From 625aedaf531f56deff4f1715b4c1a9feb54af945 Mon Sep 17 00:00:00 2001
From: Rob Kooper
Date: Tue, 7 May 2024 23:24:10 -0500
Subject: [PATCH 1/2] upgrade postgresql
---
 CHANGELOG.md | 43 ++++++++++++++++++++++++++++++++++++++++++
 Chart.lock | 8 ++++----
 Chart.yaml | 6 +++---
 templates/_helpers.tpl | 4 ++--
 values.yaml | 28 ++++++++++++++-------------
 5 files changed, 67 insertions(+), 22 deletions(-)
 create mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..afd94a1b
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,43 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## 0.5.5
+
+### Fixed
+- use new repository for postgresql chart
+
+## Changed
+- upgraded postgresql to 14.5
+
+## 0.5.4
+
+### Fixed
+- back to hooks since job completion requires RBAC role
+
+## 0.5.3
+
+### Fixed
+- need to check for table before start bety application
+
+## 0.5.2
+
+### Added
+- use new check image to use PG environment variables
+- add-user and load-db are now jobs, not hooks (prevent timeout issues)
+
+## 0.5.1
+
+## Changed
+- update README to describe values
+- fix left over when initializing from URL
+- fix binami url change
+
+## 0.5.0
+
+## Added
+- initial release of the BETY helm chart.
+- build on bety 5.4.1
\ No newline at end of file
diff --git a/Chart.lock b/Chart.lock
index 4d62d201..b85d7f72 100644
--- a/Chart.lock
+++ b/Chart.lock
@@ -1,6 +1,6 @@ dependencies: - name: postgresql - repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami - version: 8.9.9 -digest: sha256:526629d1646df6a72d4414adc89f3728f0e97e37a4e8ac65036c51e06361c7bb -generated: "2022-06-22T22:35:06.775527-05:00" + repository: oci://registry-1.docker.io/bitnamicharts + version: 11.9.13 +digest: sha256:f6c50d1570fe995f60d34ac2a25dcd502caa08ef5194624fe7db275aab8df10f +generated: "2024-05-07T22:48:59.495844-05:00" diff --git a/Chart.yaml b/Chart.yaml index 2a163901..adee35e7 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -34,8 +34,8 @@ sources: # are enabled. dependencies: - name: postgresql - version: ~8.9 - repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami + version: ~11 + repository: oci://registry-1.docker.io/bitnamicharts condition: postgres.enabled annotations: @@ -43,4 +43,4 @@ annotations: - name: Helm Chart url: https://github.com/pecanproject/bety-helm artifacthub.io/changes: | - - back to hooks since job completion requires RBAC role + - use new repository for postgresql chart diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e239785c..fd089548 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -75,13 +75,13 @@ Environment variables for PostgreSQL - name: PGPORT value: {{ include "betydb.postgresqlPort" . | quote }} - name: PGUSER - value: {{ .Values.postgresql.postgresqlUsername | default "postgres" | quote }} + value: {{ .Values.postgresql.auth.username | default "postgres" | quote }} - name: PGPASSWORD valueFrom: secretKeyRef: {{- if .Values.postgresql.enabled }} name: {{ .Release.Name }}-postgresql - key: postgresql-password + key: postgres-password {{- else }} name: {{ include "betydb.fullname" . }} key: postgresqlPassword diff --git a/values.yaml b/values.yaml index 13d48931..f0cf9c62 100644 --- a/values.yaml +++ b/values.yaml 
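Review bot: PGUSER and PGPASSWORD can now disagree in the `_helpers.tpl` hunk: PGUSER follows `.Values.postgresql.auth.username` when it is set, but PGPASSWORD is always read from the `postgres-password` key of the subchart secret, which — if I recall the bitnami 11.x secret layout correctly — holds the `postgres` superuser password, while a custom `auth.username` gets its own password under the `password` key. Either pin the user to the superuser the rest of the chart relies on, `value: "postgres"`, or choose the secret key according to whether `auth.username` is set, so the two variables always describe the same account. The postgresqlEnv template starts and ends outside this hunk.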
@@ -97,19 +97,21 @@ postgresql: ## postgresqlPort port to connect to postgresql # postgresqlPort: 5432 - ## postgresqlUsername is the initial user added to the system. This is freqently the - ## postgres user. This user will have superuser abilities. - # postgresqlUsername: postgres - - ## postgresqlPassword the password for postgresqlUsername, if using auto generated - ## password make sure to save the password as described in the notes. When upgrading - ## you will need to provide this secret otherwise a new secret will be generated but - ## not saved in the database. - postgresqlPassword: supersecret - - # need more space - persistence: - size: 20Gi + auth: + ## enablePostgresUser adds the postgres user This user will have superuser abilities. + # enablePostgresUser: true + + ## postgresPassword the password for postgres, if using auto generated + ## password make sure to save the password as described in the notes. When upgrading + ## you will need to provide this secret otherwise a new secret will be generated but + ## not saved in the database. + postgresPassword: supersecret + + # we will only configure the primary database + primary: + # need more space + persistence: + size: 20Gi # ------------------------------------------------------------------------------- From 8431af105daca479af7f671201520fec2aac2105 Mon Sep 17 00:00:00 2001 
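Review bot: The new `auth:` block documents `enablePostgresUser` and `postgresPassword` but not `auth.username`, which `templates/_helpers.tpl` now reads for PGUSER in this same patch, so an installer setting a custom user has nothing in values.yaml telling them it changes the account the chart logs in as. A commented entry alongside the others, e.g. `## username optional additional database user; PGUSER follows this value when set` and `# username: ""`, would close that gap. The `enablePostgresUser` comment is also missing a full stop before `This user will have superuser abilities`. Since the shipped default is `postgresPassword: supersecret`, the auto-generated-password path the comment describes is only taken when the installer explicitly blanks the value; the comment should say so rather than present generation as the default.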
From: Christopher Tate Date: Mon, 27 Feb 2023 22:10:53 -0700 Subject: [PATCH 2/2] Adding features like serviceAccountName for OpenShift security constraints - Fix a bug with postgresql.enabled value - Add optional serviceAccount to deployment for required security on OpenShift - Add docs for the new serviceAccount values - Allow customizing the postgresqlDatabase value and PGDATABASE environment variable on the betydb container - Allow disabling the creation of a betydb Secret in order to use an ExternalSecret from a vault instead - Remove the conflicting PGDATABASE in the init container that points to the bety database - Removing the PG_TABLE=sessions and PG_DATABASE=bety environment variable - When the PG_TABLE=sessions environment variable is set, the check-postgresql init container fails. When the deployment fails, the argocd application never completes and enters the post-install phase. The load-db Job depends on the post-install hook running, so the bety database is never created. 
- Remove post-install helm hook from load-db Job so that the bety database gets created for the Deployment - Added string around the -r 0 parameter of the command parent 9cc554112c075c1a994205d50c08e0366afb00d7 author Christopher Tate 1677561053 -0700 committer Christopher Tate 1680705101 -0600 gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8gjca+F8TU1M4A3jZbVOLA7tOVIFAmQthk0ACgkQZbVOLA7t OVIK1AgA1wYe2xmMRpyz/qQfGH7UpdoLv+az9JReXlW2+cda41VYaQahcEUSuRy3 c3iJynk5uoaO9QcR8gKGThmuO6kZYpJceyaPGP/ms+KBT+rgN9XFcUPQIGjuRIoj OplUx9IqKPrTqVLb7H448QHNDq+oST43vvmzxmXei5KSHSxq6Vrjgiqe+3UoyjdM HidKEaIYddajhpbzGiHZ96klIq5TNiU+q1xsuTzT5fsFkiPzwrpom5H5MlQ31EGg CeKpBPtG7qNI3zrK3gi9//4n8BlYqh14ncr/7Ju5MxP9bjIHyL22ksasMYL3HMxu ggwyLGRQmhbpsXoRHVbxelyi381a7w== =pmxl -----END PGP SIGNATURE----- --- README.md | 8 ++++++++ templates/_helpers.tpl | 19 +++++++++++++++++++ templates/deployment.yaml | 7 +++---- templates/hooks/load-db.yaml | 2 +- templates/secrets.yaml | 2 ++ templates/serviceAccount.yaml | 12 ++++++++++++ values.yaml | 20 ++++++++++++++++++++ 7 files changed, 65 insertions(+), 5 deletions(-) create mode 100644 templates/serviceAccount.yaml diff --git a/README.md b/README.md index 32488c9e..cafcea36 100644 --- a/README.md +++ b/README.md 
@@ -86,6 +86,14 @@ The following table lists the configurable parameters of the Bety chart and thei | `betyPassword` | Password value for bety.password | `bety` | | `betyDatabase` | Name of the database for bety.database | `bety` | +### OpenShift/Kubernetes parameters + +| Parameter | Description | Default | +|-----------------------------------|----------------------------------------------------------|--------------------------------| +| `serviceAccount.enabled` | Enable creation and use of a deployment service account | false | +| `serviceAccount.name` | Add a serviceAccountName to the deployment | `` | +| `serviceAccount.annotations` | Add annotations to the serviceAccount | {} | + ### Ingress parameters | Parameter | Description | Default | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index fd089548..38f6da4c 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -24,6 +24,23 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create a default service account name. +If release name contains chart name it will be used as a full name. +*/}} +{{- define "serviceAccount.fullname" -}} +{{- if .Values.serviceAccount.name -}} +{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} 
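Review bot: The new named template is called `serviceAccount.fullname` while every other helper in this file is namespaced as `betydb.*` (`betydb.fullname`, `betydb.labels`, `betydb.postgresqlEnv`). Helm named templates share one global namespace with every subchart the release pulls in, so an unprefixed generic name can silently override, or be overridden by, a same-named template in the postgresql dependency; `{{- define "betydb.serviceAccountName" -}}` (with the matching `include` in deployment.yaml and serviceAccount.yaml) keeps the convention and avoids the collision. The header comment is copied from `betydb.fullname` and should describe this helper instead, e.g. `Service account name: .Values.serviceAccount.name when set, otherwise the release fullname, truncated to 63 characters.`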
@@ -74,6 +91,8 @@ Environment variables for PostgreSQL value: {{ include "betydb.postgresqlHost" . | quote }} - name: PGPORT value: {{ include "betydb.postgresqlPort" . | quote }} +- name: PGDATABASE + value: {{ .Values.postgresql.postgresqlDatabase | default "postgres" | quote }} - name: PGUSER value: {{ .Values.postgresql.auth.username | default "postgres" | quote }} - name: PGPASSWORD diff --git a/templates/deployment.yaml b/templates/deployment.yaml index b9027786..3c457ea2 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -42,10 +42,6 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- include "betydb.postgresqlEnv" . | nindent 12 }} - - name: PGDATABASE - value: {{ .Values.betyDatabase | quote }} - - name: PG_TABLE - value: "sessions" containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -100,6 +96,9 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ include "serviceAccount.fullname" . | quote }} + {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} diff --git a/templates/hooks/load-db.yaml b/templates/hooks/load-db.yaml index e6e244db..19dfe1d4 100644 --- a/templates/hooks/load-db.yaml +++ b/templates/hooks/load-db.yaml @@ -49,7 +49,7 @@ spec: - -m - ${LOCAL_SERVER} - -r - - 0 + - '0' - -w - {{ .Values.dburl | quote }} {{- else }} diff --git a/templates/secrets.yaml b/templates/secrets.yaml index 70d0e937..999aa540 100644 --- a/templates/secrets.yaml +++ b/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.externalSecret }} apiVersion: v1 kind: Secret metadata: @@ -11,3 +12,4 @@ data: {{- end }} betyPassword: {{ .Values.betyPassword | b64enc | quote }} secretKey: {{ .Values.secretKey | b64enc | quote }} +{{- end }} 
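Review bot: `.Values.postgresql.postgresqlDatabase` is the pre-11 bitnami key that the previous patch in this series just removed from values.yaml in favour of the `auth:` block; as far as I know the 11.x subchart creates its initial database from `auth.database`, so with the subchart enabled this value is never the database that actually exists and PGDATABASE silently falls back to `"postgres"`. Reading `.Values.postgresql.auth.database | default "postgres"` would keep the helper and the subchart in step, and either way the key needs an entry in values.yaml (the values.yaml hunks in this patch add `externalSecret` and `serviceAccount` but no database value). The postgresqlEnv template starts and ends outside this hunk.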
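Review bot: When `externalSecret` is true this file renders nothing, yet `_helpers.tpl` still points PGPASSWORD at a Secret named by `betydb.fullname` with key `postgresqlPassword`, and the deployment presumably still reads `betyPassword` and `secretKey` from the same object; nothing in the template states what the externally managed Secret must provide. A header comment above the `if`, such as `{{/* Skipped when .Values.externalSecret is true; the operator must then supply a Secret named <release fullname> carrying the keys postgresqlPassword, betyPassword and secretKey */}}`, puts that contract where the Secret is defined rather than only in values.yaml. The `data:` block continues outside the hunk.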
diff --git a/templates/serviceAccount.yaml b/templates/serviceAccount.yaml new file mode 100644 index 00000000..97486121 --- /dev/null +++ b/templates/serviceAccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "serviceAccount.fullname" . }} + labels: + {{- include "betydb.labels" . | nindent 4 }} + annotations: + {{- with .Values.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/values.yaml b/values.yaml index f0cf9c62..b9a7ba25 100644 --- a/values.yaml +++ b/values.yaml @@ -39,6 +39,11 @@ betyDatabase: bety ## changed users will not be able to login with their existing passwords. secretKey: thisisnotasecret +## Set to true if you will be managing the `betydb` secret with external secrets. +## The `betydb` secret includes `betyPassword`, `postgresqlPassword`, +## and `secretKey`. +externalSecret: false + ## dbtag is the tag of the database to load. Normally will use latest to ## make sure latest tag is loaded, this might not work with an older database. ## set this to "" to not load the database @@ -171,6 +176,21 @@ resources: {} ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector nodeSelector: {} +serviceAccount: + + # Specifies whether a service account should be added to the deployment + enabled: false + + # Specifies whether a service account should be created + create: false + + # Annotations to add to the service account + annotations: {} + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## Tolerations ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: []
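Review bot: `annotations:` is emitted unconditionally while its content is wrapped in `with`, so with the default `annotations: {}` the rendered ServiceAccount carries a bare `annotations:` key with a null value. Moving the key inside the guard keeps the manifest clean: `{{- with .Values.serviceAccount.annotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}`, closed by the existing `{{- end }}`. Separately, `name:` here uses the helper without `| quote` whereas deployment.yaml quotes the same include; the two should use one form.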
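Review bot: `serviceAccount.create` is introduced in the second values.yaml hunk but nothing in this patch reads it — serviceAccount.yaml and deployment.yaml both key off `serviceAccount.enabled` — so the default `create: false` has no effect, and the README table (which lists only `enabled`, `name` and `annotations`) is the accurate description. Either drop `create`, or gate serviceAccount.yaml on `.Values.serviceAccount.create` so that `enabled: true` with `create: false` means "reference an existing account", which is the common OpenShift setup this commit targets. The comment on `name` should then match the helper's actual behaviour: `# If not set and enabled is true, a name is generated using the fullname template`.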