Add instructions to handle upgrades for auto generated postgresql pas…

…swords Remove hardcoding of postgres password Enable resource configuration for elasticsearch
jfrog · Mar 28, 2019 · 7124dfb · 7124dfb
1 parent f515197
commit 7124dfb
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 17 deletions.
diff --git a/stable/mission-control/README.md b/stable/mission-control/README.md
@@ -29,6 +29,43 @@ helm repo add jfrog https://charts.jfrog.io
 ```bash
 helm install --name mission-control jfrog/mission-control
 ```
+### Auto generated passwords
+
+This section is applicable only for deployments with internal postgreSQL.
+
+Internal postgreSQL needs 5 variables to be available on install or upgrade. If they are not set by user, a random 10 character alphanumeric string will be set for the same. It is recommended for the user to set this explicitly during install and upgrade.
+```bash
+...
+--set postgresql.postgresPassword=<value> \
+--set postgresql.db.jfmcPassword=<value> \
+--set postgresql.db.jfscPassword=<value> \
+--set postgresql.db.jfisPassword=<value> \
+--set postgresql.db.jfexPassword=<value> \
+...
+```
+The values should remain same between upgrades.
+
+If this was autogenerated during `helm install`, the same passwords will have to be passed on future upgrades.
+
+Following can be used to read current set password,(refer [decoding-a-secret](https://kubernetes.io/docs/concepts/configuration/secret/#decoding-a-secret) for more info on reading a sceret value)
+
+POSTGRES_PASSWORD=$(kubectl get secret -n <namespace> <release_name>-postgresql -o jsonpath="{.data.postgres-password}" | base64 --decode)
+JFMC_PG_PASSWORD=$(kubectl get secret -n <namespace> <release_name>-mission-control-postgresql-cred -o jsonpath="{.data.jfmcPassword}" | base64 --decode)
+JFIS_PG_PASSWORD=$(kubectl get secret -n <namespace> <release_name>-mission-control-postgresql-cred -o jsonpath="{.data.jfisPassword}" | base64 --decode)
+JFSC_PG_PASSWORD=$(kubectl get secret -n <namespace> <release_name>-mission-control-postgresql-cred -o jsonpath="{.data.jfscPassword}" | base64 --decode)
+JFEX_PG_PASSWORD=$(kubectl get secret -n <namespace> <release_name>-mission-control-postgresql-cred -o jsonpath="{.data.jfexPassword}" | base64 --decode)
+
+Following parameters can be set during upgrade,
+```bash
+...
+--set postgresql.postgresPassword=${POSTGRES_PASSWORD} \
+--set postgresql.db.jfmcPassword=${JFMC_PG_PASSWORD} \
+--set postgresql.db.jfscPassword=${JFSC_PG_PASSWORD} \
+--set postgresql.db.jfisPassword=${JFIS_PG_PASSWORD} \
+--set postgresql.db.jfexPassword=${JFEX_PG_PASSWORD} \
+...
+```
+
 ### Create a unique MC Key
 Mission Control HA cluster uses a unique mc key. By default the chart has one set in values.yaml (`missionControl.mcKey`).
 
@@ -73,17 +110,24 @@ helm upgrade mission-control jfrog/mission-control
 ### Non compatible upgrades
 In cases where a new version is not compatible with existing deployed version (look in CHANGELOG.md) you should
 * Deploy new version along side old version (set a new release name)
-* Copy configurations and data from old deployment to new one (The following instructions were tested for chart migration from 0.9.x to 1.0.0)
+* Copy configurations and data from old deployment to new one (The following instructions were tested for chart migration from 0.9.4 (3.4.3) to 1.0.0 (3.5.0))
   * Copy data and config from old deployment to local filesystem
     ```
     kubectl cp <elasticsearch-pod>:/usr/share/elasticsearch/data                                   /<local_disk_path>/mission-control-data/elastic_data               -n <old_namespace>
     kubectl cp <postgres-pod>:/var/lib/postgresql/data                                             /<local_disk_path>/mission-control-data/postgres_data              -n <old_namespace>
     kubectl cp <mission-control-pod>:/var/opt/jfrog/mission-control/etc/mission-control.properties /<local_disk_path>/mission-control-data/mission-control.properties -n <old_namespace> -c mission-control
     kubectl cp <mission-control-pod>:/var/opt/jfrog/mission-control/data/security/mc.key           /<local_disk_path>/mission-control-data/mc.key                     -n <old_namespace> -c mission-control
     ```
+  * This point applies only if you have used autogenerated password for postgres in your previous deploy or in your new deployement.
+    * Get the postgres password from previous deploy, (refer [decoding-a-secret](https://kubernetes.io/docs/concepts/configuration/secret/#decoding-a-secret) for more info on reading a sceret value)
+      ```
+      POSTGRES_PASSWORD=$(kubectl get secret -n <old_namespace> <old_release_name>-postgresql -o jsonpath="{.data.postgres-password}" | base64 --decode)
+      ```
+      **NOTE** This needs to be passed with every `helm --set postgresql.postgresPassword=${POSTGRES_PASSWORD} install` and `helm --set postgresql.postgresPassword=${POSTGRES_PASSWORD} upgrade` 
   * Copy data and config from local filesystem to new deployment
-    ```
+    ```bash
     kubectl cp /<local_disk_path>/mission-control-data/mc.key                     <mission-control-pod>:/var/opt/jfrog/mission-control/data/security/mc.key            -n <new_namespace> -c mission-control
+    # Note : This mission-control.properties has to be copied to all the replicas if you plan to scale to more replicas in future
     kubectl cp /<local_disk_path>/mission-control-data/mission-control.properties <mission-control-pod>:/var/opt/jfrog/mission-control/etc/mission-control.properties  -n <new_namespace> -c mission-control
     kubectl cp /<local_disk_path>/mission-control-data/elastic_data               <mission-control-pod>:/usr/share/elasticsearch                                       -n <new_namespace> -c elasticsearch
     kubectl cp /<local_disk_path>/mission-control-data/postgres_data              <postgres-pod>:/var/lib/postgresql                                                   -n <new_namespace>
@@ -98,13 +142,16 @@ In cases where a new version is not compatible with existing deployed version (l
         rm -fr /usr/share/elasticsearch/elastic_data
     ```
 * Restart the new deployment
-```bash
-kubectl scale deployment <postgres-deployment> --replicas=0 -n <new_namespace>
-kubectl scale statefulset <mission-control-statefulset> --replicas=0 -n <new_namespace>
+  ```bash
+  kubectl scale deployment <postgres-deployment> --replicas=0 -n <new_namespace>
+  kubectl scale statefulset <mission-control-statefulset> --replicas=0 -n <new_namespace>
 
-kubectl scale deployment <postgres-deployment> --replicas=1 -n <new_namespace>
-kubectl scale statefulset <mission-control-statefulset> --replicas=1 -n <new_namespace>
-```
+  kubectl scale deployment <postgres-deployment> --replicas=1 -n <new_namespace>
+  kubectl scale statefulset <mission-control-statefulset> --replicas=1 -n <new_namespace>
+
+  # if you are using autogenerated password for postgres, set the postgres password from previous deploy by running an upgrade
+  # helm --set postgresql.postgresPassword=${POSTGRES_PASSWORD} upgrade ...
+  ```
 * Once the new release is up and ready, update mission-control base url with new DNS
   * Login to mission-control pod,
     ```bash

diff --git a/stable/mission-control/ci/test-values.yaml b/stable/mission-control/ci/test-values.yaml
@@ -6,10 +6,3 @@
 # serviceAccount:
 #   create: false
 
-postgresql:
-  postgresPassword: postgres
-  db:
-    jfisPassword: password
-    jfscPassword: password
-    jfexPassword: password
-    jfmcPassword: password
diff --git a/stable/mission-control/templates/mission-control-statefulset.yaml b/stable/mission-control/templates/mission-control-statefulset.yaml
@@ -353,7 +353,7 @@ spec:
         - name: elasticsearch-scripts
           mountPath: "/scripts"
         resources:
-{{ toYaml .Values.resources | indent 10 }}
+{{ toYaml .Values.elasticsearch.resources | indent 10 }}
         livenessProbe:
           exec:
             command:

diff --git a/stable/mission-control/values.yaml b/stable/mission-control/values.yaml
@@ -58,7 +58,7 @@ postgresql:
   enabled: true
   imageTag: "9.6.11"
   postgresUsername: postgres
-  postgresPassword: postgres
+  postgresPassword: 
   postgresConfig:
     maxConnections: "1500"
   db:
@@ -172,10 +172,19 @@ elasticsearch:
     ##
     # storageClass: "-"
 
+  ## ElasticSearch xms and xmx should be same!
   javaOpts: {}
   #  xms: "2g"
   #  xmx: "2g"
 
+  resources: {}
+  #  requests:
+  #    memory: "2Gi"
+  #    cpu: "100m"
+  #  limits:
+  #    memory: "2Gi"
+  #    cpu: "500m"
+
 podRestartTime:
 
 ingress: