,38 +53,17 @@ spec: httpHeaders: - name: Host value: "{{ first .Values.allowedHosts }}" - env: - - name: DJANGO_SETTINGS_MODULE - value: {{ .Values.djangoSettingsModule }} - - name: DJANGO_CONFIGURATION - value: {{ .Values.djangoConfiguration }} - {{- if .Values.persistence.enabled }} - - name: WARREN_APP_MEDIA_ROOT - value: {{ .Values.persistence.volumes.media.mountPath }} - - name: WARREN_APP_STATIC_ROOT - value: {{ .Values.persistence.volumes.static.mountPath }} - {{- end }} - - name: WARREN_APP_DB_PORT - value: {{ .Values.database.port | quote }} - - name: WARREN_APP_SIGNING_ALGORITHM - value: {{ .Values.signingAlgorithm }} - - name: WARREN_APP_ACCESS_TOKEN_LIFETIME - value: {{ .Values.accessTokenLifetime | quote }} - - name: WARREN_APP_REFRESH_TOKEN_LIFETIME - value: {{ .Values.refreshTokenLifetime | quote }} - - name: WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME - value: {{ .Values.ltiAccessTokenLifetime | quote }} - - name: WARREN_API_ROOT_URL - value: {{ .Values.apiRootUrl | quote }} - - name: WARREN_APP_ROOT_URL - value: {{ .Values.appRootUrl | quote }} - - name: WARREN_APP_ALLOWED_HOSTS - value: {{ include "app.allowedHosts" . }} - - name: WARREN_APP_CORS_ALLOWED_ORIGINS - value: {{ join "," .Values.corsAllowedOrigins | quote }} envFrom: + - configMapRef: + name: "warren-app-env" + - configMapRef: + name: "warren-app-database" - secretRef: - name: {{ .Values.envVarsSecret | quote }} + name: {{ .Values.database.passwordSecretName | quote }} + - secretRef: + name: {{ .Values.secretKeySecretName | quote }} + - secretRef: + name: {{ .Values.signing.keySecretName | quote }} {{ with .Values.podCommand }} command: {{- toYaml . | nindent 12 }}
diff --git a/src/helm/warren/charts/app/templates/job-collect-static.yaml b/src/helm/warren/charts/app/templates/job-collect-static.yaml
index 37276653..1879b160 100644
--- a/src/helm/warren/charts/app/templates/job-collect-static.yaml
+++ b/src/helm/warren/charts/app/templates/job-collect-static.yaml
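Review bot: The app Deployment switches to `configMapRef` entries for warren-app-env and warren-app-database but, unlike the api Deployment in this same patch, gets no `checksum/*` pod annotations, so a values change that edits those ConfigMaps will not roll the app pods and they keep the stale environment until something else restarts them. Add to the pod template `annotations:` (above this hunk) `checksum/env_config: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}` and `checksum/db_config: {{ include (print $.Template.BasePath "/configmap-database.yaml") . | sha256sum }}`. The container spec this hunk edits starts and ends outside the hunk.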
@@ -5,8 +5,6 @@ metadata: name: "{{ .Values.jobs.collectStatic.name }}" labels: {{- include "app.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, pre-upgrade spec: template: metadata:
@@ -28,30 +26,11 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: DJANGO_SETTINGS_MODULE - value: {{ .Values.djangoSettingsModule }} - - name: DJANGO_CONFIGURATION - value: {{ .Values.djangoConfiguration }} - - name: WARREN_APP_MEDIA_ROOT - value: {{ .Values.persistence.volumes.media.mountPath }} - - name: WARREN_APP_STATIC_ROOT - value: {{ .Values.persistence.volumes.static.mountPath }} - - name: WARREN_APP_DB_PORT - value: {{ .Values.database.port | quote }} - - name: WARREN_APP_SIGNING_ALGORITHM - value: {{ .Values.signingAlgorithm }} - - name: WARREN_APP_ACCESS_TOKEN_LIFETIME - value: {{ .Values.accessTokenLifetime | quote }} - - name: WARREN_APP_REFRESH_TOKEN_LIFETIME - value: {{ .Values.refreshTokenLifetime | quote }} - - name: WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME - value: {{ .Values.ltiAccessTokenLifetime | quote }} - - name: WARREN_APP_ALLOWED_HOSTS - value: {{ include "app.allowedHosts" . }} envFrom: + - configMapRef: + name: "warren-app-env" - secretRef: - name: {{ .Values.envVarsSecret | quote }} + name: {{ .Values.secretKeySecretName | quote }} {{ with .Values.jobs.collectStatic.command }} command: {{- toYaml . | nindent 12 }}
diff --git a/src/helm/warren/charts/app/templates/job-db-migrate.yaml b/src/helm/warren/charts/app/templates/job-db-migrate.yaml
index c8f702d2..6b6d156a 100644
--- a/src/helm/warren/charts/app/templates/job-db-migrate.yaml
+++ b/src/helm/warren/charts/app/templates/job-db-migrate.yaml
@@ -4,8 +4,6 @@ metadata: name: "{{ .Values.jobs.dbMigrate.name }}" labels: {{- include "app.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, pre-upgrade spec: template: metadata:
@@ -27,26 +25,13 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: DJANGO_SETTINGS_MODULE - value: {{ .Values.djangoSettingsModule }} - - name: DJANGO_CONFIGURATION - value: {{ .Values.djangoConfiguration }} - - name: WARREN_APP_DB_PORT - value: {{ .Values.database.port | quote }} - - name: WARREN_APP_SIGNING_ALGORITHM - value: {{ .Values.signingAlgorithm }} - - name: WARREN_APP_ACCESS_TOKEN_LIFETIME - value: {{ .Values.accessTokenLifetime | quote }} - - name: WARREN_APP_REFRESH_TOKEN_LIFETIME - value: {{ .Values.refreshTokenLifetime | quote }} - - name: WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME - value: {{ .Values.ltiAccessTokenLifetime | quote }} - - name: WARREN_APP_ALLOWED_HOSTS - value: {{ include "app.allowedHosts" . }} envFrom: + - configMapRef: + name: "warren-app-database" - secretRef: - name: {{ .Values.envVarsSecret | quote }} + name: {{ .Values.database.passwordSecretName | quote }} + - secretRef: + name: {{ .Values.secretKeySecretName | quote }} {{ with .Values.jobs.dbMigrate.command }} command: {{- toYaml . | nindent 12 }}
diff --git a/src/helm/warren/charts/app/templates/pvc.yaml b/src/helm/warren/charts/app/templates/pvc.yaml
index 7add10f5..867e4a6b 100644
--- a/src/helm/warren/charts/app/templates/pvc.yaml
+++ b/src/helm/warren/charts/app/templates/pvc.yaml
@@ -22,6 +22,8 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: {{ include "app.fullname" . }}-static + labels: + {{- include "app.labels" . | nindent 4 }} spec: accessModes: {{ with .Values.persistence.accessModes }}
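Review bot: After the second hunk the app migrate Job references only `warren-app-database` and two Secrets, yet `DJANGO_SETTINGS_MODULE`, `DJANGO_CONFIGURATION`, the signing algorithm and the token lifetimes removed here now live in `warren-app-env`, which this Job never loads (job-collect-static.yaml does); unless the image bakes in those defaults, the migration container starts without a Django settings module. Add `- configMapRef:` / `name: "warren-app-env"` next to the existing configMapRef. The Job's container spec begins before the hunk.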
diff --git a/src/helm/warren/charts/app/templates/secret-database-password.yaml b/src/helm/warren/charts/app/templates/secret-database-password.yaml
new file mode 100644
index 00000000..02cb64c4
--- /dev/null
+++ b/src/helm/warren/charts/app/templates/secret-database-password.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.database.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Values.database.passwordSecretName }}
+data:
+ WARREN_APP_DB_PASSWORD: {{ $.Values.database.password | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/warren/charts/app/templates/secret-secret-key.yaml b/src/helm/warren/charts/app/templates/secret-secret-key.yaml
new file mode 100644
index 00000000..1d09bfc4
--- /dev/null
+++ b/src/helm/warren/charts/app/templates/secret-secret-key.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.secretKey }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Values.secretKeySecretName }}
+data:
+ WARREN_APP_SECRET_KEY: {{ $.Values.secretKey | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/warren/charts/app/templates/secret-signing-key.yaml b/src/helm/warren/charts/app/templates/secret-signing-key.yaml
new file mode 100644
index 00000000..1f7ac75a
--- /dev/null
+++ b/src/helm/warren/charts/app/templates/secret-signing-key.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.signing.key }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Values.signing.keySecretName }}
+data:
+ WARREN_APP_SIGNING_KEY: {{ $.Values.signing.key | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/src/helm/warren/charts/app/values.yaml b/src/helm/warren/charts/app/values.yaml
index ea99e7b5..85fec636 100644
--- a/src/helm/warren/charts/app/values.yaml
+++ b/src/helm/warren/charts/app/values.yaml
@@ -33,9 +33,6 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 -# Secret name to inject as environment variables -envVarsSecret: "warren-app-env" - jobs: dbMigrate: name: "warren-app-db-migrate"
@@ -97,7 +94,7 @@ persistence: enabled: false storageClass: "standard" accessModes: - - ReadWriteOnce + - ReadWriteMany volumes: media: name: media
@@ -130,16 +127,29 @@ tolerations: [] affinity: {} # Django application configuration -accessTokenLifetime: 300 allowedHosts: [] -database: - port: 5432 + +signing: + algorithm: HS256 + key: "" + keySecretName: "warren-signing-key" + +accessTokenLifetime: 300 djangoConfiguration: Production djangoSettingsModule: warren.settings ltiAccessTokenLifetime: 86400 refreshTokenLifetime: 86400 -signingAlgorithm: HS256 apiRootUrl: "http://localhost:8090" appRootUrl: "http://localhost:8100" corsAllowedOrigins: - "http://localhost:8090" +secretKey: "" +secretKeySecretName: "warren-app-secret-key" + +database: + host: "my-release-postgresql" + port: 5432 + name: "warren-app" + user: "warren-app" + password: "" + passwordSecretName: "warren-app-database-password"
From 8fff6973a12cbd43ab66afd3300477ad9b322243 Mon Sep 17 00:00:00 2001
From: Wilfried BARADAT
Date: Mon, 26 Feb 2024 18:21:29 +0100
Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=9A=A8(helm)=20fix=20linter=20warning?= =?UTF-8?q?=20for=20empty=20`allowedHosts`=20value?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On liveness and readiness probes, with virtual hosts, `Host` should be set in the Host header. As the default value is an empty list, Helm linter was raising an error. Fixing the lint issue by only adding an `httpHeaders` if value `allowHosts` is not empty, for both `api` and `app` deployments.
---
src/helm/warren/charts/api/templates/deployment.yaml | 4 ++++
src/helm/warren/charts/app/templates/deployment.yaml | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/src/helm/warren/charts/api/templates/deployment.yaml b/src/helm/warren/charts/api/templates/deployment.yaml
index 57e3aa1c..8682b9e9 100644
--- a/src/helm/warren/charts/api/templates/deployment.yaml
+++ b/src/helm/warren/charts/api/templates/deployment.yaml
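Review bot: `accessModes` flips from `ReadWriteOnce` to `ReadWriteMany` in a patch whose message is about ConfigMaps and Secrets, with no explanation; RWX is offered only by some storage classes, so with the default `storageClass: "standard"` the claim may stay Pending on clusters whose standard class is block storage. Either move it to its own commit or add `# ReadWriteMany so several app replicas can share media/static; requires an RWX-capable storage class` above the list so the requirement is visible where the value is set.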
@@ -46,18 +46,22 @@ spec: httpGet: path: /__heartbeat__ port: http + {{- if .Values.allowedHosts }} httpHeaders: - name: Host value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}' + {{- end }} initialDelaySeconds: 15 periodSeconds: 30 readinessProbe: httpGet: path: /__lbheartbeat__ port: http + {{- if .Values.allowedHosts }} httpHeaders: - name: Host value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}' + {{- end }} initialDelaySeconds: 5 periodSeconds: 5 envFrom:
diff --git a/src/helm/warren/charts/app/templates/deployment.yaml b/src/helm/warren/charts/app/templates/deployment.yaml
index 1e35e340..b27102cc 100644
--- a/src/helm/warren/charts/app/templates/deployment.yaml
+++ b/src/helm/warren/charts/app/templates/deployment.yaml
@@ -43,16 +43,20 @@ spec: httpGet: path: /__heartbeat__ port: http + {{- if .Values.allowedHosts }} httpHeaders: - name: Host value: "{{ first .Values.allowedHosts }}" + {{- end }} readinessProbe: httpGet: path: /__lbheartbeat__ port: http + {{- if .Values.allowedHosts }} httpHeaders: - name: Host value: "{{ first .Values.allowedHosts }}" + {{- end }} envFrom: - configMapRef: name: "warren-app-env"
From a5329d0e7475fdff97b02d6d3d43372d8e0a2f75 Mon Sep 17 00:00:00 2001
From: Wilfried BARADAT
Date: Fri, 1 Mar 2024 20:15:15 +0100
Subject: [PATCH 4/4] =?UTF-8?q?=F0=9F=94=A7(helm)=20disable=20postgresql?= =?UTF-8?q?=20database=20deployment=20by=20default?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As it is generally recommended to handle databases outside the cluster, disabling the postgresql database deployment by default.
---
src/helm/warren/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/helm/warren/values.yaml b/src/helm/warren/values.yaml
index 031ff5ac..92b71e0c 100644
--- a/src/helm/warren/values.yaml
+++ b/src/helm/warren/values.yaml
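Review bot: The `{{- if .Values.allowedHosts }}` / `{{- end }}` guard around `httpHeaders` is now written out four times (twice in this api hunk, twice in the app deployment.yaml hunk that follows), and the two charts already differ in that only the api variant applies `trimPrefix "https://"` to the host; a single named template next to `api.labels` that emits the whole `httpHeaders` block or nothing would keep the liveness and readiness probes, and the two charts, from drifting further. The probe definitions and the surrounding container spec extend beyond the hunk.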
@@ -24,7 +24,7 @@ api: postgresql: # If enabled, a postgresql database will be deployed in the k8s cluster, else # a simple gateway can be used (see the postgresql-gw chart) - enabled: true + enabled: false # Global variables are accessible both from charts and subcharts templates using # the "global" prefix path: {{ .Values.global.var_name }}
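Review bot: With `enabled: false` as the default, a plain install no longer deploys PostgreSQL, while the api and app subcharts (patch 2 of this series) still default `database.host` to `"my-release-postgresql"`, the bundled chart's service name, so the default values now point the application at a database that is not there. The comment above the flag should say what a user has to provide instead, e.g. `# When disabled, set the subcharts' database.host/name/user and supply the passwordSecretName Secrets for your external database`. The enclosing `postgresql:` block may continue past the hunk.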