From 7fdf8532045f76dfad6e5816c48f741d9576fc78 Mon Sep 17 00:00:00 2001
From: chok
Date: Sun, 30 Jun 2024 23:41:37 +0200
Subject: [PATCH] feat(config): improvment
---
 README.md | 21 ++----
 charts/ontopic-studio/identity/cookie-secret | 2 +-
 charts/ontopic-studio/templates/config.yaml | 9 ---
 charts/ontopic-studio/templates/job.yaml | 77 ++++++++++++++++++++
 create-db-and-users.sql | 5 --
 docs/deploy-postgresql.md | 27 +++++++
 {k3d-example => docs}/k3d-cluster-example.md | 0
 7 files changed, 112 insertions(+), 29 deletions(-)
 create mode 100644 charts/ontopic-studio/templates/job.yaml
 create mode 100644 docs/deploy-postgresql.md
 rename {k3d-example => docs}/k3d-cluster-example.md (100%)
diff --git a/README.md b/README.md
index efbf421..de4651b 100644
--- a/README.md
+++ b/README.md
@@ -43,27 +43,19 @@ An example is provided in the folder. It can be adapted to your scenario.
 cp ./values.example.yaml values.yaml
 ```
-## Deploy a postgresql database
+## Prepare the database
-Here is the command to deploy a postgresql database using the [bitnami helm chart](https://artifacthub.io/packages/helm/bitnami/postgresql).
+You need a postgresql database with a dedicated owner.
-```bash
-helm repo add bitnami https://charts.bitnami.com/bitnami
-helm install store-server-db bitnami/postgresql --wait
-```
+In case you don't have one, you can use the provided helm chart to test it. You can find detailed instructions in the [dedicated documentation](./docs/deploy-postgresql.md).
-Wait for the DB to be ready
+### Create the database secret file
-### Create the database and users
+You need to provide the database password as a secret. You have to [create a secret](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_generic/) with the key `database-password-file` entry.
-```bash
-kubectl exec -i store-server-db-postgresql-0 -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'PGPASSWORD=$POSTGRES_PASSWORD psql' < create-db-and-users.sql
-```
-
-### Create the database secret file
+For example, if you have a postgresql database deployed with the helm chart, you can create the secret with the following command:
 ```bash
-# Create the new secret
 kubectl create secret generic database-password-file \
 --from-literal=database-password-file="$(kubectl get secret store-server-db-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)"
 ```
@@ -72,6 +64,7 @@ Add in your custom _values.yaml_ file :
 ```yaml
 store-server:
 secrets:
+ # database-password-file is the name of the secret
 database-password-file: /run/secrets/database-password-file
 ```
diff --git a/charts/ontopic-studio/identity/cookie-secret b/charts/ontopic-studio/identity/cookie-secret
index 539e635..f76a76f 100644
--- a/charts/ontopic-studio/identity/cookie-secret
+++ b/charts/ontopic-studio/identity/cookie-secret
@@ -1 +1 @@
-fW3MgE9f_hLd6_4rHGrDorLqVJ2tkXZjItJIfEGPZBg
\ No newline at end of file
+fW3MgE9f_hLd6_4rHGrDorLqVJ2tkXZjItJIfEGPZBg
diff --git a/charts/ontopic-studio/templates/config.yaml b/charts/ontopic-studio/templates/config.yaml
index edc9c91..5ebc3fb 100644
--- a/charts/ontopic-studio/templates/config.yaml
+++ b/charts/ontopic-studio/templates/config.yaml
@@ -17,17 +17,8 @@ data:
 --- # Identity Service
 apiVersion: v1
 kind: Secret
-metadata:
- name: cookie-secret
-type: Opaque
-data:
-{{ (.Files.Glob "identity/cookie-secret").AsSecrets | indent 4 }}
----
-apiVersion: v1
-kind: Secret
 metadata:
 name: password-file-db
 type: Opaque
 data:
 {{ (.Files.Glob "identity/password-file-db").AsSecrets | indent 4 }}
-
diff --git a/charts/ontopic-studio/templates/job.yaml b/charts/ontopic-studio/templates/job.yaml
new file mode 100644
index 0000000..98c6631
--- /dev/null
+++ b/charts/ontopic-studio/templates/job.yaml
@@ -0,0 +1,77 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-pre-install
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-2"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-pre-install
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-2"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-pre-install
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "-1"
+subjects:
+ - kind: ServiceAccount
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Release.Name }}-pre-install
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-pre-install
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-generate-cookie-secret
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "1"
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ serviceAccountName: {{ .Release.Name }}-pre-install
+ restartPolicy: Never
+ containers:
+ - name: generate-secret
+ image: ghcr.io/ontopic-vkg/ontopic-helm/identity-service:helm-{{ .Chart.AppVersion }}
+ command: ["/usr/bin/entrypoint", "generate", "cookie"]
+ args: [ ">", "/mnt/secret/cookie-secret && cat /mnt/secret/cookie-secret" ]
+ volumeMounts:
+ - name: secret
+ mountPath: /mnt/secret
+ - name: create-secret
+ image: bitnami/kubectl:latest
+ command: ["sh", "-c", "while [ ! -f /mnt/data/output.txt ]; do sleep 1; done; cat /mnt/secret/cookie-secret && kubectl create secret generic cookie-secret --from-file=password=/mnt/secret/cookie-secret"]
+ volumeMounts:
+ - name: secret
+ mountPath: /mnt/secret
+ restartPolicy: Never
+ volumes:
+ - name: secret
+ emptyDir: {}
diff --git a/create-db-and-users.sql b/create-db-and-users.sql
index f36cbe8..2494fe2 100644
--- a/create-db-and-users.sql
+++ b/create-db-and-users.sql
@@ -1,8 +1,3 @@
--- create database gitea;
--- create user gitea with encrypted password 'Phei8Vai';
--- grant all privileges on database gitea to gitea;
--- alter database gitea OWNER TO gitea;
----
 create database internal;
 grant all privileges on database internal to postgres;
 alter database internal OWNER TO postgres;
diff --git a/docs/deploy-postgresql.md b/docs/deploy-postgresql.md
new file mode 100644
index 0000000..6686aca
--- /dev/null
+++ b/docs/deploy-postgresql.md
@@ -0,0 +1,27 @@
+Deploy a postgresql database
+============================
+
+Here is the command to deploy a postgresql database using the [bitnami helm chart](https://artifacthub.io/packages/helm/bitnami/postgresql).
+
+```bash
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm install store-server-db bitnami/postgresql --wait
+```
+
+Wait for the DB to be ready
+
+Create the database and users
+-----------------------------
+
+```bash
+kubectl exec -i store-server-db-postgresql-0 -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'PGPASSWORD=$POSTGRES_PASSWORD psql' < create-db-and-users.sql
+```
+
+Create the database secret file
+-------------------------------
+
+```bash
+# Create the new secret
+kubectl create secret generic database-password-file \
+ --from-literal=database-password-file="$(kubectl get secret store-server-db-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)"
+```
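Review bot: The `create-secret` container of the new Job can never finish: it polls for `/mnt/data/output.txt`, a path no volume in this pod provides, while `generate-secret` is supposed to write `/mnt/secret/cookie-secret` — and that write never happens either, because `">"` is passed to `/usr/bin/entrypoint` as a literal argument instead of being interpreted by a shell, so the pre-install hook blocks until Helm's hook timeout expires. Both containers also `cat` the generated value, which puts the cookie-signing secret into pod logs and any log aggregation, and `bitnami/kubectl:latest` is an unpinned tag for a container that holds a secret-creating service account. On any re-install `kubectl create` will fail once `cookie-secret` already exists (the Role grants only `create`, so an existence check would need `get`), the pod spec repeats `restartPolicy: Never` as a duplicate mapping key, and the Secret key changes from `cookie-secret` (what the removed `.Files.Glob` form in config.yaml produced) to `password`, which is worth confirming against the consumer. The static `identity/cookie-secret` file this Job replaces is still tracked in the chart (this commit only adds its trailing newline); since that value sits in git history it should be deleted and treated as compromised. The rewrite below assumes the identity-service image ships `sh` and that `entrypoint generate cookie` prints the value to stdout, as the intended redirection suggests.
```yaml
      containers:
        - name: generate-secret
          image: ghcr.io/ontopic-vkg/ontopic-helm/identity-service:helm-{{ .Chart.AppVersion }}
          # run under a shell so the redirection is real; write to a temp name and rename
          # so the reader never picks up a partially written file; never echo the value
          command: ["sh", "-c", "/usr/bin/entrypoint generate cookie > /mnt/secret/cookie-secret.tmp && mv /mnt/secret/cookie-secret.tmp /mnt/secret/cookie-secret"]
          # … unchanged: volumeMounts …
        - name: create-secret
          image: bitnami/kubectl:<PINNED_KUBECTL_TAG>   # placeholder: pin to a specific kubectl version instead of latest
          # wait for the file the other container actually writes; do not print its contents
          command: ["sh", "-c", "while [ ! -f /mnt/secret/cookie-secret ]; do sleep 1; done; kubectl create secret generic cookie-secret --from-file=password=/mnt/secret/cookie-secret"]
          # … unchanged: volumeMounts …
```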
diff --git a/k3d-example/k3d-cluster-example.md b/docs/k3d-cluster-example.md
similarity index 100%
rename from k3d-example/k3d-cluster-example.md
rename to docs/k3d-cluster-example.md