From c3a7897428540d2729abac7e136501721175d192 Mon Sep 17 00:00:00 2001
From: Tristan <74349933+trispera@users.noreply.github.com>
Date: Fri, 31 May 2024 11:07:18 +0300
Subject: [PATCH] Improve postgreSQL deployment: (#33)
* Improve postgreSQL deployment:
- Update Chart version to 1.2.0
- Update bitnami/postgresql to 15.x.x to use Openshift SCC
- Use of a global values to use Openshift SCC. Dependency common added for this purpose.
- It's possible to use an external database
- Update NOTES.txt with new text after deployment
- Update README
* Clean code
---
charts/hedgedoc/Chart.yaml | 9 +-
charts/hedgedoc/README.md | 36 ++--
charts/hedgedoc/templates/NOTES.txt | 12 ++
charts/hedgedoc/templates/deployment.yaml | 5 +
charts/hedgedoc/values.schema.json | 209 ++--------------------
charts/hedgedoc/values.yaml | 67 ++-----
6 files changed, 74 insertions(+), 264 deletions(-)
diff --git a/charts/hedgedoc/Chart.yaml b/charts/hedgedoc/Chart.yaml
index 0f51909..eff609f 100644
--- a/charts/hedgedoc/Chart.yaml
+++ b/charts/hedgedoc/Chart.yaml
@@ -2,12 +2,17 @@ apiVersion: v2
name: hedgedoc
description: Hedgedoc Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.1.2
+version: 1.2.0
sources:
- https://github.com/CSCfi/helm-charts
icon: https://raw.githubusercontent.com/hedgedoc/hedgedoc/develop/frontend/src/app/icon.png
dependencies:
+ - name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
- version: 13.x.x
\ No newline at end of file
+ version: 15.x.x
\ No newline at end of file
diff --git a/charts/hedgedoc/README.md b/charts/hedgedoc/README.md
index ccea3aa..9721219 100644
--- a/charts/hedgedoc/README.md
+++ b/charts/hedgedoc/README.md
@@ -11,6 +11,9 @@ If you want to use it with different values, you can edit `values.yaml` file and
helm upgrade --install hedgedoc . -f {custom_values.yaml}
```
+By default, this Helm Chart deployed a postgreSQL database along Hedgedoc. If you want to connect Hedgedoc to an existing external database, you have to enable the parameters
+`postgresqlExternal.enabled` and disable the default one `postgresql.enabled`. More information below in the table.
+
## Parameters
### Common parameters
@@ -22,26 +25,35 @@ helm upgrade --install hedgedoc . -f {custom_values.yaml}
### HedgeDoc parameters
-| Name | Description | Value |
-| -------------------------------------- | ------------------------------------------------------- | --------------------------------- |
-| `hedgedoc.appname` | Name of your app. Used for the creation of the `route` | `my-hedgedoc` |
-| `hedgedoc.domain` | Name of your domain where the Helm is deployed | `rahtiapp.fi` |
-| `hedgedoc.image` | Name of the `hedgedoc` image | `quay.io/hedgedoc/hedgedoc:1.9.4` |
-| `hedgedoc.podSecurityContext` | Set SecurityContext for the pod | `{}` |
+| Name | Description | Value |
+| -------------------------------------- | ------------------------------------------------------- | ------------------------------------------ |
+| `hedgedoc.appname` | Name of your app. Used for the creation of the `route` | `my-hedgedoc` |
+| `hedgedoc.domain` | Name of your domain where the Helm is deployed | `rahtiapp.fi` |
+| `hedgedoc.image` | Name of the `hedgedoc` image | `quay.io/hedgedoc/hedgedoc:1.9.4` |
+| `hedgedoc.podSecurityContext` | Set SecurityContext for the pod | `{}` |
| `hedgedoc.containerSecurityContext` | Set SecurityContext for the container | `allowPrivilegeEscalation: false`
`runAsUser:`
`runAsGroup:`
`capabilities:`
`drop:`
`- ALL`
`runAsNonRoot: true`
`seccompProfile:`
`type: RuntimeDefault` |
-| `hedgedoc.pvc.storageSpace` | Storage space for the PersistentVolume | `5Gi` |
-| `hedgedoc.service.type` | Set the Service type | `ClusterIP` |
-| `hedgedoc.random_pw_secret_key` | Key to store the password | `database-password` |
-| `hedgedoc.secret.database-name` | Name of the database | `postgres` |
-| `hedgedoc.secret.database-user` | Name of the postgres user | `postgres` |
+| `hedgedoc.pvc.storageSpace` | Storage space for the PersistentVolume | `5Gi` |
+| `hedgedoc.service.type` | Set the Service type | `ClusterIP` |
+| `hedgedoc.random_pw_secret_key` | Key to store the password | `database-password` |
+| `hedgedoc.secret.database-name` | Name of the database | `postgres` |
+| `hedgedoc.secret.database-user` | Name of the postgres user | `postgres` |
| `hedgedoc.secret.database-password` | Function that retrieve the generated password | `'{{- include "random_pw_reusable" . -}}'` |
### PostgreSQL parameters
-Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values.
+Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/15.5.0) to check the different values.
The postgres database password is generated randomly and won't change if you upgrade the Chart.
+### HedgeDoc parameters
+
+It's possible to use an external database if you have one ready. Here are the parameters:
+
+| Name | Description | Value |
+| -------------------------------------- | -------------------------------------------------------------------- | ---------- |
+| `postgresqlExternal.enabled` | If you want to use an existing external database | `false` |
+| `postgresqlExternal.externalDatabase` | If you enable an external, enter its DNS name or public address IP | `` |
+
## Cleanup
To delete all the resources, simply uninstall the Helm Chart:
```sh
diff --git a/charts/hedgedoc/templates/NOTES.txt b/charts/hedgedoc/templates/NOTES.txt
index 351d35c..af11b1f 100644
--- a/charts/hedgedoc/templates/NOTES.txt
+++ b/charts/hedgedoc/templates/NOTES.txt
@@ -7,6 +7,18 @@ and then you could access it through this URL:
https://{{ .Values.hedgedoc.appname }}.{{ .Values.hedgedoc.domain }}
+{{ if .Values.postgresql.enabled }}
The postgresql database password is generated automatically. To check its value, run this command:
echo PostgreSQL Password: $(oc get secret --namespace={{ .Release.Namespace }} postgres -o jsonpath="{.data.database-password}" | base64 -d)
+
+{{ else if .Values.postgresqlExternal.enabled }}
+You decided to use an external database named {{ index .Values.hedgedoc.secret "database-name" }} reachable through {{ .Values.postgresqlExternal.externalDatabase }}
+{{ else }}
+!!! WARNING !!!
+No PostgreSQL database is deployed.
+Your pod may fail.
+
+Enable either the values postgresql.enabled
+If you want to use an existing external database, enable the value postgresqlExternal.enabled
+{{ end }}
diff --git a/charts/hedgedoc/templates/deployment.yaml b/charts/hedgedoc/templates/deployment.yaml
index f5b6ce9..67eace1 100644
--- a/charts/hedgedoc/templates/deployment.yaml
+++ b/charts/hedgedoc/templates/deployment.yaml
@@ -39,8 +39,13 @@ spec:
secretKeyRef:
key: database-name
name: postgres
+ {{- if .Values.postgresql.enabled }}
- name: CMD_DB_HOST
value: {{ include "postgresql.v1.primary.fullname" . }}-postgresql
+ {{- else if .Values.postgresqlExternal.enabled }}
+ - name: CMD_DB_HOST
+ value: {{ .Values.postgresqlExternal.externalDatabase }}
+ {{- end }}
- name: CMD_DB_PORT
value: "5432"
- name: CMD_DB_DIALECT
diff --git a/charts/hedgedoc/values.schema.json b/charts/hedgedoc/values.schema.json
index 2c5782a..8d45622 100644
--- a/charts/hedgedoc/values.schema.json
+++ b/charts/hedgedoc/values.schema.json
@@ -109,217 +109,38 @@
},
"type": "object"
},
- "backup": {
- "properties": {
- "cronjob": {
- "properties": {
- "containerSecurityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "podSecurityContext": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
"enabled": {
"type": "boolean"
},
- "metrics": {
+ "tls": {
"properties": {
- "containerSecurityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
+ "enabled": {
+ "type": "boolean"
}
},
"type": "object"
},
- "primary": {
+ "compatibility": {
"properties": {
- "containerSecurityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "persistence": {
- "properties": {
- "size": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "podSecurityContext": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- },
- "service": {
+ "openshift": {
"properties": {
- "type": {
+ "adaptSecurityContext": {
"type": "string"
}
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "readReplicas": {
- "properties": {
- "containerSecurityContext": {
- "properties": {
- "allowPrivilegeEscalation": {
- "type": "boolean"
- },
- "capabilities": {
- "properties": {
- "drop": {
- "items": {
- "type": "string"
- },
- "type": "array"
- }
- },
- "type": "object"
- },
- "enabled": {
- "type": "boolean"
- },
- "runAsNonRoot": {
- "type": "boolean"
- },
- "seccompProfile": {
- "properties": {
- "type": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "podSecurityContext": {
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- },
- "type": "object"
- }
- },
- "type": "object"
- },
- "tls": {
- "properties": {
- "enabled": {
- "type": "boolean"
+ }
}
- },
- "type": "object"
+ }
}
},
"type": "object"
},
+ "postgresqlExternal": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
"route": {
"properties": {
"insecureEdgeTerminationPolicy": {
diff --git a/charts/hedgedoc/values.yaml b/charts/hedgedoc/values.yaml
index f527b1b..7a30cdb 100644
--- a/charts/hedgedoc/values.yaml
+++ b/charts/hedgedoc/values.yaml
@@ -28,13 +28,13 @@ hedgedoc:
storageSpace: 5Gi
service:
type: ClusterIP
- random_pw_secret_key: database-password
+ random_pw_secret_key: database-password # Used by random_pw_reusable function in _helpers.tpl
secret:
database-name: postgres
database-user: postgres
database-password: '{{- include "random_pw_reusable" . -}}'
-# Parameters related to the deployment of PostgreSQL
+# Parameters related to the deployment of PostgreSQL in Rahti
postgresql:
enabled: true
@@ -45,58 +45,13 @@ postgresql:
tls:
enabled: false
- # SecurityContext disabled by default for OpenShift.
- primary:
- service:
- type: ClusterIP
- persistence:
- size: 5Gi
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
+ # Use to remove the SCC and use the OpenShift SCC
+ compatibility:
+ openshift:
+ adaptSecurityContext: force
- readReplicas:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- backup:
- cronjob:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- metrics:
- containerSecurityContext:
- enabled: false
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
+# Parameters related to the deployment of an external PostgreSQL (like Pukki)
+postgresqlExternal:
+ enabled: false
+ # If using an external database, enter the DNS name or public IP
+ externalDatabase: