Helm3 chart fixes (#64)

* new generic utils * fix scheme in notes and ingresses + values for generic scripts * move migrations to init containers * new generic utils * fix scheme in notes and ingresses + values for generic scripts * move migrations to init containers * fix versions * update readme * emphasize some parts of readme * remove chart beta warning * add future version of octopod to the chart * Update charts/helm3/octopod/README.md Co-authored-by: iko <ilyakooo0@gmail.com> * Update charts/helm3/octopod/README.md Co-authored-by: iko <ilyakooo0@gmail.com> * add an ability to have a fixed secret for ui basic auth * dont ask for cliauth header if vault is enabled * add readme section about ui auth * Refined wording Co-authored-by: iko <ilyakooo0@gmail.com>
2024-11-26 10:33:03 +03:00 · 2021-08-23 16:42:45 +03:00 · 2021-08-23 16:42:45 +03:00 · e2c109213b
commit e2c109213b
parent 648e654ece
10 changed files with 102 additions and 110 deletions
--- a/charts/helm3/octopod/Chart.yaml
+++ b/charts/helm3/octopod/Chart.yaml
@ -2,8 +2,8 @@ apiVersion: v2
 name: octopod
 description: An opensource self-hosted solution for managing multiple deployments in a Kubernetes cluster.
 type: application
-version: 0.4.0
-appVersion: 1.3
+version: 0.5.0
+appVersion: 1.3.1
 keywords:
  - kubernetes
  - octopod
--- a/charts/helm3/octopod/README.md
+++ b/charts/helm3/octopod/README.md
@ -1,14 +1,12 @@
 # Octopod

-### This is beta version of a chart!
-
 [Octopod](https://octopod.site/) is a fully open-source self-hosted solution for managing multiple deployments in a Kubernetes cluster with a user-friendly web interface. Managing deployments does not require any technical expertise.

 ## TL;DR
 ```console
-helm repo add typeable https://typeable.github.io/octopod/
-kubectl create ns octopod-deployment
-helm install octopod typeable/octopod --set octopod.baseDomain="your-domain.com"
+$ helm repo add typeable https://typeable.github.io/octopod/
+$ kubectl create ns octopod-deployment
+$ helm install octopod typeable/octopod --set octopod.baseDomain="your-domain.com"
 ```

 ## Introduction
@ -33,27 +31,12 @@ Second in which Octopod will deploy all it's deployments (configured in octopod.
 ```console
 $ kubectl create namespace octopod-deployments
 ```
-Also you need to generate certificates for octo client<->octopod server communication.
-
-Generate certificates
-```bash
-mkdir certs
-cd certs && \
-openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -subj "/CN=localhost/O=Server" && \
-openssl req -newkey rsa:4096 -keyout client_key.pem -out client_csr.pem -nodes -subj "/CN=Client" && \
-openssl x509 -req -in client_csr.pem -CA server_cert.pem -CAkey server_key.pem -out client_cert.pem -set_serial 01 -days 3650
-
-```
-Create configmap from generated certificates
-```console
-kubectl create configmap octopod-certs -n octopod --from-file=./certs
-```
-Name for configmap is cofigured in octopod.certsConfigMapName  
+  
 To install the chart with the release name `my-release` from current directory execute:

 ```console
 $ helm repo add typeable https://typeable.github.io/octopod/
-# helm -n octopod install my-release typeable/octopod 
+$ helm -n octopod install my-release typeable/octopod --set octopod.baseDomain="your-domain.com"
 ```

 The command deploys Octopod on the Kubernetes cluster in the default configuration inside octopod namespace. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
@ -68,6 +51,17 @@ $ helm -n octopod delete my-release

 The command removes all the Kubernetes components but PVC's associated with the postgres chart and deletes the release.

+## Note about generated values
+Some values (such as passwords) in this chart (and its dependencies) are generated automatically, but due to [a limitation in helm](https://github.com/helm/charts/issues/5167) the values are changing on every upgrade. To prevent this you must fix these values by providing them via `--set` flags or in the [values file](https://helm.sh/docs/chart_template_guide/values_files/).
+
+These values are:
+- `postgresql.postgresqlPassword` - main db password
+- `postgresql.postgresqlPostgresPassword` - password for "postgres" user
+- `octopod.cliAuthSecret` - auth header for octo cli tool
+- `octopod.uiAuthSecret` - basic auth secret for ui->octopod communication
+
+Note: if these values are not provided, the `helm upgrade` command can fail or Octopod will not work after the upgrade.
+
 ## Parameters

 The following tables lists the configurable parameters of the Octopod chart and their default values.
@ -102,6 +96,7 @@ The following tables lists the configurable parameters of the Octopod chart and
 | octopod.archiveRetention | int | `1209600` |  |
 | octopod.baseDomain | string | `""` | Domain that will be used as a ase for Octopod deploymets and ingress hosts|
 | octopod.cliAuthSecret | string | `nil` | Auth Header for accessing octopod using octo CLI |
+| octopod.uiAuthSecret | string | `nil` | Basic auth secret for securing communcation between octopod UI and backend API  |
 | octopod.deploymentNamespace | string | `"octopod-deployment"` | Name of a namespace which will be used for all Octopod deployments (you need to create it yourself) |
 | octopod.env | object | `{}` | key value map for supplying additional environment variables for octopod or your control scripts |
 | octopod.migrations.enabled | bool | `true` | Enable or not automatic DB schema migrations |
--- a/charts/helm3/octopod/templates/NOTES.txt
+++ b/charts/helm3/octopod/templates/NOTES.txt
@ -1,8 +1,8 @@
 Thank you for installing Octopod!
-You can access UI here: https://{{ include "uiIngressHost" . }}
-To access octopod via octo CLI you can use this url https://{{ include "powerAppIngressHost" . }}
+You can access UI here: {{ include "httpScheme" . }}://{{ include "uiIngressHost" . }}
+To access octopod via octo CLI you can use this url {{ include "httpScheme" . }}://{{ include "powerAppIngressHost" . }}
 To get you CLI secret you need to execute this command:
  kubectl -n {{ .Release.Namespace }} get secret {{ include "octopodCliAuthSecretName" . }} -o jsonpath='{.data.cli-secret}' | base64 -d
-{{ if and (not .Values.octopod.cliAuthSecret) .Release.IsUpgrade }}
+{{ if and (not .Values.octopod.cliAuthSecret) (not .Values.vault.enabled) .Release.IsUpgrade }}
 {{ fail "To upgrade you need to set octopod.cliAuthSecret variable with your current secret" }}
 {{- end }}
--- a/charts/helm3/octopod/templates/_helpers.tpl
+++ b/charts/helm3/octopod/templates/_helpers.tpl
@ -135,4 +135,12 @@ octopod-app.{{ .Values.octopod.baseDomain }}
 {{- else }}
 {{- randAlphaNum 32 }}
 {{- end }}
+{{- end }}
+
+{{- define "octopodUiAuthSecret" -}}
+{{- if .Values.octopod.uiAuthSecret -}}
+{{ .Values.octopod.uiAuthSecret }}
+{{- else }}
+{{- randAlphaNum 32 }}
+{{- end }}
 {{- end }}
--- a/charts/helm3/octopod/templates/deployment.yaml
+++ b/charts/helm3/octopod/templates/deployment.yaml
@ -45,6 +45,60 @@ spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
+        - name: copy-migrations
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          command:
+          - "bash"
+          - "-ec"
+          - |
+            set -ex
+
+            # copy migrations
+            cp -av /migrations/* /mymigrations
+
+            # create sqitch.conf
+            echo '[core]' > /mymigrations/sqitch.conf
+            echo 'engine = pg' >> /mymigrations/sqitch.conf
+            echo 'plan_file = sqitch.plan' >> /mymigrations/sqitch.conf
+            echo 'top_dir = .' >> /mymigrations/sqitch.conf
+            echo '[engine "pg"]' >> /mymigrations/sqitch.conf
+            echo '  registry = sqitch' >> /mymigrations/sqitch.conf
+            echo '[deploy]' >> /mymigrations/sqitch.conf
+            echo '  verify = true' >> /mymigrations/sqitch.conf
+            echo '[rebase]' >> /mymigrations/sqitch.conf
+            echo '  verify = true' >> /mymigrations/sqitch.conf
+            echo '[target "octopod"]' >> /mymigrations/sqitch.conf
+            echo 'uri = db:pg://{{ .Values.postgresql.postgresqlUsername }}:$(PG_PASS)@{{ include "postgresqlHost" . }}/{{ .Values.postgresql.postgresqlDatabase }}' >> /mymigrations/sqitch.conf
+          env:
+            - name: PG_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresqlSecretName" . }}
+                  key: postgresql-password
+          volumeMounts:
+          - name: migrations
+            mountPath: /mymigrations
+        - name: run-migrations
+          image: "{{ .Values.sqitch.image.repository }}:{{ .Values.sqitch.image.tag }}"
+          command:
+          - "bash"
+          - "-c"
+          - |
+            set -x
+            echo 'checking connection to postgresql...'
+            for i in $(seq 1 6); do psql "postgres://{{ .Values.postgresql.postgresqlUsername }}:$(PG_PASS)@{{ include "postgresqlHost" . }}/{{ .Values.postgresql.postgresqlDatabase }}" -c ''; if [ $? -eq 0 ]; then break; fi; sleep 10; done
+            set -e
+            echo 'run migrations...'
+            cd /migrations && /usr/local/bin/sqitch deploy octopod
+          env:
+            - name: PG_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postgresqlSecretName" . }}
+                  key: postgresql-password
+          volumeMounts:
+          - name: migrations
+            mountPath: /migrations
        - name: copy-control-scripts
          image: "{{ .Values.controlScripts.image.repository }}:{{ .Values.controlScripts.image.tag }}"
          imagePullPolicy: {{ .Values.controlScripts.image.pullPolicy }}
@ -179,6 +233,8 @@ spec:
        emptyDir: {}
      - name: www
        emptyDir: {}
+      - name: migrations
+        emptyDir: {}
      - name: nginx-config
        configMap:
          name: {{ include "octopod.fullname" . }}-nginx-config
--- a/charts/helm3/octopod/templates/ingress-app.yaml
+++ b/charts/helm3/octopod/templates/ingress-app.yaml
@ -24,7 +24,7 @@ metadata:
    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-origin: {{ printf "%s://%s" (include "httpScheme" .) .Values.ingress.ui.host | quote }}
+    nginx.ingress.kubernetes.io/cors-allow-origin: {{ printf "%s://%s" (include "httpScheme" .) (include "uiIngressHost" .) | quote }}
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, PATCH, OPTIONS"
    {{- with .Values.ingress.app.annotations }}
      {{- toYaml . | nindent 4 }}
--- a/charts/helm3/octopod/templates/ingress-powerapp.yaml
+++ b/charts/helm3/octopod/templates/ingress-powerapp.yaml
@ -24,7 +24,7 @@ metadata:
      {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
-  {{- if .Values.ingress.tls }}
+  {{- if .Values.ingress.tls.enabled }}
  tls:
    - hosts:
        - {{ include "powerAppIngressHost" . }}
--- a/charts/helm3/octopod/templates/migration-job.yaml
+++ b/charts/helm3/octopod/templates/migration-job.yaml
@ -1,77 +0,0 @@
-{{- if .Values.octopod.migrations.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "octopod.fullname" . }}-migrations
-  labels:
-    {{- include "octopod.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded
-spec:
-  activeDeadlineSeconds: 600
-  template:
-    spec:
-      initContainers:
-        - name: copy
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          command:
-          - "bash"
-          - "-ec"
-          - |
-            set -ex
-
-            # copy migrations
-            cp -av /migrations/* /mymigrations
-
-            # create sqitch.conf
-            echo '[core]' > /mymigrations/sqitch.conf
-            echo 'engine = pg' >> /mymigrations/sqitch.conf
-            echo 'plan_file = sqitch.plan' >> /mymigrations/sqitch.conf
-            echo 'top_dir = .' >> /mymigrations/sqitch.conf
-            echo '[engine "pg"]' >> /mymigrations/sqitch.conf
-            echo '  registry = sqitch' >> /mymigrations/sqitch.conf
-            echo '[deploy]' >> /mymigrations/sqitch.conf
-            echo '  verify = true' >> /mymigrations/sqitch.conf
-            echo '[rebase]' >> /mymigrations/sqitch.conf
-            echo '  verify = true' >> /mymigrations/sqitch.conf
-            echo '[target "octopod"]' >> /mymigrations/sqitch.conf
-            echo 'uri = db:pg://{{ .Values.postgresql.postgresqlUsername }}:$(PG_PASS)@{{ include "postgresqlHost" . }}/{{ .Values.postgresql.postgresqlDatabase }}' >> /mymigrations/sqitch.conf
-          env:
-            - name: PG_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "postgresqlSecretName" . }}
-                  key: postgresql-password
-          volumeMounts:
-          - name: migrations
-            mountPath: /mymigrations
-      containers:
-        - name: migrations
-          image: "{{ .Values.sqitch.image.repository }}:{{ .Values.sqitch.image.tag }}"
-          command:
-          - "bash"
-          - "-c"
-          - |
-            set -x
-            echo 'checking connection to postgresql...'
-            for i in $(seq 1 6); do psql "postgres://{{ .Values.postgresql.postgresqlUsername }}:$(PG_PASS)@{{ include "postgresqlHost" . }}/{{ .Values.postgresql.postgresqlDatabase }}" -c ''; if [ $? -eq 0 ]; then break; fi; sleep 10; done
-            set -e
-            echo 'run migrations...'
-            cd /migrations && /usr/local/bin/sqitch deploy octopod
-          env:
-            - name: PG_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "postgresqlSecretName" . }}
-                  key: postgresql-password
-          volumeMounts:
-          - name: migrations
-            mountPath: /migrations
-
-      volumes:
-        - name: migrations
-          emptyDir: {}
-      restartPolicy: Never
-  backoffLimit: 3
-{{- end }}
--- a/charts/helm3/octopod/templates/nginx-configmap.yaml
+++ b/charts/helm3/octopod/templates/nginx-configmap.yaml
@ -1,4 +1,4 @@
-{{- $octopodAppAuthPassword := randAlphaNum 32 -}}
+{{- $octopodAppAuthPassword := include "octopodUiAuthSecret" . -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
--- a/charts/helm3/octopod/values.yaml
+++ b/charts/helm3/octopod/values.yaml
@ -83,13 +83,23 @@ octopod:
  archiveRetention: 1209600
  migrations:
    enabled: true
-  env: {}
+  env:
+    HELM_BIN: "/utils/helm"
+    KUBECTL_BIN: "/utils/kubectl"
+    DEFAULTS: |
+     {
+      "chart_name": "wordpress",
+      "chart_repo_name": "bitnami",
+      "chart_repo_url": "https://charts.bitnami.com/bitnami",
+      "chart_version": "12.0.0",
+      "default_overrides": []
+     }
  vaultEnv: {}
 controlScripts:
  image:
-    repository: typeable/octopod-helm-example
+    repository: typeable/octopod-generic-utils
    pullPolicy: IfNotPresent
-    tag: 1.1
+    tag: 0.1.0
 sqitch:
  image:
    repository: typeable/sqitch