openfun · wilbrdt · Feb 27, 2024 · Feb 26, 2024 · Feb 26, 2024 · Mar 1, 2024
diff --git a/src/helm/warren/charts/api/templates/configmap-database.yaml b/src/helm/warren/charts/api/templates/configmap-database.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: warren-api-database
+  labels:
+    {{- include "api.labels" . | nindent 4 }}
+data:
+  WARREN_API_DB_ENGINE: {{ .Values.database.engine | quote }}
+  WARREN_API_DB_HOST: {{ .Values.database.host | quote }}
+  WARREN_API_DB_PORT: {{ .Values.database.port | quote }}
+  WARREN_API_DB_NAME: {{ .Values.database.name | quote }}
+  WARREN_API_DB_USER: {{ .Values.database.user | quote }}
diff --git a/src/helm/warren/charts/api/templates/configmap-env.yaml b/src/helm/warren/charts/api/templates/configmap-env.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: warren-api-env
+  labels:
+    {{- include "api.labels" . | nindent 4 }}
+data:
+  WARREN_API_SERVER_PORT: {{ .Values.service.port | quote}}
+  WARREN_APP_SIGNING_ALGORITHM: {{ .Values.signing.algorithm | quote }}
+  WARREN_ALLOWED_HOSTS: {{ include "api.allowedHosts" . }}
+  WARREN_LRS_HOSTS: {{ .Values.lrs.host | quote }}
+  WARREN_LRS_AUTH_BASIC_USERNAME: {{ .Values.lrs.username | quote}}
diff --git a/...rren/charts/api/templates/cm_logging.yaml → ...arts/api/templates/configmap-logging.yaml b/...rren/charts/api/templates/cm_logging.yaml → ...arts/api/templates/configmap-logging.yaml
diff --git a/src/helm/warren/charts/api/templates/deployment.yaml b/src/helm/warren/charts/api/templates/deployment.yaml
@@ -13,10 +13,13 @@ spec:
       {{- include "api.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        checksum/db_config: {{ include (print $.Template.BasePath "/configmap-database.yaml") . | sha256sum }}
+        checksum/env_config: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}
+        checksum/logging_config: {{ include (print $.Template.BasePath "/configmap-logging.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
         {{- include "api.labels" . | nindent 8 }}
         {{- with .Values.podLabels }}
@@ -43,34 +46,35 @@ spec:
             httpGet:
               path: /__heartbeat__
               port: http
+              {{- if .Values.allowedHosts }}
               httpHeaders:
                 - name: Host
                   value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}'
+              {{- end }}
             initialDelaySeconds: 15
             periodSeconds: 30
           readinessProbe:
             httpGet:
               path: /__lbheartbeat__
               port: http
+              {{- if .Values.allowedHosts }}
               httpHeaders:
                 - name: Host
                   value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}'
+              {{- end }}
             initialDelaySeconds: 5
             periodSeconds: 5
-          env:
-            - name: WARREN_API_SERVER_PORT
-              value: "{{ .Values.service.port }}"
-            - name: WARREN_API_DB_ENGINE
-              value: {{ .Values.database.engine }}
-            - name: WARREN_API_DB_PORT
-              value: {{ .Values.database.port | quote }}
-            - name: WARREN_APP_SIGNING_ALGORITHM
-              value: {{ .Values.signingAlgorithm }}
-            - name: WARREN_ALLOWED_HOSTS
-              value: {{ include "api.allowedHosts" . }}
           envFrom:
+            - configMapRef:
+                name: "warren-api-env"
+            - configMapRef:
+                name: "warren-api-database"
+            - secretRef:
+                name: {{ .Values.lrs.passwordSecretName | quote }}
+            - secretRef:
+                name: {{ .Values.database.passwordSecretName | quote }}
             - secretRef:
-                name: {{ .Values.envVarsSecret | quote }}
+                name: {{ .Values.signing.keySecretName | quote }}
           {{ with .Values.podCommand }}
           command:
             {{- toYaml . | nindent 12 }}

diff --git a/.../charts/app/templates/job_db_migrate.yaml → .../charts/api/templates/job-db-migrate.yaml b/.../charts/app/templates/job_db_migrate.yaml → .../charts/api/templates/job-db-migrate.yaml
@@ -3,14 +3,12 @@ kind: Job
 metadata:
   name: "{{ .Values.jobs.dbMigrate.name }}"
   labels:
-    {{- include "app.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install, pre-upgrade
+    {{- include "api.labels" . | nindent 4 }}
 spec:
   template:
     metadata:
       labels:
-        {{- include "app.labels" . | nindent 8 }}
+        {{- include "api.labels" . | nindent 8 }}
         {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -27,26 +25,17 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-            - name: DJANGO_SETTINGS_MODULE
-              value: {{ .Values.djangoSettingsModule }}
-            - name: DJANGO_CONFIGURATION
-              value: {{ .Values.djangoConfiguration }}
-            - name: WARREN_APP_DB_PORT
-              value: {{ .Values.database.port | quote }}
-            - name: WARREN_APP_SIGNING_ALGORITHM
-              value: {{ .Values.signingAlgorithm }}
-            - name: WARREN_APP_ACCESS_TOKEN_LIFETIME
-              value: {{ .Values.accessTokenLifetime | quote }}
-            - name: WARREN_APP_REFRESH_TOKEN_LIFETIME
-              value: {{ .Values.refreshTokenLifetime | quote }}
-            - name: WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME
-              value: {{ .Values.ltiAccessTokenLifetime | quote }}
-            - name: WARREN_APP_ALLOWED_HOSTS
-              value: {{ include "app.allowedHosts" . }}
           envFrom:
+            - configMapRef:
+                name: "warren-api-env"
+            - configMapRef:
+                name: "warren-api-database"
             - secretRef:
-                name: {{ .Values.envVarsSecret | quote }}
+                name: {{ .Values.lrs.passwordSecretName | quote }}
+            - secretRef:
+                name: {{ .Values.database.passwordSecretName | quote }}
+            - secretRef:
+                name: {{ .Values.signing.keySecretName | quote }}
           {{ with .Values.jobs.dbMigrate.command }}
           command:
             {{- toYaml . | nindent 12 }}

diff --git a/src/helm/warren/charts/api/templates/secret-database-password.yaml b/src/helm/warren/charts/api/templates/secret-database-password.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.database.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Values.database.passwordSecretName }}
+data: 
+  WARREN_API_DB_PASSWORD: {{ $.Values.database.password | b64enc }}
+{{- end }}
diff --git a/src/helm/warren/charts/api/templates/secret-lrs-password.yaml b/src/helm/warren/charts/api/templates/secret-lrs-password.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.lrs.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Values.lrs.passwordSecretName }}
+data: 
+  WARREN_LRS_AUTH_BASIC_PASSWORD: {{ $.Values.lrs.password | b64enc }}
+{{- end }}
diff --git a/src/helm/warren/charts/api/templates/secret-signing-key.yaml b/src/helm/warren/charts/api/templates/secret-signing-key.yaml
@@ -0,0 +1,8 @@
+{{- if $.Values.signing.key }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Values.signing.keySecretName }}
+data: 
+  WARREN_APP_SIGNING_KEY: {{ $.Values.signing.key | b64enc }}
+{{- end }}
diff --git a/src/helm/warren/charts/api/values.yaml b/src/helm/warren/charts/api/values.yaml
@@ -38,18 +38,13 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1000
 
-# Secret name to inject as environment variables
-envVarsSecret: "warren-api-env"
-
 jobs:
   dbMigrate:
     name: "warren-api-db-migrate"
     command:
-      - "alembic"
+      - bash 
       - "-c"
-      - "core/alembic.ini"
-      - "upgrade"
-      - "head"
+      - "warren migration upgrade head"
     restartPolicy: Never
 
 service:
@@ -112,9 +107,27 @@ affinity: {}
 
 # API configuration
 allowedHosts: []
+
+signing:
+  algorithm: HS256
+  key: ""
+  keySecretName: "warren-signing-key"
+
+lrs:
+  host: ""
+  username: ""
+  password: ""
+  passwordSecretName: "warren-api-lrs-password"
+
 database:
   engine: postgresql
+  host: "my-release-postgresql"
   port: 5432
+  name: "warren-api"
+  user: "warren-api"
+  password: ""
+  passwordSecretName: "warren-api-database-password"
+
 loggingConfigConfigMap: api-logging-config
 loggingConfig:
   version: 1
@@ -154,4 +167,3 @@ loggingConfig:
         - default
       level: INFO
       propagate: false
-signingAlgorithm: HS256
diff --git a/src/helm/warren/charts/app/templates/configmap-database.yaml b/src/helm/warren/charts/app/templates/configmap-database.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: warren-app-database
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+data:
+  WARREN_APP_DB_HOST: {{ .Values.database.host | quote }}
+  WARREN_APP_DB_PORT: {{ .Values.database.port | quote }}
+  WARREN_APP_DB_NAME: {{ .Values.database.name | quote }}
+  WARREN_APP_DB_USER: {{ .Values.database.user | quote }}
diff --git a/src/helm/warren/charts/app/templates/configmap-env.yaml b/src/helm/warren/charts/app/templates/configmap-env.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: warren-app-env
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+data:
+  DJANGO_SETTINGS_MODULE: {{ .Values.djangoSettingsModule | quote }}
+  DJANGO_CONFIGURATION: {{ .Values.djangoConfiguration | quote }}
+  {{- if .Values.persistence.enabled }}
+  WARREN_APP_MEDIA_ROOT: {{ .Values.persistence.volumes.media.mountPath | quote }}
+  WARREN_APP_STATIC_ROOT: {{ .Values.persistence.volumes.static.mountPath | quote }}
+  {{- end }}
+  WARREN_APP_SIGNING_ALGORITHM: {{ .Values.signing.algorithm | quote }}
+  WARREN_APP_ACCESS_TOKEN_LIFETIME: {{ .Values.accessTokenLifetime | quote }}
+  WARREN_APP_REFRESH_TOKEN_LIFETIME: {{ .Values.refreshTokenLifetime | quote }}
+  WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME: {{ .Values.ltiAccessTokenLifetime | quote }}
+  WARREN_API_ROOT_URL: {{ .Values.apiRootUrl | quote }}
+  WARREN_APP_ROOT_URL: {{ .Values.appRootUrl | quote }}
+  WARREN_APP_ALLOWED_HOSTS: {{ include "app.allowedHosts" . }}
+  WARREN_APP_CORS_ALLOWED_ORIGINS: {{ join "," .Values.corsAllowedOrigins | quote }}
diff --git a/src/helm/warren/charts/app/templates/deployment.yaml b/src/helm/warren/charts/app/templates/deployment.yaml
@@ -43,48 +43,31 @@ spec:
             httpGet:
               path: /__heartbeat__
               port: http
+              {{- if .Values.allowedHosts }}
               httpHeaders:
                 - name: Host
                   value: "{{ first .Values.allowedHosts }}"
+              {{- end }}
           readinessProbe:
             httpGet:
               path: /__lbheartbeat__
               port: http
+              {{- if .Values.allowedHosts }}
               httpHeaders:
                 - name: Host
                   value: "{{ first .Values.allowedHosts }}"
-          env:
-            - name: DJANGO_SETTINGS_MODULE
-              value: {{ .Values.djangoSettingsModule }}
-            - name: DJANGO_CONFIGURATION
-              value: {{ .Values.djangoConfiguration }}
-            {{- if .Values.persistence.enabled }}
-            - name: WARREN_APP_MEDIA_ROOT
-              value: {{ .Values.persistence.volumes.media.mountPath }}
-            - name: WARREN_APP_STATIC_ROOT
-              value: {{ .Values.persistence.volumes.static.mountPath }}
-            {{- end }}
-            - name: WARREN_APP_DB_PORT
-              value: {{ .Values.database.port | quote }}
-            - name: WARREN_APP_SIGNING_ALGORITHM
-              value: {{ .Values.signingAlgorithm }}
-            - name: WARREN_APP_ACCESS_TOKEN_LIFETIME
-              value: {{ .Values.accessTokenLifetime | quote }}
-            - name: WARREN_APP_REFRESH_TOKEN_LIFETIME
-              value: {{ .Values.refreshTokenLifetime | quote }}
-            - name: WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME
-              value: {{ .Values.ltiAccessTokenLifetime | quote }}
-            - name: WARREN_API_ROOT_URL
-              value: {{ .Values.apiRootUrl | quote }}
-            - name: WARREN_APP_ROOT_URL
-              value: {{ .Values.appRootUrl | quote }}
-            - name: WARREN_APP_ALLOWED_HOSTS
-              value: {{ include "app.allowedHosts" . }}
-            - name: WARREN_APP_CORS_ALLOWED_ORIGINS
-              value: {{ join "," .Values.corsAllowedOrigins | quote }}
+              {{- end }}
           envFrom:
+            - configMapRef:
+                name: "warren-app-env"
+            - configMapRef:
+                name: "warren-app-database"
             - secretRef:
-                name: {{ .Values.envVarsSecret | quote }}
+                name: {{ .Values.database.passwordSecretName | quote }}
+            - secretRef:
+                name: {{ .Values.secretKeySecretName | quote }}
+            - secretRef:
+                name: {{ .Values.signing.keySecretName | quote }}
           {{ with .Values.podCommand }}
           command:
             {{- toYaml . | nindent 12 }}

diff --git a/...rts/app/templates/job_collect_static.yaml → ...rts/app/templates/job-collect-static.yaml b/...rts/app/templates/job_collect_static.yaml → ...rts/app/templates/job-collect-static.yaml
@@ -5,8 +5,6 @@ metadata:
   name: "{{ .Values.jobs.collectStatic.name }}"
   labels:
     {{- include "app.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install, pre-upgrade
 spec:
   template:
     metadata:
@@ -28,30 +26,11 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-            - name: DJANGO_SETTINGS_MODULE
-              value: {{ .Values.djangoSettingsModule }}
-            - name: DJANGO_CONFIGURATION
-              value: {{ .Values.djangoConfiguration }}
-            - name: WARREN_APP_MEDIA_ROOT
-              value: {{ .Values.persistence.volumes.media.mountPath }}
-            - name: WARREN_APP_STATIC_ROOT
-              value: {{ .Values.persistence.volumes.static.mountPath }}
-            - name: WARREN_APP_DB_PORT
-              value: {{ .Values.database.port | quote }}
-            - name: WARREN_APP_SIGNING_ALGORITHM
-              value: {{ .Values.signingAlgorithm }}
-            - name: WARREN_APP_ACCESS_TOKEN_LIFETIME
-              value: {{ .Values.accessTokenLifetime | quote }}
-            - name: WARREN_APP_REFRESH_TOKEN_LIFETIME
-              value: {{ .Values.refreshTokenLifetime | quote }}
-            - name: WARREN_APP_LTI_ACCESS_TOKEN_LIFETIME
-              value: {{ .Values.ltiAccessTokenLifetime | quote }}
-            - name: WARREN_APP_ALLOWED_HOSTS
-              value: {{ include "app.allowedHosts" . }}
           envFrom:
+            - configMapRef:
+                name: "warren-app-env"
             - secretRef:
-                name: {{ .Values.envVarsSecret | quote }}
+                name: {{ .Values.secretKeySecretName | quote }}
           {{ with .Values.jobs.collectStatic.command }}
           command:
             {{- toYaml . | nindent 12 }}