[TT-5906] Add a pre-hook to validate Dashboard license (#112)

* add pre-install hook that verifies dashboard licenses Signed-off-by: Burak Sekili <[email protected]> * Add hook annotations to serviceaccounts and update command of job pod Signed-off-by: Burak Sekili <[email protected]> * Add temporary image registeries for bootstrap Signed-off-by: Burak Sekili <[email protected]> * change image repositories to official one Signed-off-by: Burak Sekili <[email protected]> --------- Signed-off-by: Burak Sekili <[email protected]> Co-authored-by: andrei-tyk <[email protected]> Co-authored-by: Pranshu <[email protected]>
TykTechnologies · Sep 12, 2023 · 6dc091f · 6dc091f
1 parent b90aa15
commit 6dc091f
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 4 deletions.
diff --git a/components/tyk-bootstrap/templates/bootstrap-post-install.yaml b/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
@@ -62,8 +62,6 @@ spec:
               {{- end }}
             - name: TYK_DB_LISTENPORT
               value: "{{ .Values.global.servicePorts.dashboard }}"
-            - name: TYK_DB_LICENSEKEY
-              value: {{ .Values.global.license.dashboard | quote }}
             - name: TYK_ADMIN_SECRET
               {{- if not .Values.global.secrets.useSecretName }}
               value: {{ .Values.global.secrets.AdminSecret | quote }}

diff --git a/components/tyk-bootstrap/templates/bootstrap-pre-install.yaml b/components/tyk-bootstrap/templates/bootstrap-pre-install.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.bootstrap.dashboard.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name:  {{ .Values.bootstrap.jobs.bootstrapPreInstallJobName }}
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+
+    # Removed the use of appVersion since it's not accurate. We'll put it back in v1.0
+    # when every app will have its own a chart
+    # app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      annotations:
+        {{- if .Values.bootstrap.podAnnotations.preInstallPodAnnotations }}
+        {{ toYaml .Values.bootstrap.podAnnotations.preInstallPodAnnotations | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: k8s-bootstrap-role
+      containers:
+        - name: bootstrap-tyk-pre-install
+          image: tykio/tyk-k8s-bootstrap-pre-install:latest
+          command: ['/app/bin/bootstrap-app-pre-install']
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: TYK_DB_LICENSEKEY
+              value: {{ .Values.global.license.dashboard | quote }}
+      restartPolicy: Never
+      terminationGracePeriodSeconds: 0
+{{- end }}
+
diff --git a/components/tyk-bootstrap/templates/bootstrap-role-binding.yml b/components/tyk-bootstrap/templates/bootstrap-role-binding.yml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: k8s-bootstrap-role
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
 subjects:
 - kind: ServiceAccount
   name: k8s-bootstrap-role

diff --git a/components/tyk-bootstrap/templates/bootstrap-role.yml b/components/tyk-bootstrap/templates/bootstrap-role.yml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: k8s-bootstrap-role
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
 rules:
 #
 # Give here only the privileges you need

diff --git a/components/tyk-bootstrap/templates/bootstrap-serviceaccount.yml b/components/tyk-bootstrap/templates/bootstrap-serviceaccount.yml
@@ -3,4 +3,8 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: k8s-bootstrap-role
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
 {{- end }}
diff --git a/components/tyk-bootstrap/values.yaml b/components/tyk-bootstrap/values.yaml
@@ -70,8 +70,7 @@ bootstrap:
   jobs:
     # Name of bootstrap job created when running the tyk-bootstrap chart. (needed for cleanup)
     bootstrapJobName: bootstrap-post-install
-
-
+    bootstrapPreInstallJobName: bootstrap-pre-install
 
   org:
     # The name for your organization inside Tyk
@@ -99,5 +98,6 @@ bootstrap:
   #     key: value
   #     post: install
   podAnnotations:
+    preInstallPodAnnotations: {}
     postInstallPodAnnotations: {}
     preDeletePodAnnotations: {}