From 51032367b87e6bc049d26893328c572a782f4377 Mon Sep 17 00:00:00 2001 
From: aimee-889 <93951322+aimee-889@users.noreply.github.com> Date: Fri, 22 Mar 2024 15:47:51 +0100 Subject: [PATCH] DBP-686-clean-helm-chart (#388) DBP-686-clean-helm-chart (#388) --- .../dbildungs-iam-server/config/config.json | 2 +- .../templates/_dbildungs-iam-server-envs.tpl | 108 ++----- .../templates/_helpers.tpl | 47 ++- .../templates/backend-deployment.yaml | 99 ++++++ .../templates/backend-ingress.yaml | 30 ++ .../backend-seeding-dev-configmap.yaml | 11 + .../templates/backend-service.yaml | 18 ++ .../templates/backend-servicemonitor.yaml | 21 ++ .../templates/configmap.yaml | 19 +- .../templates/deployment-backend.yaml | 109 ------- .../templates/ingress.yaml | 49 --- .../templates/redis-configmap-tls.yaml | 12 - .../templates/redis-deployment.yaml | 73 +++-- .../templates/redis-service.yaml | 22 +- .../templates/redis-tls-configmap.yaml | 12 + .../templates/secret.yaml | 15 +- .../templates/seeding-dev-configmap.yaml | 12 - .../templates/service-backend.yaml | 15 - .../templates/servicemonitor.yaml | 18 -- charts/dbildungs-iam-server/values.yaml | 294 +++++++----------- 20 files changed, 434 insertions(+), 552 deletions(-) create mode 100644 charts/dbildungs-iam-server/templates/backend-deployment.yaml create mode 100644 charts/dbildungs-iam-server/templates/backend-ingress.yaml create mode 100644 charts/dbildungs-iam-server/templates/backend-seeding-dev-configmap.yaml create mode 100644 charts/dbildungs-iam-server/templates/backend-service.yaml create mode 100644 charts/dbildungs-iam-server/templates/backend-servicemonitor.yaml delete mode 100644 charts/dbildungs-iam-server/templates/deployment-backend.yaml delete mode 100644 charts/dbildungs-iam-server/templates/ingress.yaml delete mode 100644 charts/dbildungs-iam-server/templates/redis-configmap-tls.yaml create mode 100644 charts/dbildungs-iam-server/templates/redis-tls-configmap.yaml delete mode 100644 charts/dbildungs-iam-server/templates/seeding-dev-configmap.yaml delete mode 100644 
charts/dbildungs-iam-server/templates/service-backend.yaml delete mode 100644 charts/dbildungs-iam-server/templates/servicemonitor.yaml diff --git a/charts/dbildungs-iam-server/config/config.json b/charts/dbildungs-iam-server/config/config.json index 06c09544f..a246428f8 100644 --- a/charts/dbildungs-iam-server/config/config.json +++ b/charts/dbildungs-iam-server/config/config.json @@ -21,7 +21,7 @@ "CLIENT_ID": "spsh" }, "REDIS": { - "HOST": "redis-service", + "HOST": "dbildungs-iam-server-redis", "PORT": 6379, "USERNAME": "default", "USE_TLS": false diff --git a/charts/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl b/charts/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl index 376838f01..52a5eb391 100644 --- a/charts/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl +++ b/charts/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl 
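Review bot: `REDIS.HOST` is now the hard-coded string `dbildungs-iam-server-redis`, while the Redis Service it has to reach is named `{{ template "common.names.name" . }}-redis` in the new templates, so setting `nameOverride` silently breaks the backend's Redis connection with no render-time error. Because this file is injected verbatim through `.Files.Get` it cannot reference chart values; if the application also reads a `REDIS_HOST` environment variable, the host could instead be provided via the environment ConfigMap as `REDIS_HOST: {{ printf "%s-redis" (include "common.names.name" .) | quote }}`, otherwise rendering the file through `tpl` would keep the two in sync. `USE_TLS` also stays `false` here although the chart still ships Redis TLS bootstrap scripts — worth confirming that is intentional.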
@@ -1,83 +1,29 @@ {{- define "dbildungs-iam-server-backend-envs" }} -- name: NODE_ENV - value: {{.Values.environment | quote}} -- name: DEPLOY_STAGE - value: {{.Values.environment | quote}} -- name: DB_NAME - valueFrom: - configMapKeyRef: - name: {{.Values.configmap.name}} - key: db-name -- name: DB_SECRET - valueFrom: - secretKeyRef: - {{- if .Values.auth.existingSecret }} - name: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - name: {{ .Values.auth.name }} - {{- end }} - key: db-password -- name: DB_HOST - valueFrom: - secretKeyRef: - {{- if .Values.auth.existingSecret }} - name: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - name: {{ .Values.auth.name }} - {{- end }} - key: db-host -- name: DB_CLIENT_URL - value: "postgres://$(DB_HOST)/" -- name: KC_BASE_URL - valueFrom: - configMapKeyRef: - name: {{.Values.configmap.name}} - key: keycloak-base-url -- name: FRONTEND_OIDC_CALLBACK_URL - valueFrom: - configMapKeyRef: - name: {{.Values.configmap.name}} - key: frontend-oidc-callback-url -- name: FRONTEND_DEFAULT_LOGIN_REDIRECT - valueFrom: - configMapKeyRef: - name: {{.Values.configmap.name}} - key: frontend-default-login-redirect -- name: FRONTEND_LOGOUT_REDIRECT - valueFrom: - configMapKeyRef: - name: {{.Values.configmap.name}} - key: frontend-logout-redirect -- name: KC_ADMIN_SECRET - valueFrom: - secretKeyRef: - {{- if .Values.auth.existingSecret }} - name: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - name: {{ .Values.auth.name }} - {{- end }} - key: keycloak-adminSecret -- name: KC_CLIENT_SECRET - valueFrom: - secretKeyRef: - {{- if .Values.auth.existingSecret }} - name: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - name: {{ .Values.auth.name }} - {{- end }} - key: keycloak-clientSecret -- name: FRONTEND_SESSION_SECRET - valueFrom: - secretKeyRef: - {{- if 
.Values.auth.existingSecret }} - name: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - name: {{ .Values.auth.name }} - {{- end }} - key: frontend-sessionSecret + - name: DB_SECRET + valueFrom: + secretKeyRef: + name: {{ default .Values.auth.existingSecret .Values.auth.secretName }} + key: db-password + - name: DB_HOST + valueFrom: + secretKeyRef: + name: {{ default .Values.auth.existingSecret .Values.auth.secretName }} + key: db-host + - name: KC_ADMIN_SECRET + valueFrom: + secretKeyRef: + name: {{ default .Values.auth.existingSecret .Values.auth.secretName }} + key: keycloak-adminSecret + - name: DB_CLIENT_URL + value: "postgres://$(DB_HOST)/" + - name: KC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ default .Values.auth.existingSecret .Values.auth.secretName }} + key: keycloak-clientSecret + - name: FRONTEND_SESSION_SECRET + valueFrom: + secretKeyRef: + name: {{ default .Values.auth.existingSecret .Values.auth.secretName }} + key: frontend-sessionSecret {{- end}} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/_helpers.tpl b/charts/dbildungs-iam-server/templates/_helpers.tpl index e600b49c9..51d7e99fe 100644 --- a/charts/dbildungs-iam-server/templates/_helpers.tpl +++ b/charts/dbildungs-iam-server/templates/_helpers.tpl 
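Review bot: The argument order of `default` in every `secretKeyRef` looks inverted: `default .Values.auth.existingSecret .Values.auth.secretName` yields `existingSecret` only when `secretName` is empty, so whenever `auth.secretName` carries a non-empty default (which the unconditional `name: {{ .Values.auth.secretName }}` in secret.yaml suggests it does), an operator-provided `existingSecret` is ignored and the pods read the chart-managed Secret instead. If the intent is "existing secret wins", each reference should read `name: {{ default .Values.auth.secretName .Values.auth.existingSecret }}`; since the expression is repeated five times here and again for `secret-volume` in backend-deployment.yaml, a small helper such as `{{- define "dbildungs-iam-server.secretName" -}}` would keep them from drifting.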
@@ -1,6 +1,47 @@ {{/* -Create release name with common name: dbildungs-iam-server +Expand the name of the chart. */}} -{{- define "common.names.releasename" -}} -{{- printf "dbildungs-iam-server" -}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create common labels +*/}} +{{- define "common.labels" -}} +app.kubernetes.io/name: {{ template "common.names.name" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/backend-deployment.yaml b/charts/dbildungs-iam-server/templates/backend-deployment.yaml new file mode 100644 index 000000000..8dbdf310c --- /dev/null 
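Review bot: `common.labels` carries no `app.kubernetes.io/instance: {{ .Release.Name }}` label, and the resource names in the new templates are built from `common.names.name` rather than the `common.names.fullname` defined here, so two releases of this chart in one namespace would collide on object names and their Service selectors would match each other's pods; `fullnameOverride` is effectively dead code. Adding `app.kubernetes.io/instance: {{ .Release.Name }}` to the `define` and using it in the selectors is the conventional fix, and `helm.sh/chart: {{ include "common.names.chart" . }}` would give the otherwise-unused `common.names.chart` helper a purpose. This hunk only defines the helpers; the call sites are in the other templates of this commit.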
+++ b/charts/dbildungs-iam-server/templates/backend-deployment.yaml 
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "common.names.name" . }}-backend + namespace: {{ template "common.names.namespace" . }} + labels: + {{- include "common.labels" . | nindent 4 }} + app.kubernetes.io/component: server-backend +spec: + replicas: {{ .Values.backend.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "common.names.name" . }} + app.kubernetes.io/component: server-backend + template: + metadata: + labels: + {{- include "common.labels" . | nindent 8 }} + app.kubernetes.io/component: server-backend + spec: + automountServiceAccountToken: false + {{- if .Values.backend.dbseeding.enabled }} + initContainers: + - name: "{{ template "common.names.name" . }}-db-init" + image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.backend.image.pullPolicy | default "Always"}} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + command: ["node", "dist/src/console/main.js", "db", "init"] + env: + {{- include "dbildungs-iam-server-backend-envs" . | indent 12 }} + {{- if .Values.backend.extraEnvVars }} + {{ toYaml .Values.backend.extraEnvVars | nindent 12 }} + {{- end }} + envFrom: + - configMapRef: + name: {{ template "common.names.name" . 
}} + volumeMounts: + {{- toYaml .Values.backend.volumeMounts | nindent 12 }} + - mountPath: /app/sql/dev + name: seeding-volume + readOnly: true + resources: {{- toYaml .Values.backend.resources | nindent 12 }} + - name: db-seeding + image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{.Values.imagePullPolicy | default "Always"}} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + command: [ "node", "dist/src/console/main.js", "db", "seed", "dev", "" ] + envFrom: + - configMapRef: + name: {{ template "common.names.name" . }} + env: {{- include "dbildungs-iam-server-backend-envs" . | indent 12}} + volumeMounts: + {{- toYaml .Values.backend.volumeMounts | nindent 12 }} + - mountPath: /app/sql/dev + name: seeding-volume + readOnly: true + resources: {{- toYaml .Values.backend.resources | nindent 12 }} + {{end}} + containers: + - name: "{{ template "common.names.name" . }}-backend" + image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.backend.image.pullPolicy | default "Always"}} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + ports: + - name: web + containerPort: {{ .Values.backend.containerPorts.http }} + protocol: TCP + env: + {{- include "dbildungs-iam-server-backend-envs" . | nindent 12 }} + {{- if .Values.backend.extraEnvVars }} + {{ toYaml .Values.backend.extraEnvVars | nindent 12 }} + {{- end }} + envFrom: + - configMapRef: + name: {{ template "common.names.name" . }} + volumeMounts: + {{- toYaml .Values.backend.volumeMounts | nindent 12 }} + {{- with .Values.backend.extraVolumeMounts }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.backend.resources | nindent 12 }} + livenessProbe: {{- omit .Values.backend.livenessProbe "enabled" | toYaml | nindent 12 }} + readinessProbe: {{- omit .Values.backend.readinessProbe "enabled" | toYaml | nindent 12 }} + restartPolicy: {{ .Values.restartPolicy }} + volumes: + - name: config-volume + configMap: + name: {{ template "common.names.name" . }} + - name: secret-volume + secret: + secretName: {{ default .Values.auth.existingSecret .Values.auth.secretName }} + {{if .Values.backend.dbseeding.enabled }} + - name: seeding-volume + configMap: + name: {{ template "common.names.name" . }}-backend-seeding + {{- end }} + {{- with .Values.backend.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/dbildungs-iam-server/templates/backend-ingress.yaml b/charts/dbildungs-iam-server/templates/backend-ingress.yaml new file mode 100644 index 000000000..afebb3dc4 --- /dev/null +++ b/charts/dbildungs-iam-server/templates/backend-ingress.yaml 
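Review bot: `omit .Values.containerSecurityContext "enabled"` (and the same pattern for `livenessProbe`/`readinessProbe`) strips the `enabled` key but never tests it, so `enabled: false` in values has no effect and the old `enabledcontainerSecurityContext` switch is silently lost; either wrap the field in `{{- if .Values.containerSecurityContext.enabled }}` or drop the key from values so it does not advertise a toggle that does not exist. The `db-seeding` init container also still reads `.Values.imagePullPolicy`, which this commit removes from values.yaml, while its siblings use `.Values.backend.image.pullPolicy`; the behaviour only coincides because both fall back to `Always`. Finally the seed path `/app/sql/dev` and the `seed dev` command are hard-coded, so if the dev fixtures contain test accounts, enabling `backend.dbseeding` on a deployment with `environment: prod` would load them — a guard such as `{{- if and .Values.backend.dbseeding.enabled (eq .Values.environment "prod") }}{{ fail "dev seeding must not be enabled in prod" }}{{- end }}` would make that impossible to do by accident.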
@@ -0,0 +1,30 @@ +{{if .Values.backend.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "common.names.name" . }}-backend + namespace: {{ template "common.names.namespace" . }} + labels: + {{- include "common.labels" . | nindent 4 }} + annotations: + nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .Values.keycloakHostname }}" + nginx.ingress.kubernetes.io/enable-cors: "true" + {{- with .Values.backend.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.backend.ingress.ingressClassName }} + rules: + - host: {{ .Values.backendHostname }} + http: + paths: + {{- range $path := .Values.backend.ingress.paths }} + - path: {{ $path }} + pathType: {{ $.Values.backend.ingress.pathType }} + backend: + service: + name: {{ template "common.names.name" $ }}-backend + port: + number: {{ $.Values.backend.service.ports.http }} + {{- end }} +{{ end }} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/backend-seeding-dev-configmap.yaml b/charts/dbildungs-iam-server/templates/backend-seeding-dev-configmap.yaml new file mode 100644 index 000000000..be555e535 --- /dev/null +++ b/charts/dbildungs-iam-server/templates/backend-seeding-dev-configmap.yaml @@ -0,0 +1,11 @@ +{{if and (.Values.backend.dbseeding.enabled) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.name" . }}-backend-seeding + namespace: {{ template "common.names.namespace" . }} + labels: + {{- include "common.labels" . | nindent 4 }} +data: +{{ (.Files.Glob "seeding/dev/*").AsConfig | indent 2 }} +{{end}} diff --git a/charts/dbildungs-iam-server/templates/backend-service.yaml b/charts/dbildungs-iam-server/templates/backend-service.yaml new file mode 100644 index 000000000..8ccad6e8e --- /dev/null +++ b/charts/dbildungs-iam-server/templates/backend-service.yaml 
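Review bot: `host: {{ .Values.backendHostname }}` is unquoted and `backendHostname` defaults to `""` in values.yaml, so an unset value renders as a bare `host:` (null), turning the rule into a catch-all for every hostname on the ingress class, while `cors-allow-origin` renders as the useless origin `https://`. Fail at render time instead: `- host: {{ required "backendHostname must be set" .Values.backendHostname | quote }}`, and the same `required` on `keycloakHostname` in the annotation. The two `nginx.ingress.kubernetes.io/*` annotations are hard-coded although `ingressClassName` is configurable, so on a non-nginx class the CORS policy is silently not applied — they belong in the `backend.ingress.annotations` defaults. There is no `tls:` section; if TLS is terminated in front of the ingress, a one-line comment saying so would help, since every URL the chart builds is `https://`.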
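Review bot: `{{if and (.Values.backend.dbseeding.enabled) }}` passes a single operand to `and`, which is a no-op and reads like an unfinished condition; write it as `{{- if .Values.backend.dbseeding.enabled }}` (the leading `-` also avoids emitting a blank line before `apiVersion`). Since the whole `seeding/dev/*` tree is published into this ConfigMap, a short comment naming what those files contain and which environments they are intended for would help anyone reviewing values overrides.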
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "common.names.name" . }}-backend
+ namespace: {{ template "common.names.namespace" . }}
+ labels:
+ {{- include "common.labels" . | nindent 4 }}
+ app.kubernetes.io/component: server-backend
+spec:
+ selector:
+ {{- include "common.labels" . | nindent 4 }}
+ app.kubernetes.io/component: server-backend
+ type: {{ .Values.backend.service.type }}
+ ports:
+ - name: web
+ port: {{ .Values.backend.service.ports.http }}
+ protocol: TCP
+ targetPort: web
diff --git a/charts/dbildungs-iam-server/templates/backend-servicemonitor.yaml b/charts/dbildungs-iam-server/templates/backend-servicemonitor.yaml
new file mode 100644
index 000000000..a1d511019
--- /dev/null
+++ b/charts/dbildungs-iam-server/templates/backend-servicemonitor.yaml
@@ -0,0 +1,21 @@
+{{if .Values.backend.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "common.names.name" . }}-backend
+ namespace: {{ template "common.names.namespace" . }}
+ labels:
+ {{- include "common.labels" . | nindent 4 }}
+ app.kubernetes.io/component: server-backend
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ include "common.names.namespace" . | quote }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "common.names.name" . }}-backend
+ app.kubernetes.io/component: server-backend
+ endpoints:
+ - port: {{ (index .Values.backend.serviceMonitor.endpoints 0).port }}
+{{ end }}
+
diff --git a/charts/dbildungs-iam-server/templates/configmap.yaml b/charts/dbildungs-iam-server/templates/configmap.yaml
index 07b3554e9..e01473c65 100644
--- a/charts/dbildungs-iam-server/templates/configmap.yaml
+++ b/charts/dbildungs-iam-server/templates/configmap.yaml
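Review bot: The Service `selector` includes everything in `common.labels`, i.e. also `app.kubernetes.io/version: {{ .Chart.AppVersion }}` and `app.kubernetes.io/managed-by`, whereas the Deployment selects pods by `app.kubernetes.io/name` and `component` only; on an upgrade that bumps `appVersion` the Service stops matching the old pods before the new ones are ready, and any label later added to `common.labels` changes routing. Select on the same stable keys as the Deployment — `app.kubernetes.io/name: {{ template "common.names.name" . }}` plus `app.kubernetes.io/component: server-backend` — and drop the `include "common.labels"` from the selector.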
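Review bot: The ServiceMonitor's `matchLabels` looks for `app.kubernetes.io/name: {{ template "common.names.name" . }}-backend`, but the backend Service in this commit is labelled `app.kubernetes.io/name: {{ template "common.names.name" . }}` (the `-backend` suffix is only in its `metadata.name`), so the monitor matches nothing and no metrics are scraped. Use the same value as the Service label, `app.kubernetes.io/name: {{ template "common.names.name" . }}`, and keep the `component` label to narrow it to the backend. `endpoints` also takes only `(index ... 0).port`, silently dropping any further entries configured in values — either range over the list or document that only the first is honoured.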
@@ -1,16 +1,17 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ .Values.configmap.name }} - namespace: {{ .Values.namespace }} + name: {{ template "common.names.name" . }} + namespace: {{ template "common.names.namespace" . }} labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{.Chart.Version}} + {{- include "common.labels" . | nindent 4 }} data: config-json: |- {{ .Files.Get "config/config.json" | nindent 4 }} - keycloak-base-url: "https://{{ .Values.keycloakHostname }}" - frontend-oidc-callback-url: "https://{{ .Values.backendHostname }}/api/auth/login" - frontend-default-login-redirect: "https://{{ .Values.backendHostname }}/" - frontend-logout-redirect: "https://{{ .Values.backendHostname }}/" - db-name: "{{ .Values.database.name }}" + NODE_ENV: {{ .Values.environment | quote }} + DEPLOY_STAGE: {{ .Values.environment | quote }} + DB_NAME: {{ .Values.database.name | quote }} + KC_BASE_URL: "https://{{ .Values.keycloakHostname }}" + FRONTEND_OIDC_CALLBACK_URL: "https://{{ .Values.backendHostname }}/api/auth/login" + FRONTEND_DEFAULT_LOGIN_REDIRECT: "https://{{ .Values.backendHostname }}/" + FRONTEND_LOGOUT_REDIRECT: "https://{{ .Values.backendHostname }}/" diff --git a/charts/dbildungs-iam-server/templates/deployment-backend.yaml b/charts/dbildungs-iam-server/templates/deployment-backend.yaml deleted file mode 100644 index f14901e55..000000000 --- a/charts/dbildungs-iam-server/templates/deployment-backend.yaml +++ /dev/null 
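Review bot: This ConfigMap is now consumed through `envFrom` in backend-deployment.yaml, so every key under `data:` becomes an environment variable — including `config-json`, whose value is the entire rendered config.json; if the image also reads the mounted `/app/config/config.json`, the same configuration now reaches the process by two paths, and any key added later for a file mount leaks into the environment too. Keeping the file payload and the `NODE_ENV`/`DB_NAME`/`KC_BASE_URL` variables in separate ConfigMaps (`envFrom` only on the env-only one) avoids that. `KC_BASE_URL` and the `FRONTEND_*` URLs also render as `https://` followed by an empty default hostname; a `required` on `keycloakHostname`/`backendHostname` would catch that at install time.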
@@ -1,109 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.names.releasename" . }}-backend - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/name: {{ .Values.backend.commonLabels.name }} - app.kubernetes.io/version: {{ .Chart.Version }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/layer: {{ .Values.backend.selector.layer }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ .Values.backend.commonLabels.name }} - app.kubernetes.io/layer: {{ .Values.backend.selector.layer }} - spec: - {{- if .Values.seeding.enabled }} - initContainers: - - name: db-init - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{.Values.imagePullPolicy | default "Always"}} - {{- if .Values.enabledcontainerSecurityContext }} - securityContext: - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - command: [ "node", "dist/src/console/main.js", "db", "init" ] - env: - {{- include "dbildungs-iam-server-backend-envs" . | indent 12}} - volumeMounts: - - mountPath: /app/config/config.json - subPath: config-json - name: config-volume - readOnly: true - - mountPath: /app/config/secrets.json - subPath: secrets-json - name: secret-volume - readOnly: true - - mountPath: /app/sql/{{.Values.seeding.database}} - name: seeding-volume - readOnly: true - resources: - {{- toYaml .Values.containerResources | nindent 12 }} - - name: db-seeding - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{.Values.imagePullPolicy | default "Always"}} - {{- if .Values.enabledcontainerSecurityContext }} - securityContext: - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - command: [ "node", "dist/src/console/main.js", "db", "seed", "dev", "" ] - env: - {{- include "dbildungs-iam-server-backend-envs" . 
| indent 12}} - volumeMounts: - - mountPath: /app/config/config.json - subPath: config-json - name: config-volume - readOnly: true - - mountPath: /app/config/secrets.json - subPath: secrets-json - name: secret-volume - readOnly: true - - mountPath: /app/sql/{{.Values.seeding.database}} - name: seeding-volume - readOnly: true - resources: - {{- toYaml .Values.containerResources | nindent 12 }} - {{end}} - containers: - - name: {{ .Values.backend.commonLabels.name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{.Values.imagePullPolicy | default "Always"}} - {{- if .Values.enabledcontainerSecurityContext }} - securityContext: - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - ports: - - name: {{ (index .Values.backendcontainer.ports 0).name }} - containerPort: {{ (index .Values.backendcontainer.ports 0).containerPort }} - env: - {{- include "dbildungs-iam-server-backend-envs" . | nindent 12 }} - volumeMounts: - {{- toYaml .Values.backendcontainer.volumeMounts | nindent 12 }} - resources: - {{- toYaml .Values.containerResources | nindent 12 }} - livenessProbe: - {{- toYaml .Values.backendcontainer.livenessProbe | nindent 12 }} - readinessProbe: - {{- toYaml .Values.backendcontainer.readinessProbe | nindent 12 }} - restartPolicy: {{ .Values.restartPolicy }} - volumes: - - name: {{ (index .Values.backendcontainer.volumeMounts 0).name }} - configMap: - name: {{ .Values.configmap.name }} - - name: {{ (index .Values.backendcontainer.volumeMounts 1).name }} - secret: - {{- if .Values.auth.existingSecret }} - secretName: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - secretName: {{.Values.auth.name}} - {{- end }} - {{if .Values.seeding}} - - name: seeding-volume - configMap: - name: {{ .Values.seeding.configmap }} - {{- end }} 
diff --git a/charts/dbildungs-iam-server/templates/ingress.yaml b/charts/dbildungs-iam-server/templates/ingress.yaml deleted file mode 100644 index 6f017340b..000000000 --- a/charts/dbildungs-iam-server/templates/ingress.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "common.names.releasename" . }}-backend - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{ .Chart.Version }} -spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - rules: - - host: {{ .Values.backendHostname }} - http: - paths: - - path: /api - pathType: {{ .Values.ingress.pathType }} - backend: - service: - name: {{ .Values.service.name }} - port: - number: {{ (index .Values.backendports 0).port }} - - path: /docs - pathType: {{ .Values.ingress.pathType }} - backend: - service: - name: {{ .Values.service.name }} - port: - number: {{ (index .Values.backendports 0).port }} - - path: /docs-json - pathType: {{ .Values.ingress.pathType }} - backend: - service: - name: {{ .Values.service.name }} - port: - number: {{ (index .Values.backendports 0).port }} - - path: /docs-json - pathType: {{ .Values.ingress.pathType }} - backend: - service: - name: {{ .Values.service.name }} - port: - number: {{ (index .Values.backendports 0).port }} - - path: /docs-yaml - pathType: {{ .Values.ingress.pathType }} - backend: - service: - name: {{ .Values.service.name }} - port: - number: {{ (index .Values.backendports 0).port }} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/redis-configmap-tls.yaml b/charts/dbildungs-iam-server/templates/redis-configmap-tls.yaml deleted file mode 100644 index 72da993d3..000000000 --- a/charts/dbildungs-iam-server/templates/redis-configmap-tls.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ (index .Values.redisvolumes 0).configMap.name }} - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{.Chart.Version}} -data: -{{(.Files.Glob "gencert.sh").AsConfig | indent 2}} -{{(.Files.Glob "copy-tls.sh").AsConfig | indent 2}} -{{(.Files.Glob "redis.conf").AsConfig | indent 2}} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/redis-deployment.yaml b/charts/dbildungs-iam-server/templates/redis-deployment.yaml index 3b3f9e676..f3d8d73cb 100644 --- a/charts/dbildungs-iam-server/templates/redis-deployment.yaml +++ b/charts/dbildungs-iam-server/templates/redis-deployment.yaml 
@@ -1,27 +1,28 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "common.names.releasename" . }}-redis - namespace: {{ .Values.namespace }} + name: {{ template "common.names.name" . }}-redis + namespace: {{ template "common.names.namespace" . }} labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{ .Chart.Version }} + {{- include "common.labels" . | nindent 4 }} + app.kubernetes.io/component: server-redis spec: selector: matchLabels: - app.kubernetes.io/layer: {{ .Values.redis.selector.layer }} + app.kubernetes.io/name: {{ template "common.names.name" . }} + app.kubernetes.io/component: server-redis replicas: {{ .Values.replicaCount }} template: metadata: labels: - app.kubernetes.io/name: {{ .Values.redis.commonLabels.name }} - app.kubernetes.io/layer: {{ .Values.redis.selector.layer }} + {{- include "common.labels" . | nindent 8 }} + app.kubernetes.io/component: server-redis spec: automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} initContainers: - name: copy-tls-data image: alpine - securityContext: + securityContext: allowPrivilegeEscalation: false command: ["/bin/sh","-c", "apk add --no-cache openssl bash;/bin/bash /tls/copy-tls.sh"] volumeMounts: 
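Review bot: `replicas: {{ .Values.replicaCount }}` (context line) still reads the top-level `replicaCount`, which the values.yaml hunk of this commit removes (`-replicaCount: 1`) while the backend moved to `backend.replicaCount`; unless it is re-added further down values.yaml than is visible here, this now renders as an empty `replicas:` and Redis silently falls back to the API default. Give Redis its own key and a fallback, e.g. `replicas: {{ .Values.redis.replicaCount | default 1 }}`. Separately, the `copy-tls-data` init container still uses an unpinned `image: alpine` and runs `apk add --no-cache openssl bash` on every pod start, so the TLS bootstrap depends on a mutable tag and on package-repository reachability from the cluster; pinning by digest (`alpine@sha256:...`) or using an image that already contains `openssl` removes both the supply-chain and the availability risk.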
@@ -29,31 +30,37 @@ spec: name: tls-data - mountPath: "/data" name: data - resources: - requests: - cpu: {{.Values.dbildungsIamServerRedisCpuRequest}} - memory: {{.Values.dbildungsIamServerRedisMemRequest}} - limits: - cpu: {{.Values.dbildungsIamServerRedisCpuMax}} - memory: {{.Values.dbildungsIamServerRedisMemMax}} + resources: {{- toYaml .Values.redis.resources | nindent 12 }} containers: - - name: {{ .Values.rediscontainer.image.name }} - image: {{ .Values.rediscontainer.image.repository }}:{{ .Values.rediscontainer.image.tag }} - imagePullPolicy: {{ .Values.rediscontainer.image.pullPolicy }} - securityContext: - {{- toYaml .Values.containerSecurityContext | nindent 12 }} + - name: {{ template "common.names.name" . }}-redis + image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}" + imagePullPolicy: {{ .Values.redis.image.pullPolicy }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} ports: - {{- toYaml .Values.rediscontainer.ports | nindent 12 }} - volumeMounts: - {{- toYaml .Values.rediscontainer.volumeMounts | nindent 12 }} - resources: - {{- toYaml .Values.containerResources | nindent 12 }} - livenessProbe: - {{- toYaml .Values.rediscontainer.livenessProbe | nindent 12 }} - readinessProbe: - {{- toYaml .Values.rediscontainer.readinessProbe | nindent 12 }} - startupProbe: - {{- toYaml .Values.rediscontainer.startupProbe | nindent 12 }} - volumes: - {{- toYaml .Values.redisvolumes | nindent 8 }} + - name: redis + containerPort: {{ .Values.redis.containerPorts.redis }} + protocol: TCP + env: + {{- if .Values.redis.extraEnvVars }} + {{ toYaml .Values.redis.extraEnvVars | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: "/data" + name: data + {{- with .Values.redis.extraVolumeMounts }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.redis.resources | nindent 12 }} + livenessProbe: {{- omit .Values.redis.livenessProbe "enabled" | toYaml | nindent 12 }} + readinessProbe: {{- omit .Values.redis.readinessProbe "enabled" | toYaml | nindent 12 }} + startupProbe: {{- omit .Values.redis.startupProbe "enabled"| toYaml | nindent 12 }} + volumes: + - name: tls-data + configMap: + name: {{ template "common.names.name" . }}-redis-tls-data + - name: data + emptyDir: {} + {{- with .Values.redis.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} restartPolicy: {{ .Values.restartPolicy }} diff --git a/charts/dbildungs-iam-server/templates/redis-service.yaml b/charts/dbildungs-iam-server/templates/redis-service.yaml index a6fbe803d..e23c81770 100644 --- a/charts/dbildungs-iam-server/templates/redis-service.yaml +++ b/charts/dbildungs-iam-server/templates/redis-service.yaml @@ -1,16 +1,18 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Values.redisservice.name }} - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{ .Chart.Version }} + name: {{ template "common.names.name" . }}-redis + namespace: {{ template "common.names.namespace" . }} + labels: + {{- include "common.labels" . | nindent 4 }} + app.kubernetes.io/component: server-redis spec: selector: - app.kubernetes.io/layer: {{ .Values.redis.selector.layer }} - type: {{ .Values.redisservicetype }} - {{- if .Values.enabledredisserviceport }} + {{- include "common.labels" . | nindent 4 }} + app.kubernetes.io/component: server-redis + type: {{ .Values.redis.service.type }} ports: - {{- toYaml .Values.redisports | nindent 4 }} - {{- end }} + - name: redis + port: {{ .Values.redis.service.ports.redis }} + protocol: TCP + 
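Review bot: The Redis container now mounts only `data`, an `emptyDir`, so whatever `copy-tls.sh` and the generated TLS material place there is recreated on every pod restart and all Redis state is lost with it; with more than one replica each pod would hold a disjoint store and its own certificate. If persistence matters, a StatefulSet with a PVC is the usual answer; if not, pin Redis to a single replica and say so in a comment. `omit .Values.redis.livenessProbe "enabled"` (and the readiness/startup variants) drops the `enabled` key but never honours it, so `enabled: false` cannot disable a probe — wrap each in `{{- if .Values.redis.livenessProbe.enabled }}`. The `tls-data` ConfigMap is mounted only into the init container; if `redis.conf` from that ConfigMap is expected by the main container, it needs a mount here as well (cannot be confirmed from this hunk, since the container has no explicit `command`).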
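Review bot: The Redis Service defines `port: {{ .Values.redis.service.ports.redis }}` without a `targetPort`, so it implicitly targets the same number, while the container exposes `containerPorts.redis` from a different values key; if the two are ever configured apart the Service routes to a closed port with no render-time error. Use the named port as the backend Service does: `targetPort: redis`. The `selector` also copies all of `common.labels`, including `app.kubernetes.io/version`, which changes on every `appVersion` bump and momentarily drops the old pods from the endpoints during an upgrade; selecting on `app.kubernetes.io/name` and `app.kubernetes.io/component` only is safer.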
diff --git a/charts/dbildungs-iam-server/templates/redis-tls-configmap.yaml b/charts/dbildungs-iam-server/templates/redis-tls-configmap.yaml new file mode 100644 index 000000000..11539d301 --- /dev/null +++ b/charts/dbildungs-iam-server/templates/redis-tls-configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "common.names.name" . }}-redis-tls-data" + namespace: {{ template "common.names.namespace" . }} + labels: + {{- include "common.labels" . | nindent 4 }} + app.kubernetes.io/component: server-redis +data: +{{(.Files.Glob "gencert.sh").AsConfig | indent 2}} +{{(.Files.Glob "copy-tls.sh").AsConfig | indent 2}} +{{(.Files.Glob "redis.conf").AsConfig | indent 2}} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/secret.yaml b/charts/dbildungs-iam-server/templates/secret.yaml index 3f0fedd96..31dd7728e 100644 --- a/charts/dbildungs-iam-server/templates/secret.yaml +++ b/charts/dbildungs-iam-server/templates/secret.yaml @@ -2,19 +2,14 @@ apiVersion: v1 kind: Secret metadata: - {{- if .Values.auth.existingSecret }} - name: {{ .Values.auth.existingSecret }} - {{- end }} - {{- if not .Values.auth.existingSecret }} - name: {{ .Values.auth.name }} - {{- end }} - namespace: {{ .Values.namespace }} + name: {{ .Values.auth.secretName }} + namespace: {{ template "common.names.namespace" . }} type: Opaque data: frontend-sessionSecret: {{ .Values.auth.frontend_sessionSecret }} - db-host: {{ .Values.database.db_host }} - db-password: {{ .Values.database.db_password }} - db-username: {{ .Values.database.db_username }} + db-host: {{ .Values.database.host }} + db-password: {{ .Values.database.password }} + db-username: {{ .Values.database.username }} keycloak-adminSecret: {{ .Values.auth.keycloak_adminSecret }} keycloak-clientSecret: {{ .Values.auth.keycloak_clientSecret }} secrets-json: {{ .Values.auth.secrets_json }} 
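Review bot: The Secret is now rendered unconditionally with `name: {{ .Values.auth.secretName }}`, so a deployment that sets `auth.existingSecret` still gets a second, chart-managed Secret whose `data:` entries are the empty defaults from values.yaml — bare `db-password:` and friends render as null, which the API server may reject, and either way leaves two candidate secrets for the pods to reference. Wrap the template in `{{- if not .Values.auth.existingSecret }}` … `{{- end }}` so it only exists when the chart owns the credentials. Because the values are placed under `data:`, every value must already be base64-encoded by the user; either document that next to each key in values.yaml or switch to `stringData:` with `| quote` so plain values work and an empty one fails loudly.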
diff --git a/charts/dbildungs-iam-server/templates/seeding-dev-configmap.yaml b/charts/dbildungs-iam-server/templates/seeding-dev-configmap.yaml deleted file mode 100644 index 9cfb71b34..000000000 --- a/charts/dbildungs-iam-server/templates/seeding-dev-configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{if and (.Values.seeding) (eq .Values.seeding.database "dev")}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.seeding.configmap }} - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{.Chart.Version}} -data: -{{ (.Files.Glob "seeding/dev/*").AsConfig | indent 2 }} -{{end}} diff --git a/charts/dbildungs-iam-server/templates/service-backend.yaml b/charts/dbildungs-iam-server/templates/service-backend.yaml deleted file mode 100644 index 55def9caf..000000000 --- a/charts/dbildungs-iam-server/templates/service-backend.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }} - app.kubernetes.io/version: {{.Chart.Version}} -spec: - selector: - app.kubernetes.io/layer: {{ .Values.backend.selector.layer }} - type: {{ .Values.backendservicetype }} - {{- if .Values.enabledbackendserviceport }} - ports: {{- toYaml .Values.backendports | nindent 6 }} - {{- end }} \ No newline at end of file diff --git a/charts/dbildungs-iam-server/templates/servicemonitor.yaml b/charts/dbildungs-iam-server/templates/servicemonitor.yaml deleted file mode 100644 index bbd36c551..000000000 --- a/charts/dbildungs-iam-server/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{if .Values.enableServiceMonitor}}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ include "common.names.releasename" . }}
-  namespace: {{ .Values.namespace }}
-  labels:
-    app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }}
-    app.kubernetes.io/version: {{ .Chart.Version }}
-spec:
-  namespaceSelector:
-    {{- toYaml .Values.serviceMonitor.namespaceSelector | nindent 4 }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ .Values.dbildungsIamServer.commonLabels.name }}
-  endpoints:
-    {{- toYaml .Values.serviceMonitor.endpoints | nindent 4 }}
-{{end}}
\ No newline at end of file
diff --git a/charts/dbildungs-iam-server/values.yaml b/charts/dbildungs-iam-server/values.yaml
index 3b765a28a..91a494ded 100644
--- a/charts/dbildungs-iam-server/values.yaml
+++ b/charts/dbildungs-iam-server/values.yaml
@@ -1,232 +1,146 @@
-dbildungsIamServerCpuMax: 2
-dbildungsIamServerMemMax: 4G
-dbildungsIamServerRedisCpuMax: 2
-dbildungsIamServerRedisMemMax: 4G
-dbildungsIamServerCpuRequest: 200m
-dbildungsIamServerMemRequest: 200Mi
-dbildungsIamServerRedisCpuRequest: 200m
-dbildungsIamServerRedisMemRequest: 200Mi
+nameOverride: ""
+fullnameOverride: ""
+namespaceOverride: ""
+
 backendHostname: ""
 keycloakHostname: ""
-imagePullPolicy: "Always"
-# Configuration of necessary secrets
-# Name of the secrets to inject
-configmap:
-  name: dbildungs-iam-server
-# If we're running inside an environment with a Prometheus-Operator installed we configure a service monitor
-enabledcontainerSecurityContext: true
-enabledbackendserviceport: true
-enabledredisserviceport: true
-enableServiceMonitor: false
-enabledserviceport: true
-enabledredisvolume: true
-
-replicaCount: 1
-image:
-  repository: ghcr.io/dbildungsplattform/dbildungs-iam-server
-  tag: ""
-  pullPolicy: Always
+
+containerSecurityContext:
+  enabled: true
+  runAsUser: 1000
+  runAsNonRoot: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: ["ALL"]
+  seccompProfile:
+    type: "RuntimeDefault"
 restartPolicy: Always
+environment: prod
 database:
   name: ""
-  db_host: ""
-  db_password: ""
-  db_username: ""
+  host: ""
+  password: ""
+  username: ""
 auth:
+  # existingSecret: Refers to a secret already present in the cluster, which is required.
   existingSecret: ""
-  # Name of the secrets to inject
-  name: dbildungs-iam-server
+  secretName: dbildungs-iam-server
   keycloak_adminSecret: ""
   keycloak_clientSecret: ""
   secrets_json: ""
   frontend_sessionSecret: ""
-namespace: ""
-
-environment: prod
-
-secrets:
-  name: dbildungs-iam-server
-
-service:
-  name: dbildungs-iam-server-backend
-redisservice:
-  name: redis-service
-
-dbildungsIamServer:
-  selector:
-    layer: dbildungs-iam-server
-  commonLabels:
-    name: dbildungs-iam-server
 backend:
-  selector:
-    layer: dbildungs-iam-server-backend
-  commonLabels:
-    name: dbildungs-iam-server-backend
-
-redis:
-  selector:
-    layer: dbildungs-iam-server-redis
-  commonLabels:
-    name: dbildungs-iam-server-redis
-
-redisservicetype: ClusterIP
-backendservicetype: ClusterIP
-
-seeding:
-  enabled: true
-  configmap: spsh-seeding-data-configmap
-  database: dev
-
-serviceMonitor:
-  namespaceSelector:
-    any: true
-  endpoints:
-    - port: "web"
-
-containerSecurityContext:
-  runAsUser: 1000
-  runAsNonRoot: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop: ["ALL"]
-  seccompProfile:
-    type: RuntimeDefault
-
-initcontainerSecurityContext:
-  allowPrivilegeEscalation: false
-
-containerResources:
-  requests:
-    cpu: 200m
-    memory: 200Mi
-  limits:
-    cpu: 2
-    memory: 4G
-
-ingress:
-  ingressClassName: nginx
-  pathType: Prefix
-  portnumber: 80
-  automountServiceAccountToken: false
+  replicaCount: 1
+  image:
+    repository: ghcr.io/dbildungsplattform/dbildungs-iam-server
+    tag: ""
+    pullPolicy: Always
+  containerPorts:
+    http: 8080
+  resources:
+    limits:
+      cpu: 2
+      memory: 4G
+    requests:
+      cpu: 200m
+      memory: 200Mi
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 10
+    httpGet:
+      scheme: 'HTTP'
+      port: 8080
+      path: '/health'
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 10
+    httpGet:
+      scheme: 'HTTP'
+      port: 8080
+      path: '/health'
+  dbseeding:
+    enabled: true
+    command: [ "node", "dist/src/console/main.js", "db", "seed", "dev", "" ]
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    pathType: Prefix
+    portnumber: 80
+    automountServiceAccountToken: false
+    paths:
+      - /api
+      - /docs
+      - /docs-json
+      - /docs-yaml
+    annotations: []
+  service:
+    type: ClusterIP
+    ports:
+      http: 80
+  serviceMonitor:
+    enabled: true
+    endpoints:
+      - port: "web"
+  extraEnvVars: []
+  extraVolumes: []
+  volumeMounts:
+    - mountPath: /app/config/config.json
+      subPath: config-json
+      name: config-volume
+      readOnly: true
+    - mountPath: /app/config/secrets.json
+      subPath: secrets-json
+      name: secret-volume
+  extraVolumeMounts: []
-redisinitContainer:
-  - name: copy-tls-data
-    image: alpine
-    volumeMounts:
-      - mountPath: "/tls"
-        name: tls-data
-      - mountPath: "/data"
-        name: data
-rediscontainer:
+redis:
   image:
     name: redis
     repository: redis
     tag: "7.2.4"
     pullPolicy: IfNotPresent
-  volumeMounts:
-    - mountPath: "/data"
-      name: data
-  ports:
-    - name: redis-port
-      containerPort: 6379
-      protocol: TCP
   args:
     - "/data/tls/redis.conf"
+  containerPorts:
+    redis: 6379
+  resources:
+    limits:
+      cpu: 2
+      memory: 4G
+    requests:
+      cpu: 200m
+      memory: 200Mi
   livenessProbe:
+    enabled: true
     tcpSocket:
       port: 6379
     initialDelaySeconds: 15
     timeoutSeconds: 2
   readinessProbe:
+    enabled: true
     tcpSocket:
       port: 6379
     initialDelaySeconds: 5
     timeoutSeconds: 1
   startupProbe:
+    enabled: true
     tcpSocket:
       port: 6379
     failureThreshold: 30
     periodSeconds: 10
+  service:
+    type: ClusterIP
+    ports:
+      redis: 6379
+  extraEnvVars: []
+  extraVolumes: []
+  extraVolumeMounts: []
-redisvolumes:
-  - name: tls-data
-    configMap:
-      name: dbildungs-iam-server-redis-tls-config
-  - name: data
-    emptyDir: {}
-
-redisports:
-  - port: 6379
-    targetPort: redis-port
-    protocol: TCP
-    name: redis-port
-
-initContainers:
-  - name: db-init
-    command: ["node", "dist/src/console/main.js", "db", "init"]
-    volumeMounts:
-      - mountPath: /app/config/config.json
-        subPath: config-json
-        name: config-volume
-        readOnly: true
-      - mountPath: /app/config/secrets.json
-        subPath: secrets-json
-        name: secret-volume
-        readOnly: true
-      - mountPath: /app/sql/{{ .Values.seeding.database }}
-        name: seeding-volume
-        readOnly: true
-  - name: db-seeding
-    command: [ "node", "dist/src/console/main.js", "db", "seed", "dev", "" ]
-    volumeMounts:
-      - mountPath: /app/config/config.json
-        subPath: config-json
-        name: config-volume
-        readOnly: true
-      - mountPath: /app/config/secrets.json
-        subPath: secrets-json
-        name: secret-volume
-        readOnly: true
-      - mountPath: /app/sql/{{ .Values.seeding.database }}
-        name: seeding-volume
-        readOnly: true
-
-backendcontainer:
-  ports:
-    - name: web
-      containerPort: 8080
-  livenessProbe:
-    initialDelaySeconds: 10
-    httpGet:
-      scheme: 'HTTP'
-      port: 8080
-      path: '/health'
-  readinessProbe:
-    initialDelaySeconds: 10
-    httpGet:
-      scheme: 'HTTP'
-      port: 8080
-      path: '/health'
-  volumeMounts:
-    - mountPath: /app/config/config.json
-      subPath: config-json
-      name: config-volume
-      readOnly: true
-    - mountPath: /app/config/secrets.json
-      subPath: secrets-json
-      name: secret-volume
-      readOnly: true
-
-backendports:
-  - port: 80
-    targetPort: web
-    protocol: TCP
-    name: web
\ No newline at end of file
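Review bot: The new `backend.volumeMounts` entry for `/app/config/secrets.json` drops the `readOnly: true` that the removed `backendcontainer.volumeMounts` entry carried, so the secrets file is now mounted writable inside the container; add `readOnly: true` after `name: secret-volume`, as the config.json entry directly above already does. `backend.ingress.annotations: []` is a list where Kubernetes metadata expects a map, so if backend-ingress.yaml (not in this chunk) renders it with `toYaml` the result is an invalid `annotations: []`; `{}` is the safe empty value. `backend.serviceMonitor.endpoints` still targets a port named `"web"` while the container and service ports are now keyed `http`, so unless backend-service.yaml still names a port `web` the monitor will select no endpoint, and with `serviceMonitor.enabled: true` now the default the chart also requires the Prometheus Operator CRDs on every install. `backend.dbseeding.enabled: true` together with the hard-coded `"dev"` seed argument is the shipped default alongside `environment: prod`; defaulting it to `false` would make seeding of dev data an explicit opt-in.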