From 533acff6fef77200c2a51d86f21699d0874cd3a6 Mon Sep 17 00:00:00 2001 From: wkoot <3715211+wkoot@users.noreply.github.com> Date: Tue, 30 Apr 2024 23:13:15 +0200 Subject: [PATCH] WIP --- docs/src/deployment.md | 19 +++++++++++++++ helm/Chart.yaml | 4 ++-- helm/templates/api_server.yaml | 43 +++++++++++++++++++++++----------- helm/templates/collector.yaml | 21 ++++++++++++++--- helm/templates/database.yaml | 34 +++++++++++++++++++-------- helm/templates/frontend.yaml | 7 +++--- helm/templates/notifier.yaml | 21 ++++++++++++++--- helm/templates/renderer.yaml | 11 ++++----- helm/templates/shared.yaml | 13 ---------- helm/templates/www.yaml | 25 +++++++++++++------- helm/values.yaml | 22 +++++++++++++---- 11 files changed, 152 insertions(+), 68 deletions(-) delete mode 100644 helm/templates/shared.yaml diff --git a/docs/src/deployment.md b/docs/src/deployment.md index b8d997e783..af89431d63 100644 --- a/docs/src/deployment.md +++ b/docs/src/deployment.md @@ -40,6 +40,12 @@ For example: - "1080:${PROXY_PORT:-80}" ``` +## Kubernetes + +The helm chart for deploying on Kubernetes does not support overriding port numbers. +Setting port environment variables in the `values.yaml` will not change the service port mapping, while the app within the pod will listen on the altered port. +Instead, only the ingress should be configured. + ## Configuring authentication (mandatory) You need to either configure an LDAP server to authenticate users with or configure forwarded authentication. 
@@ -48,6 +54,7 @@ You need to either configure an LDAP server to authenticate users with or config To configure an LDAP server to authenticate users with, set the `LDAP_URL`, `LDAP_ROOT_DN`, `LDAP_LOOKUP_USER_DN`, `LDAP_LOOKUP_USER_PASSWORD`, and `LDAP_SEARCH_FILTER` environment variables. Note that `LDAP_URL` may be a comma-separated list of LDAP connection URL(s). + Add the LDAP environment variables to the API-server service in the [compose file](https://github.com/ICTU/quality-time/blob/master/docker/docker-compose.yml): ```yaml @@ -60,6 +67,18 @@ Add the LDAP environment variables to the API-server service in the [compose fil - LDAP_SEARCH_FILTER=(|(uid=$username)(cn=$username)) ``` +Alternatively, for a Kubernetes deployment, add the LDAP environment variables to the API-server service in the [Helm values.yaml](https://github.com/ICTU/quality-time/blob/master/helm/values.yaml): + +```yaml +api_server: + env: + LDAP_URL: "ldap://host.docker.internal:389" + LDAP_ROOT_DN: "dc=example,dc=org" + LDAP_LOOKUP_USER_DN: "cn=admin,dc=example,dc=org" + LDAP_LOOKUP_USER_PASSWORD: "admin" + LDAP_SEARCH_FILTER: "(|(uid=$$username)(cn=$$username))" +``` + When using the `LDAP_SEARCH_FILTER` as shown above, users can use either their LDAP canonical name (`cn`) or their LDAP user id to login. The `$username` variable is filled by *Quality-time* at run time with the username that the user enters in the login dialog box. ```{seealso} diff --git a/helm/Chart.yaml b/helm/Chart.yaml index e01ebcc661..df9fa387ce 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ --- apiVersion: v2 -name: Quality-time +name: quality-time version: 1.0.0 -appVersion: "v5.11.0" +appVersion: "v5.14.0-rc.1" description: Helm chart for Quality-time, an automated quality system for software development and maintenance type: application home: https://github.com/ICTU/Quality-time diff --git a/helm/templates/api_server.yaml b/helm/templates/api_server.yaml index 0716908022..9f594e832c 100644 
--- a/helm/templates/api_server.yaml +++ b/helm/templates/api_server.yaml @@ -29,24 +29,39 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "api_server_name" . }}-env - - configMapRef: - name: {{ .Release.Name }}-shared-env + optional: true env: - - name: DATABASE_URL - value: "mongodb://root:root@{{ .Release.Name }}-{{ template "database_name" . }}:27017" -{{- if .Values.ldap }} + - name: DATABASE_HOST + value: {{ .Release.Name }}-{{ template "database_name" . }} + - name: DATABASE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_USERNAME + optional: true + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_PASSWORD + optional: true - name: LDAP_LOOKUP_USER_DN - value: "{{ .Values.ldap.lookupUserDN }}" + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.ldapCredential }} + key: LDAP_LOOKUP_USER_DN + optional: true - name: LDAP_LOOKUP_USER_PASSWORD - value: "{{ .Values.ldap.lookupUserPassword }}" - - name: LDAP_ROOT_DN - value: "{{ .Values.ldap.rootDN }}" - - name: LDAP_SEARCH_FILTER - value: "{{ .Values.ldap.search }}" - - name: LDAP_URL - value: "{{ .Values.ldap.url }}" + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.ldapCredential }} + key: LDAP_LOOKUP_USER_PASSWORD + optional: true + - name: LDAP_SEARCH_FILTER # override to make sure that double dollar signs are processed like in docker + value: {{ .Values.api_server.env.LDAP_SEARCH_FILTER }} +{{- with .Values.api_server.resources }} + resources: {{- toYaml . | nindent 12 }} {{- end }} - resources: {} securityContext: capabilities: drop: diff --git a/helm/templates/collector.yaml b/helm/templates/collector.yaml index 363bc0830f..b811e641bb 100644 --- a/helm/templates/collector.yaml +++ b/helm/templates/collector.yaml 
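Review bot: Every `secretKeyRef` added in this hunk carries `optional: true`, so if the Secret named by `.Values.secrets.dbCredential` or `.Values.secrets.ldapCredential` is absent or misspelled, the pod still starts with `DATABASE_USERNAME`, `DATABASE_PASSWORD` and the LDAP bind credentials unset instead of failing to start. Whether the application then falls back to built-in defaults is not visible here, but the removed `mongodb://root:root@…` URL suggests it may; dropping `optional: true` on the credential keys makes a missing Secret fail loudly. The same pattern is in the collector.yaml and notifier.yaml hunks and in the second database.yaml hunk, where it applies to `MONGO_INITDB_ROOT_USERNAME` and `MONGO_INITDB_ROOT_PASSWORD`. Separately, `value: {{ .Values.api_server.env.LDAP_SEARCH_FILTER }}` is rendered unquoted; `value: {{ .Values.api_server.env.LDAP_SEARCH_FILTER | quote }}` keeps a filter containing `: ` or ` #` from changing the YAML structure. The container spec starts and ends outside the hunk.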
@@ -29,10 +29,25 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "collector_name" . }}-env + optional: true env: - - name: DATABASE_URL - value: "mongodb://root:root@{{ .Release.Name }}-{{ template "database_name" . }}:27017" - resources: {} + - name: DATABASE_HOST + value: {{ .Release.Name }}-{{ template "database_name" . }} + - name: DATABASE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_USERNAME + optional: true + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_PASSWORD + optional: true +{{- with .Values.collector.resources }} + resources: {{- toYaml . | nindent 12 }} +{{- end }} securityContext: capabilities: drop: diff --git a/helm/templates/database.yaml b/helm/templates/database.yaml index a321daf852..d16fbade7c 100644 --- a/helm/templates/database.yaml +++ b/helm/templates/database.yaml @@ -27,6 +27,11 @@ spec: - name: {{ .Release.Name }}-{{ template "database_name" . }} persistentVolumeClaim: claimName: {{ .Release.Name }}-{{ template "database_name" . }} + {{- if .Values.database.backupVol }} + - name: backups + persistentVolumeClaim: + claimName: {{ .Values.database.backupVol.claimName }} + {{- end }} containers: - name: {{ template "database_name" . }} image: "{{ .Values.database.image.repository }}:{{ .Values.database.image.tag | default .Chart.AppVersion }}" 
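Review bot: In the first database.yaml hunk, `claimName: {{ .Values.database.backupVol.claimName }}` is rendered as soon as `database.backupVol` is truthy, so a `backupVol` that sets only `mountPath` produces `claimName:` with a null value and the mistake surfaces at apply time rather than at render time. Writing it as `claimName: {{ required "database.backupVol.claimName is required" .Values.database.backupVol.claimName | quote }}` reports it from `helm template`. The matching `mountPath` in the later volumeMounts hunk has the same gap. `backupVol` does not appear in the visible `values.yaml` hunks, so a commented example there would document the two keys. The pod spec starts and ends outside the hunk.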
@@ -34,18 +39,23 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "database_name" . }}-env + optional: true env: - - name: MONGO_INITDB_ROOT_PASSWORD - value: "root" - name: MONGO_INITDB_ROOT_USERNAME - value: "root" - resources: - limits: - cpu: "2" - memory: "2Gi" - requests: - cpu: "1" - memory: "1Gi" + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_USERNAME + optional: true + - name: MONGO_INITDB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_PASSWORD + optional: true +{{- with .Values.database.resources }} + resources: {{- toYaml . | nindent 12 }} +{{- end }} securityContext: capabilities: add: @@ -58,6 +68,10 @@ spec: volumeMounts: - mountPath: /data/db name: {{ .Release.Name }}-{{ template "database_name" . }} + {{- if .Values.database.backupVol }} + - mountPath: {{ .Values.database.backupVol.mountPath }} + name: backups + {{- end }} restartPolicy: Always --- apiVersion: v1 diff --git a/helm/templates/frontend.yaml b/helm/templates/frontend.yaml index 7edd8c201c..be52ca172a 100644 --- a/helm/templates/frontend.yaml +++ b/helm/templates/frontend.yaml @@ -29,9 +29,10 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "frontend_name" . }}-env - - configMapRef: - name: {{ .Release.Name }}-shared-env - resources: {} + optional: true +{{- with .Values.frontend.resources }} + resources: {{- toYaml . | nindent 12 }} +{{- end }} securityContext: capabilities: drop: diff --git a/helm/templates/notifier.yaml b/helm/templates/notifier.yaml index 1913a01935..7385737869 100644 --- a/helm/templates/notifier.yaml +++ b/helm/templates/notifier.yaml 
@@ -29,10 +29,25 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "notifier_name" . }}-env + optional: true env: - - name: DATABASE_URL - value: "mongodb://root:root@{{ .Release.Name }}-{{ template "database_name" . }}:27017" - resources: {} + - name: DATABASE_HOST + value: {{ .Release.Name }}-{{ template "database_name" . }} + - name: DATABASE_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_USERNAME + optional: true + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.dbCredential }} + key: DATABASE_PASSWORD + optional: true +{{- with .Values.notifier.resources }} + resources: {{- toYaml . | nindent 12 }} +{{- end }} securityContext: capabilities: drop: diff --git a/helm/templates/renderer.yaml b/helm/templates/renderer.yaml index 3689f8fb29..2e2d893c47 100644 --- a/helm/templates/renderer.yaml +++ b/helm/templates/renderer.yaml @@ -29,14 +29,13 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "renderer_name" . }}-env + optional: true env: - - name: LC_ALL - value: "en_GB.UTF-8" - name: PROXY_HOST - value: "{{ .Release.Name }}-{{ template "www_name" . }}" - - name: TZ - value: "Europe/Amsterdam" - resources: {} + value: {{ .Release.Name }}-{{ template "www_name" . }} +{{- with .Values.renderer.resources }} + resources: {{- toYaml . | nindent 12 }} +{{- end }} securityContext: capabilities: drop: diff --git a/helm/templates/shared.yaml b/helm/templates/shared.yaml deleted file mode 100644 index 55afd116c5..0000000000 --- a/helm/templates/shared.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-shared-env - labels: - app.kubernetes.io/name: {{ .Chart.Name }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: "shared" -data: -{{- range $key, $val := .Values.shared.env }} - {{ $key }}: "{{ $val }}" -{{- end }} 
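Review bot: In the renderer.yaml hunk the container is given only `PROXY_HOST`, while the www.yaml hunks in this patch move the proxy Service from port 80 to 8080 and set `PROXY_PORT` to `"8080"` on the www container alone. If the renderer image builds its proxy URL from `PROXY_PORT` with a default of 80 (not visible here), it will no longer reach the www Service. Adding `- name: PROXY_PORT` with `value: "8080"` next to `PROXY_HOST` would keep the two in step. The env list starts outside the hunk.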
diff --git a/helm/templates/www.yaml b/helm/templates/www.yaml index 57eec5d64e..d15481849f 100644 --- a/helm/templates/www.yaml +++ b/helm/templates/www.yaml @@ -29,20 +29,25 @@ spec: envFrom: - configMapRef: name: {{ .Release.Name }}-{{ template "www_name" . }}-env - - configMapRef: - name: {{ .Release.Name }}-shared-env + optional: true env: - name: API_SERVER_HOST - value: "{{ .Release.Name }}-{{ template "api_server_name" . }}" + value: {{ .Release.Name }}-{{ template "api_server_name" . }} - name: FRONTEND_HOST - value: "{{ .Release.Name }}-{{ template "frontend_name" . }}" + value: {{ .Release.Name }}-{{ template "frontend_name" . }} + - name: PROXY_PORT + value: "8080" ports: - - containerPort: 80 - resources: {} + - containerPort: 8080 +{{- with .Values.www.resources }} + resources: {{- toYaml . | nindent 12 }} +{{- end }} securityContext: capabilities: add: - CHOWN + - SETGID + - SETUID drop: - ALL restartPolicy: Always @@ -63,8 +68,8 @@ spec: app.kubernetes.io/component: {{ template "www_name" . }} ports: - protocol: TCP - port: 80 - targetPort: 80 + port: 8080 + targetPort: 8080 sessionAffinity: None --- {{- if .Values.www.ingress -}} @@ -90,12 +95,14 @@ spec: service: name: {{ .Release.Name }}-{{ template "www_name" . }} port: - number: 80 + number: 8080 path: / pathType: ImplementationSpecific +{{- if .Values.www.ingress.tls }} tls: {{ toYaml .Values.www.ingress.tls | indent 4 }} {{- end }} +{{- end }} --- apiVersion: v1 kind: ConfigMap diff --git a/helm/values.yaml b/helm/values.yaml index 34f6749f95..821113a028 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -1,7 +1,15 @@ --- +secrets: + dbCredential: "quality-time-db-secret" + ldapCredential: "quality-time-ldap-secret" + api_server: image: repository: "ictu/quality-time_api_server" + env: + LDAP_URL: "ldap://host.docker.internal:389" + LDAP_ROOT_DN: "dc=example,dc=org" + LDAP_SEARCH_FILTER: "(|(uid=$$username)(cn=$$username))" collector: image: 
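Review bot: The `securityContext` in the first www.yaml hunk now adds `SETGID` and `SETUID` on top of `CHOWN`, and the visible block sets nothing besides `capabilities`, so the container gains the ability to switch user and group identities with no `allowPrivilegeEscalation: false` next to it. The move from port 80 to 8080 removes the need for a privileged port, so a comment should state why the two capabilities are still required, e.g. `# SETGID/SETUID: needed by the proxy to drop from root to its worker user` if that is the reason (not visible here). Adding `allowPrivilegeEscalation: false` under `securityContext` would bound what those capabilities can be used for. The container spec starts outside the hunk.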
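Review bot: In the first values.yaml hunk, `secrets.dbCredential` and `secrets.ldapCredential` name Secrets that no template touched by this patch creates, and the keys the templates read from them are not documented here. A comment above the block such as `# Names of pre-existing Secrets; dbCredential must hold DATABASE_USERNAME and DATABASE_PASSWORD, ldapCredential must hold LDAP_LOOKUP_USER_DN and LDAP_LOOKUP_USER_PASSWORD` would tell operators what to provision. The default `LDAP_URL: "ldap://host.docker.internal:389"` is a Docker Desktop hostname over unencrypted LDAP, so bind and user passwords would cross the network in cleartext if it is copied as-is; a comment recommending `ldaps://` for real deployments would be worth adding.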
@@ -10,6 +18,13 @@ collector: database: image: repository: "ictu/quality-time_database" + resources: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "1Gi" frontend: image: @@ -22,12 +37,9 @@ notifier: renderer: image: repository: "ictu/quality-time_renderer" - -shared: env: - API_SERVER_PORT: "5001" - FRONTEND_PORT: "5000" - PROXY_PORT: "80" + LC_ALL: "en_GB.UTF-8" + TZ: "Europe/Amsterdam" www: image: