charts/timesketch Lock tag by release version, simplify ingress for n…

…on GKE setups, remove roll and config override, allow multiple instances to run, README updates (#168)

* Make ingress more generalized, remove roll and config override

* Update README.md with readme-generator-for-helm

Signed-off-by: wajihyassine <[email protected]>

* Allow multiple instances of opensearch

* Update README.md with readme-generator-for-helm

Signed-off-by: wajihyassine <[email protected]>

* Lock version by release

* Update README.md with readme-generator-for-helm

Signed-off-by: wajihyassine <[email protected]>

* Update README with chart upgrade instructions and documentation cleanup

---------

Signed-off-by: wajihyassine <[email protected]>
Co-authored-by: wajihyassine <[email protected]>

charts/timesketch/Chart.lock

@@ -9,4 +9,4 @@ dependencies:
   repository: https://opensearch-project.github.io/helm-charts/
   version: 2.20.0
 digest: sha256:3fbaef8755ed79056d10a0c93cf5d278a47bb5f55b9a98802922edef4faa0610
-generated: "2024-05-16T13:22:27.139681-07:00"
+generated: "2024-09-23T13:14:31.525789-07:00"

charts/timesketch/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: timesketch
-version: 1.0.7
+version: 1.0.8
 description: A Helm chart for Timesketch Kubernetes deployments.
 keywords:
 - timesketch
@@ -29,7 +29,7 @@ sources:
 - https://github.com/google/timesketch
 - https://github.com/google/osdfir-infrastructure
 icon: https://raw.githubusercontent.com/google/timesketch/master/timesketch/frontend-ng/dist/timesketch-color.png
-appVersion: "latest"
+appVersion: "20240828"
 annotations:
   category: Security
   licenses: Apache-2.0

charts/timesketch/templates/_helpers.tpl

@@ -28,11 +28,10 @@ Return the proper persistence volume claim name
 */}}
 {{- define "timesketch.pvc.name" -}}
 {{- $pvcName := .Values.persistence.name -}}
-{{- if .Values.global -}}
-    {{- if .Values.global.existingPVC -}}
-        {{- $pvcName = .Values.global.existingPVC -}}
-    {{- end -}}
-{{- printf "%s-%s" $pvcName "claim" }}
+{{- if and .Values.global .Values.global.existingPVC -}}
+{{- .Values.global.existingPVC -}}
+{{- else -}}
+{{- printf "%s-%s-claim" .Release.Name $pvcName }}
 {{- end -}}
 {{- end -}}
 
@@ -93,10 +92,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "timesketch.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "timesketch.fullname" .) .Values.serviceAccount.name }}
+{{- if .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- printf "%s-%s" .Release.Name "timesketch" }}
 {{- end }}
 {{- end }}
 
@@ -132,12 +131,20 @@ Postgresql subcharts connection url
 {{- end -}}
 {{- end -}}
 
+{{/*
+Override Opensearch Subchart "opensearch.uname" helper function to allow for
+multiple instances using the Release Name.
+*/}}
+{{- define "opensearch.uname" -}}
+{{- printf "%s-%s" .Release.Name .Values.masterService -}}
+{{- end -}}
+
 {{/*
 Opensearch subcharts host name
 */}}
 {{- define "timesketch.opensearch.host" -}}
 {{- if .Values.opensearch.enabled -}}
-{{- printf "%s" .Values.opensearch.masterService -}}
+{{- printf "%s-%s" .Release.Name .Values.opensearch.masterService -}}
 {{- else -}}
 {{ fail "Attempting to use Opensearch, but the subchart is not enabled. This will lead to misconfiguration" }}
 {{- end -}}
@@ -172,11 +179,3 @@ Timesketch service port
 {{- printf "%s-access-list" (include "timesketch.fullname" .) -}}
 {{- end -}}
 {{- end -}}
-
-{{- define "timesketch.configmap" -}}
-{{- if .Values.config.existingConfigMap -}}
-{{- .Values.config.existingConfigMap -}}
-{{- else -}}
-{{- include "timesketch.fullname" . }}-configmap
-{{- end -}}
-{{- end -}}

charts/timesketch/templates/_initContainer.tpl

@@ -59,11 +59,13 @@ Worker pod upon startup.
       name: init-timesketch
     - mountPath: /etc/timesketch
       name: timesketch-configs
+    {{- if .Values.config.existingConfigMap }}
     - mountPath: /tmp/timesketch
       name: uploaded-configs
-  {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
+    {{- end }}
+    {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
     - name: authenticated-emails
       mountPath: /init/authenticated-emails
       readOnly: true
-  {{- end }}
+    {{- end }}
 {{- end }}

charts/timesketch/templates/ingress.yaml

@@ -8,19 +8,19 @@ metadata:
     {{- include "timesketch.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
-    {{- if .Values.ingress.gcp.managedCertificates }}
-    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
-    {{- end }}
     {{- if .Values.ingress.certManager }}
     kubernetes.io/tls-acme: "true"
     cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production
     {{- end }}
+    # GKE specific annotations
     {{- if (eq .Values.ingress.className "gce") }}
     {{- if .Values.ingress.gcp.staticIPName }}
     kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPName }}
     networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
-    {{- else }}
-    {{- fail "A valied .Values.ingress.gcp.staticIPName entry is required when using the GCE Ingress" }}
+    {{- end }}
+    {{- if .Values.ingress.gcp.managedCertificates }}
+    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
+    networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
     {{- end }}
     {{- end }}
 spec:
@@ -31,7 +31,7 @@ spec:
       secretName: {{ include "timesketch.fullname" . }}-tls
   {{- end }}
   rules:
-    - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
+    - host: {{ .Values.ingress.host }}
       http:
         paths:
           - path: /
@@ -58,19 +58,18 @@ metadata:
     {{- include "timesketch.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
-    {{- if .Values.ingress.gcp.managedCertificates }}
-    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
-    {{- end }}
     {{- if .Values.ingress.certManager }}
     kubernetes.io/tls-acme: "true"
     cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production
     {{- end }}
+    # GKE specific annotations
     {{- if (eq .Values.ingress.className "gce") }}
     {{- if .Values.ingress.gcp.staticIPV6Name }}
     kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPV6Name }}
+    {{- end }}
+    {{- if .Values.ingress.gcp.managedCertificates }}
+    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
     networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
-    {{- else }}
-    {{- fail "A valied .Values.ingress.gcp.staticIPV6Name entry is required when using the GCE Ingress" }}
     {{- end }}
     {{- end }}
 spec:
@@ -81,7 +80,7 @@ spec:
       secretName: {{ include "timesketch.fullname" . }}-tls
   {{- end }}
   rules:
-    - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
+    - host: {{ .Values.ingress.host }}
       http:
         paths:
           - path: /

charts/timesketch/templates/serviceaccount.yaml

@@ -9,4 +9,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end }}

charts/timesketch/templates/web-deployment.yaml

@@ -15,8 +15,8 @@ spec:
   template:
     metadata:
       annotations:
-        # Have Deployment restart after each upgrade
-        roll: {{ randAlphaNum 5 | quote }}
+        # Restart pod if values.yaml parameters that affect the config were changed
+        checksum/config: {{  include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }}
         {{- if .Values.metrics.enabled }} 
         prometheus.io/port: {{ .Values.metrics.port | quote }}
         prometheus.io/scrape: "true"
@@ -83,10 +83,11 @@ spec:
             defaultMode: 0744
         - name: timesketch-configs
           emptyDir: {}
+        {{- if .Values.config.existingConfigMap }}
         - name: uploaded-configs
           configMap:
-            name: {{ include "timesketch.configmap" . }}
-            optional: true
+            name: {{ .Values.config.existingConfigMap }}
+        {{- end }}
         {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
         - name: authenticated-emails
           secret:

charts/timesketch/templates/worker-deployment.yaml

@@ -15,8 +15,8 @@ spec:
   template:
     metadata:
       annotations:
-        # Have Deployment restart after each upgrade
-        roll: {{ randAlphaNum 5 | quote }}
+        # Restart pod if values.yaml parameters that affect the config were changed
+        checksum/config: {{  include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }}
         {{- if .Values.metrics.enabled }} 
         prometheus.io/port: {{ .Values.metrics.port | quote }}
         prometheus.io/scrape: "true"
@@ -72,10 +72,11 @@ spec:
             defaultMode: 0744
         - name: timesketch-configs
           emptyDir: {}
+        {{- if .Values.config.existingConfigMap }}
         - name: uploaded-configs
           configMap:
-            name: {{ include "timesketch.configmap" . }}
-            optional: true
+            name: {{ .Values.config.existingConfigMap }}
+        {{- end }}
         {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
         - name: authenticated-emails
           secret:
@@ -96,4 +97,3 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-