diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index e1d615205..97d8c1489 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -11,41 +11,63 @@ concurrency: cancel-in-progress: true jobs: + semantic-version: + outputs: + semanticVersion: ${{ steps.changelog.outputs.version }} + tag: ${{ steps.changelog.outputs.tag }} + clean_changelog: ${{ steps.changelog.outputs.clean_changelog }} + runs-on: ubuntu-22.04 + timeout-minutes: 1 + steps: + - uses: actions/checkout@v4 + - name: Conventional Changelog Update + uses: TriPSs/conventional-changelog-action@v3 + id: changelog + continue-on-error: true + with: + github-token: ${{ github.token }} + output-file: 'CHANGELOG.md' + skip-version-file: 'true' + skip-commit: 'true' + skip-on-empty: 'false' + git-push: 'true' + retag-images: + needs: [semantic-version] + runs-on: ubuntu-22.04 + strategy: + matrix: + package: [backend, migrations, frontend] + steps: + - name: Tag Docker Images + uses: shrink/actions-docker-registry-tag@v3 + with: + registry: ghcr.io + repository: ${{ github.repository }}/${{ matrix.package }} + target: test + tags: ${{ needs.semantic-version.outputs.semanticVersion }} + deploys-test: + needs: [retag-images, semantic-version] name: TEST Deploys environment: test runs-on: ubuntu-22.04 - permissions: - issues: write - strategy: - matrix: - name: [database, backend, frontend] - include: - - name: database - file: database/openshift.deploy.yml - overwrite: false - - name: backend - file: backend/openshift.deploy.yml - overwrite: true - verification_path: /api - - name: frontend - file: frontend/openshift.deploy.yml - overwrite: true timeout-minutes: 10 steps: - - uses: bcgov-nr/action-deployer-openshift@v2.0.0 - with: - file: ${{ matrix.file }} - oc_namespace: ${{ vars.OC_NAMESPACE }} - oc_server: ${{ vars.OC_SERVER }} - oc_token: ${{ secrets.OC_TOKEN }} - overwrite: ${{ matrix.overwrite }} - parameters: - -p ZONE=test -p NAME=${{ github.event.repository.name }} - ${{ matrix.parameters }} - name: ${{ matrix.name }} - penetration_test_token: ${{ secrets.GITHUB_TOKEN }} - verification_path: ${{ matrix.verification_path }} + - uses: actions/checkout@v4 + - name: Deploy + shell: bash + run: | + # Allow pipefail, since we could be catching oc create errors + set +o pipefail + + # Login to OpenShift (NOTE: project command is a safeguard) + oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }} + oc project ${{ vars.oc_namespace }} + + # Deploy Helm Chart + cd charts/${{ github.event.repository.name }} + helm dependency update + helm upgrade --install --wait --atomic ${{ github.event.repository.name }}-test --values values.yaml --set-string global.repository=${{ github.repository }} --set-string backend.containers[0].tag=${{ needs.semantic-version.outputs.semanticVersion }} --set-string backend.initContainers[0].tag=${{ needs.semantic-version.outputs.semanticVersion }} --set-string frontend.containers[0].tag=${{ needs.semantic-version.outputs.semanticVersion }} --set-string bitnami-pg.auth.password=${{secrets.DB_PASSWORD}} --set-string bitnami-pg.auth.postgresPassword=${{secrets.DB_PASSWORD}} --timeout 10m . cleanup-test: name: TEST Pod cleanup @@ -84,7 +106,7 @@ jobs: - name: Install dependencies run: npm ci - name: Run integration tests - run: BASE_URL=https://${{ github.event.repository.name }}-test-backend.apps.silver.devops.gov.bc.ca API_NAME=nest node src/main.js + run: BASE_URL=https://${{ github.event.repository.name }}-test-frontend.apps.silver.devops.gov.bc.ca API_NAME=nest node src/main.js cypress-e2e: name: Cypress end to end test @@ -124,56 +146,40 @@ jobs: path: ./cypress/screenshots if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn` - image-promotions: - name: Promote images - needs: [integration-tests, cypress-e2e, cleanup-test] - runs-on: ubuntu-22.04 - permissions: - packages: write - strategy: - matrix: - component: [database, backend, migrations, frontend] - timeout-minutes: 1 - steps: - - uses: shrink/actions-docker-registry-tag@v3 - with: - registry: ghcr.io - repository: ${{ github.repository }}/${{ matrix.component }} - target: test - tags: prod deploys-prod: name: PROD Deploys - needs: [image-promotions] + needs: [cypress-e2e, integration-tests,deploys-test, semantic-version] # all of this needed to Go To PROD. environment: prod runs-on: ubuntu-22.04 timeout-minutes: 10 - strategy: - matrix: - name: [database, backend, frontend] - include: - - name: database - file: database/openshift.deploy.yml - overwrite: false - - name: backend - file: backend/openshift.deploy.yml - overwrite: true - verification_path: /api - - name: frontend - file: frontend/openshift.deploy.yml - overwrite: true steps: - - uses: bcgov-nr/action-deployer-openshift@v2.0.0 + - uses: actions/checkout@v4 + - name: Deploy + shell: bash + run: | + # Allow pipefail, since we could be catching oc create errors + set +o pipefail + + # Login to OpenShift (NOTE: project command is a safeguard) + oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }} + oc project ${{ vars.oc_namespace }} + + # Deploy Helm Chart + cd charts/${{ github.event.repository.name }} + helm dependency update + helm upgrade --install --wait --atomic ${{ github.event.repository.name }} --values values.yaml --set-string global.repository=${{ github.repository }} --set-string backend.containers[0].tag=${{ needs.semantic-version.outputs.semanticVersion }} --set-string backend.initContainers[0].tag=${{ needs.semantic-version.outputs.semanticVersion }} --set-string frontend.containers[0].tag=${{ needs.semantic-version.outputs.semanticVersion }} --set-string bitnami-pg.auth.password=${{secrets.DB_PASSWORD}} --set-string bitnami-pg.auth.postgresPassword=${{secrets.DB_PASSWORD}} --timeout 10m . + - name: Create Release + uses: softprops/action-gh-release@v1 + if: ${{ needs.semantic-version.outputs.semanticVersion != '' }} + continue-on-error: true + env: + GITHUB_TOKEN: ${{ github.token }} with: - file: ${{ matrix.file }} - oc_namespace: ${{ vars.OC_NAMESPACE }} - oc_server: ${{ vars.OC_SERVER }} - oc_token: ${{ secrets.OC_TOKEN }} - overwrite: ${{ matrix.overwrite }} - parameters: - -p ZONE=prod -p NAME=${{ github.event.repository.name }} - ${{ matrix.parameters }} - verification_path: ${{ matrix.verification_path }} + token: ${{ github.token }} + tag_name: ${{ needs.semantic-version.outputs.tag }} + name: ${{ needs.semantic-version.outputs.tag }} + body: ${{ needs.semantic-version.outputs.clean_changelog }} cleanup-prod: name: PROD Pod cleanup diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index 615595edf..d67b75eb3 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -14,7 +14,6 @@ jobs: # Clean up OpenShift when PR closed, no conditions cleanup-openshift: name: Cleanup OpenShift - if: "!github.event.pull_request.head.repo.fork" runs-on: ubuntu-22.04 timeout-minutes: 10 steps: @@ -24,7 +23,7 @@ jobs: oc project ${{ vars.OC_NAMESPACE }} # Remove old build runs, build pods and deployment pods - oc delete all,pvc,secret -l app=${{ github.event.repository.name }}-${{ github.event.number }} + helm uninstall ${{ github.event.repository.name }}-${{ github.event.number }} # If merged into main, then handle any image promotions image-promotions: @@ -35,7 +34,7 @@ jobs: packages: write strategy: matrix: - package: [database, migrations, backend, frontend] + package: [migrations, backend, frontend] timeout-minutes: 1 steps: - uses: shrink/actions-docker-registry-tag@v3 diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 2a556724a..1b788dc76 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -12,7 +12,6 @@ concurrency: jobs: pr-greeting: - if: "!github.event.pull_request.head.repo.fork" name: PR Greeting env: DOMAIN: apps.silver.devops.gov.bc.ca @@ -33,7 +32,7 @@ jobs: Deployments, as required, will be available below: - [Frontend](https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}) - - [Backend](https://${{ env.PREFIX }}-backend.${{ env.DOMAIN }}/api) + - [Backend](https://${{ env.PREFIX }}-frontend.${{ env.DOMAIN }}/api) Please create PRs in draft mode. Mark as ready to enable: - [Analysis Workflow](https://github.com/${{ github.repository }}/actions/workflows/analysis.yml) @@ -44,16 +43,13 @@ jobs: # https://github.com/bcgov-nr/action-builder-ghcr builds: name: Builds - if: "!github.event.pull_request.head.repo.fork" runs-on: ubuntu-22.04 permissions: packages: write strategy: matrix: - package: [database, migrations, backend, frontend] + package: [ migrations, backend, frontend] include: - - package: database - triggers: ('database/') - package: migrations build_context: ./backend/db triggers: ('backend/db') @@ -67,48 +63,38 @@ jobs: with: keep_versions: 50 package: ${{ matrix.package }} - tag: ${{ github.event.number }} + tag: ${{ github.sha }} tag_fallback: test token: ${{ secrets.GITHUB_TOKEN }} triggers: ${{ matrix.triggers }} build_context: ${{ matrix.build_context }} + - name: Tag Docker Images + uses: shrink/actions-docker-registry-tag@v3 + with: + registry: ghcr.io + repository: ${{ github.repository }}/${{ matrix.package }} + target: ${{ github.sha }} + tags: ${{ github.event.number }} # https://github.com/bcgov-nr/action-deployer-openshift deploys: name: Deploys - if: "!github.event.pull_request.head.repo.fork" needs: [builds] runs-on: ubuntu-22.04 timeout-minutes: 10 - strategy: - matrix: - name: [database, backend, frontend] - include: - - name: database - file: database/openshift.deploy.yml - overwrite: false - triggers: ('database/' 'backend/' 'frontend/') - - name: backend - file: backend/openshift.deploy.yml - overwrite: true - parameters: -p MIN_REPLICAS=1 -p MAX_REPLICAS=2 - triggers: ('database/' 'backend/' 'frontend/') - verification_path: /api - - name: frontend - file: frontend/openshift.deploy.yml - overwrite: true - parameters: -p MIN_REPLICAS=1 -p MAX_REPLICAS=2 - triggers: ('database/' 'backend/' 'frontend/') steps: - - uses: bcgov-nr/action-deployer-openshift@v2.0.0 - with: - file: ${{ matrix.file }} - oc_namespace: ${{ vars.OC_NAMESPACE }} - oc_server: ${{ vars.OC_SERVER }} - oc_token: ${{ secrets.OC_TOKEN }} - overwrite: ${{ matrix.overwrite }} - parameters: - -p ZONE=${{ github.event.number }} -p NAME=${{ github.event.repository.name }} - ${{ matrix.parameters }} - triggers: ${{ matrix.triggers }} - verification_path: ${{ matrix.verification_path }} + - uses: actions/checkout@v3 + - name: Deploy + shell: bash + run: | + # Allow pipefail, since we could be catching oc create errors + set +o pipefail + echo "IncrementalTag is $IncrementalTag" + # Login to OpenShift (NOTE: project command is a safeguard) + oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }} + oc project ${{ vars.oc_namespace }} + + # Deploy Helm Chart + cd charts/${{ github.event.repository.name }} + helm dependency update + helm upgrade --install --wait --atomic ${{ github.event.repository.name }}-${{ github.event.number }} --values values-pr.yaml --set-string global.repository=${{ github.repository }} --set-string backend.containers[0].tag="${{ github.sha }}" --set-string backend.initContainers[0].tag="${{ github.sha }}" --set-string frontend.containers[0].tag="${{ github.sha }}" --set-string bitnami-pg.auth.password=${{secrets.DB_PASSWORD}} --set-string bitnami-pg.auth.postgresPassword=${{secrets.DB_PASSWORD}} --timeout 10m . diff --git a/database/charts/.helmignore b/charts/quickstart-openshift/.helmignore similarity index 100% rename from database/charts/.helmignore rename to charts/quickstart-openshift/.helmignore diff --git a/database/charts/Chart.yaml b/charts/quickstart-openshift/Chart.yaml similarity index 63% rename from database/charts/Chart.yaml rename to charts/quickstart-openshift/Chart.yaml index bb37b4407..ab99e51e2 100644 --- a/database/charts/Chart.yaml +++ b/charts/quickstart-openshift/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: database -description: Postgres +name: quickstart-openshift +description: A Helm chart for Kubernetes deployment. icon: https://www.nicepng.com/png/detail/521-5211827_bc-icon-british-columbia-government-logo.png # A chart can be either an 'application' or a 'library' chart. @@ -23,3 +23,29 @@ version: 0.1.0 # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "1.16.0" + +dependencies: + - name: component + condition: backend.enabled + version: 0.0.12 + repository: https://bcgov.github.io/helm-service + alias: backend + + - name: component + condition: frontend.enabled + version: 0.0.12 + repository: https://bcgov.github.io/helm-service + alias: frontend + + + - name: postgresql + condition: bitnami-pg.enabled + version: 13.0.0 + repository: https://charts.bitnami.com/bitnami + alias: bitnami-pg + + - name: component + condition: backup.enabled + version: 0.0.12 + repository: https://bcgov.github.io/helm-service + alias: backup diff --git a/charts/quickstart-openshift/templates/_helpers.tpl b/charts/quickstart-openshift/templates/_helpers.tpl new file mode 100644 index 000000000..9f6bfa397 --- /dev/null +++ b/charts/quickstart-openshift/templates/_helpers.tpl @@ -0,0 +1,48 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "name.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "labels" -}} +helm.sh/chart: {{ include "name.chart" . }} +{{ include "selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "selectorLabels" -}} +app.kubernetes.io/name: {{ include "fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + diff --git a/charts/quickstart-openshift/templates/knp.yaml b/charts/quickstart-openshift/templates/knp.yaml new file mode 100644 index 000000000..dbd89d277 --- /dev/null +++ b/charts/quickstart-openshift/templates/knp.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }}-openshift-ingress + labels: {{- include "selectorLabels" . | nindent 4 }} +spec: + podSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }}-allow-same-namespace + labels: {{- include "selectorLabels" . | nindent 4 }} +spec: + podSelector: {} + ingress: + - from: + - podSelector: {} + policyTypes: + - Ingress + diff --git a/charts/quickstart-openshift/templates/secret.yaml b/charts/quickstart-openshift/templates/secret.yaml new file mode 100644 index 000000000..579489272 --- /dev/null +++ b/charts/quickstart-openshift/templates/secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.global.secrets .Values.global.secrets.enabled}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }} + labels: {{- include "selectorLabels" . | nindent 4 }} +data: + databasePassword: {{ .Values.global.secrets.databasePassword | b64enc | quote }} + databaseUser: {{ .Values.global.secrets.databaseUser| default "postgres" | b64enc | quote }} + databaseName: {{ .Values.global.secrets.databaseName| default "postgres" | b64enc | quote }} +{{- end }} diff --git a/charts/quickstart-openshift/values-pr.yaml b/charts/quickstart-openshift/values-pr.yaml new file mode 100644 index 000000000..a84581ebf --- /dev/null +++ b/charts/quickstart-openshift/values-pr.yaml @@ -0,0 +1,434 @@ +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + repository: ~ # the repository where the images are stored. + registry: ghcr.io # the registry where the images are stored. override during runtime for other registry at global level or individual level. + secrets: + annotation: + helm.sh/policy: "keep" + domain: "apps.silver.devops.gov.bc.ca" # it is required, apps.silver.devops.gov.bc.ca for silver cluster + openshiftImageRegistry: "image-registry.openshift-image-registry.svc:5000" + +backend: + enabled: true + deployment: # can be either a statefulSet or a deployment not both + enabled: true + + containers: + - name: backend + registry: '{{ .Values.global.registry }}' + repository: '{{ .Values.global.repository }}' # example, it includes registry and repository + image: backend # the exact component name, be it backend, api-1 etc... + tag: prod # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash + env: + fromLocalSecret: + - name: POSTGRES_PASSWORD + key: password + secretName: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + #- name: POSTGRES_PASSWORD + # key: password + # secretName: '{{ .Release.Name }}-bitnami-pg-ha' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + + fromValues: + - name: POSTGRES_HOST + value: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + #- name: POSTGRES_HOST + # value: '{{ .Release.Name }}-bitnami-pg-pool' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + - name: POSTGRES_USER + value: quickstart + - name: POSTGRES_DATABASE + value: quickstart + + ports: + - name: http + containerPort: 3000 + protocol: TCP + resources: # this is optional + limits: + cpu: 150m + memory: 250Mi + requests: + cpu: 100m + memory: 150Mi + readinessProbe: + httpGet: + path: /api + port: 3000 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + successThreshold: 1 + failureThreshold: 3 + httpGet: + path: /api + port: 3000 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + initContainers: + - name: database-migrations + registry: '{{ .Values.global.registry }}' # example, it includes registry + repository: '{{ .Values.global.repository }}' # example, it includes registry and repository + image: migrations + tag: prod + env: + fromLocalSecret: + - name: FLYWAY_PASSWORD + key: password + secretName: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + #- name: FLYWAY_PASSWORD + # key: password + # secretName: '{{ .Release.Name }}-bitnami-pg-ha' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + fromValues: + - name: FLYWAY_URL + value: 'jdbc:postgresql://{{ .Release.Name }}-bitnami-pg:5432/quickstart' + - name: FLYWAY_BASELINE_ON_MIGRATE + value: "true" + - name: FLYWAY_DEFAULT_SCHEMA + value: "USERS" + - name: FLYWAY_USER + value: "quickstart" + resources: + limits: + cpu: 250m + memory: 250Mi + requests: + cpu: 200m + memory: 150Mi + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 80 # this percentage from request cpu + vault: + enabled: false + entrypoint: ~ # the entrypoint for vault, this is the override of container command. + role: ~ #licenseplate-prod or licenseplate-nonprod + secretPaths: # the paths where secrets live. dev/api-1, dev/api-2, test/api-1 etc... + - dev/api-1 + - dev/api-2 + - test/api-1 + - test/api-2 + - prod/api-1 + - prod/api-2 + resources: + limits: + cpu: 50m + memory: 50Mi + requests: + cpu: 20m + memory: 25Mi + service: + enabled: true + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 3000 # the container port where the application is listening on + protocol: TCP + nodeSelector: { } + tolerations: [ ] + affinity: { } + +frontend: + enabled: true + deployment: # can be either a statefulSet or a deployment not both + enabled: true + configmap: + enabled: true + data: # below is just for example. + config.js: |- + const envConfig = (() => { + return { + "VITE_DEPLOY_ENVIRONMENT":"{{ .Release.Name }}-{{ .Release.Namespace }}" + }; + })(); + config.prod.js: |- + const envConfig = (() => { + return { + "VITE_DEPLOY_ENVIRONMENT":"static" + }; + })(); + containers: + - name: frontend + registry: '{{ .Values.global.registry }}' # example, it includes registry + repository: '{{ .Values.global.repository }}' # example, it includes repository + image: frontend # the exact component name, be it backend, api-1 etc... + tag: prod # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash + securityContext: + capabilities: + add: [ "NET_BIND_SERVICE" ] + env: + fromValues: + - name: BACKEND_URL + value: "http://{{ .Release.Name }}-backend" + - name: LOG_LEVEL + value: "info" + fromLocalConfigmap: # just for example purpose. + - name: frontend-configmap + key: config.js + - name: frontend-prod-configmap + key: config.prod.js + ports: + - name: http + containerPort: 3000 + protocol: TCP + - name: http2 + containerPort: 3001 + protocol: TCP + resources: # this is optional + limits: + cpu: 100m + memory: 150Mi + requests: + cpu: 50m + memory: 50Mi + readinessProbe: + httpGet: + path: /health + port: 3001 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + successThreshold: 1 + failureThreshold: 3 + httpGet: + path: /health + port: 3001 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 80 # this percentage from request cpu + service: + enabled: true + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 3000 # the container port where the application is listening on + protocol: TCP + route: + enabled: true + host: "{{ .Release.Name }}-frontend.{{ .Values.global.domain }}" + targetPort: http # look at line#164 refer to the name. + +crunchy: # enable it for TEST and PROD, for PR based pipelines simply use single postgres + enabled: false + + crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 + + postgresVersion: 15 + postGISVersion: '3.3' + imagePullPolicy: Always + instances: + name: ha # high availability + replicas: 1 # 2 or 3 for high availability in TEST and PROD. + metadata: + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' + dataVolumeClaimSpec: + storage: 120Mi + storageClassName: netapp-block-standard + requests: + cpu: 25m + memory: 256Mi + limits: + cpu: 100m + memory: 512Mi + replicaCertCopy: + requests: + cpu: 1m + memory: 32Mi + limits: + cpu: 50m + memory: 64Mi + + pgBackRest: + enabled: false + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + retention: "1" # Ideally a larger number such as 30 backups/days + # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention + # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration + retentionFullType: count + repos: + schedules: + full: 0 8 * * * + incremental: 0 0,4,12,16,20 * * * + volume: + accessModes: "ReadWriteOnce" + storage: 64Mi + storageClassName: netapp-file-backup + repoHost: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + sidecars: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + + patroni: + postgresql: + pg_hba: "host all all 0.0.0.0/0 md5" + parameters: + shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod + wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger + min_wal_size: 32MB + max_wal_size: 64MB # default is 1GB + max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind + + proxy: + pgBouncer: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + replicas: 1 + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + + # Postgres Cluster resource values: + pgmonitor: + enabled: false + exporter: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + +bitnami-pg: + enabled: true + image: + registry: ghcr.io + repository: bcgov/nr-containers/bitnami/postgresql + tag: 16.0.0 + auth: + username: quickstart + password: default # overridden at deployment + database: quickstart + postgresPassword: default # overridden at deployment + shmVolume: + enabled: false + backup: + enabled: false + cronjob: + containerSecurityContext: { } + podSecurityContext: + enabled: false + storage: + size: 200Mi + primary: + persistence: + enabled: true + storageClass: netapp-file-standard + accessModes: + - ReadWriteOnce + size: 100Mi + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false + initdb: + scripts: + postgis.sql: | + CREATE EXTENSION postgis; + + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + cpu: 150m + memory: 250Mi + +backup: + enabled: true + pvc: + enabled: true + size: 256Mi + storageClassName: netapp-file-standard + accessModes: ReadWriteOnce + cronjob: + enabled: true + volumes: + - name: "{{.Release.Name}}-backup" + persistentVolumeClaim: + claimName: "{{.Release.Name}}-backup" + restartPolicy: "Never" + schedule: "0 0 * * *" + concurrencyPolicy: "Replace" + failedJobsHistoryLimit: 7 + successfulJobsHistoryLimit: 30 + startingDeadlineSeconds: 3600 + containers: + - name: backup + registry: 'docker.io' + repository: 'bcgovimages' # example, it includes registry and repository + image: backup-container # the exact component name, be it backend, api-1 etc... + tag: latest # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash + command: + - "/bin/bash" + - "-c" + - "/backup.sh -1" + volumeMounts: + - mountPath: "/backups/" + name: "{{.Release.Name}}-backup" + env: + fromValues: + - name: BACKUP_DIR + value: "/backups/" + - name: BACKUP_STRATEGY + value: "rolling" + - name: NUM_BACKUPS + value: '5' + - name: DAILY_BACKUPS + value: '7' + - name: WEEKLY_BACKUPS + value: '4' + - name: MONTHLY_BACKUPS + value: '1' + - name: DATABASE_SERVICE_NAME # depends on which chart being used, adjust accordingly. + value: '{{.Release.Name}}-bitnami-pg' + - name: DEFAULT_PORT + value: "5432" + - name: POSTGRESQL_DATABASE + value: "quickstart" + - name: DATABASE_USER + value: "quickstart" + fromLocalSecret: + - name: DATABASE_PASSWORD + key: password + secretName: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + resources: + limits: + cpu: 50m + memory: 256Mi + requests: + cpu: 20m + memory: 128Mi + diff --git a/charts/quickstart-openshift/values.yaml b/charts/quickstart-openshift/values.yaml new file mode 100644 index 000000000..8f77ca039 --- /dev/null +++ b/charts/quickstart-openshift/values.yaml @@ -0,0 +1,424 @@ +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + repository: ~ # the repository where the images are stored. + registry: ghcr.io # the registry where the images are stored. override during runtime for other registry at global level or individual level. + secrets: + annotation: + helm.sh/policy: "keep" + domain: "apps.silver.devops.gov.bc.ca" # it is required, apps.silver.devops.gov.bc.ca for silver cluster + openshiftImageRegistry: "image-registry.openshift-image-registry.svc:5000" + +backend: + enabled: true + deployment: # can be either a statefulSet or a deployment not both + enabled: true + + containers: + - name: backend + registry: '{{ .Values.global.registry }}' + repository: '{{ .Values.global.repository }}' # example, it includes registry and repository + image: backend # the exact component name, be it backend, api-1 etc... + tag: prod # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash + env: + fromLocalSecret: + - name: POSTGRES_PASSWORD + key: password + secretName: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + + fromValues: + - name: POSTGRES_HOST + value: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + - name: POSTGRES_USER + value: quickstart + - name: POSTGRES_DATABASE + value: quickstart + + ports: + - name: http + containerPort: 3000 + protocol: TCP + resources: # this is optional + limits: + cpu: 150m + memory: 250Mi + requests: + cpu: 75m + memory: 150Mi + readinessProbe: + httpGet: + path: /api + port: 3000 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + successThreshold: 1 + failureThreshold: 3 + httpGet: + path: /api + port: 3000 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + initContainers: + - name: database-migrations + registry: '{{ .Values.global.registry }}' + repository: '{{ .Values.global.repository }}' # example, it includes registry and repository + image: migrations + tag: prod + env: + fromLocalSecret: + - name: FLYWAY_PASSWORD + key: password + secretName: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + fromValues: + - name: FLYWAY_URL + value: 'jdbc:postgresql://{{ .Release.Name }}-bitnami-pg:5432/quickstart' + - name: FLYWAY_BASELINE_ON_MIGRATE + value: "true" + - name: FLYWAY_DEFAULT_SCHEMA + value: "USERS" + - name: FLYWAY_USER + value: "quickstart" + resources: + limits: + cpu: 250m + memory: 250Mi + requests: + cpu: 200m + memory: 150Mi + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 # this percentage from request cpu + vault: + enabled: false + entrypoint: ~ # the entrypoint for vault, this is the override of container command. + role: ~ #licenseplate-prod or licenseplate-nonprod + secretPaths: # the paths where secrets live. dev/api-1, dev/api-2, test/api-1 etc... + - dev/api-1 + - dev/api-2 + - test/api-1 + - test/api-2 + - prod/api-1 + - prod/api-2 + resources: + limits: + cpu: 50m + memory: 50Mi + requests: + cpu: 50m + memory: 25Mi + service: + enabled: true + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 3000 # the container port where the application is listening on + protocol: TCP + nodeSelector: { } + tolerations: [ ] + affinity: { } + +frontend: + enabled: true + deployment: # can be either a statefulSet or a deployment not both + enabled: true + configmap: + enabled: true + data: # below is just for example. + config.js: |- + const envConfig = (() => { + return { + "VITE_DEPLOY_ENVIRONMENT":"{{ .Release.Name }}-{{ .Release.Namespace }}" + }; + })(); + config.prod.js: |- + const envConfig = (() => { + return { + "VITE_DEPLOY_ENVIRONMENT":"static" + }; + })(); + containers: + - name: frontend + registry: '{{ .Values.global.registry }}' + repository: '{{ .Values.global.repository }}' # example, it includes registry and repository + image: frontend # the exact component name, be it backend, api-1 etc... + tag: prod # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash + securityContext: + capabilities: + add: [ "NET_BIND_SERVICE" ] + env: + fromValues: + - name: BACKEND_URL + value: "http://{{ .Release.Name }}-backend" + - name: LOG_LEVEL + value: "info" + fromLocalConfigmap: # just for example purpose. + - name: frontend-configmap + key: config.js + - name: frontend-prod-configmap + key: config.prod.js + ports: + - name: http + containerPort: 3000 + protocol: TCP + - name: http2 + containerPort: 3001 + protocol: TCP + resources: # this is optional + limits: + cpu: 100m + memory: 150Mi + requests: + cpu: 30m + memory: 50Mi + readinessProbe: + httpGet: + path: /health + port: 3001 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 2 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + successThreshold: 1 + failureThreshold: 3 + httpGet: + path: /health + port: 3001 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 # this percentage from request cpu + service: + enabled: true + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 3000 # the container port where the application is listening on + protocol: TCP + route: + enabled: true + host: "{{ .Release.Name }}-frontend.{{ .Values.global.domain }}" + targetPort: http # look at line#164 refer to the name. + +crunchy: # enable it for TEST and PROD, for PR based pipelines simply use single postgres + enabled: false + + crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 + + postgresVersion: 15 + postGISVersion: '3.3' + imagePullPolicy: Always + instances: + name: ha # high availability + replicas: 1 # 2 or 3 for high availability in TEST and PROD. + metadata: + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' + dataVolumeClaimSpec: + storage: 120Mi + storageClassName: netapp-block-standard + requests: + cpu: 25m + memory: 256Mi + limits: + cpu: 100m + memory: 512Mi + replicaCertCopy: + requests: + cpu: 1m + memory: 32Mi + limits: + cpu: 50m + memory: 64Mi + + pgBackRest: + enabled: false + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + retention: "1" # Ideally a larger number such as 30 backups/days + # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention + # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration + retentionFullType: count + repos: + schedules: + full: 0 8 * * * + incremental: 0 0,4,12,16,20 * * * + volume: + accessModes: "ReadWriteOnce" + storage: 64Mi + storageClassName: netapp-file-backup + repoHost: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + sidecars: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + + patroni: + postgresql: + pg_hba: "host all all 0.0.0.0/0 md5" + parameters: + shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod + wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger + min_wal_size: 32MB + max_wal_size: 64MB # default is 1GB + max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind + + proxy: + pgBouncer: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + replicas: 1 + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + + # Postgres Cluster resource values: + pgmonitor: + enabled: false + exporter: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + +bitnami-pg: + enabled: true + image: + registry: ghcr.io + repository: bcgov/nr-containers/bitnami/postgresql + tag: 16.0.0 + auth: + username: quickstart + password: default # overridden at deployment + database: quickstart + postgresPassword: default # overridden at deployment + shmVolume: + enabled: false + backup: + enabled: true + cronjob: + containerSecurityContext: { } + podSecurityContext: + enabled: false + storage: + size: 200Mi + primary: + persistence: + enabled: true + storageClass: netapp-file-standard + accessModes: + - ReadWriteOnce + size: 100Mi + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false + initdb: + scripts: + postgis.sql: | + CREATE EXTENSION postgis; + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + cpu: 150m + memory: 250Mi + +backup: + enabled: true + pvc: + enabled: true + size: 256Mi + storageClassName: netapp-file-standard + accessModes: ReadWriteOnce + cronjob: + enabled: true + volumes: + - name: "{{.Release.Name}}-backup" + persistentVolumeClaim: + claimName: "{{.Release.Name}}-backup" + restartPolicy: "Never" + schedule: "0 0 * * *" + concurrencyPolicy: "Replace" + failedJobsHistoryLimit: 7 + successfulJobsHistoryLimit: 30 + startingDeadlineSeconds: 3600 + containers: + - name: backup + registry: 'docker.io' + repository: 'bcgovimages' # example, it includes registry and repository + image: backup-container # the exact component name, be it backend, api-1 etc... + tag: latest # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash + command: + - "/bin/bash" + - "-c" + - "/backup.sh -1" + volumeMounts: + - mountPath: "/backups/" + name: "{{.Release.Name}}-backup" + env: + fromValues: + - name: BACKUP_DIR + value: "/backups/" + - name: BACKUP_STRATEGY + value: "rolling" + - name: NUM_BACKUPS + value: '5' + - name: DAILY_BACKUPS + value: '7' + - name: WEEKLY_BACKUPS + value: '4' + - name: MONTHLY_BACKUPS + value: '1' + - name: DATABASE_SERVICE_NAME # depends on which chart being used, adjust accordingly. + value: '{{.Release.Name}}-bitnami-pg' + - name: DEFAULT_PORT + value: "5432" + - name: POSTGRESQL_DATABASE + value: "quickstart" + - name: DATABASE_USER + value: "quickstart" + fromLocalSecret: + - name: DATABASE_PASSWORD + key: password + secretName: '{{ .Release.Name }}-bitnami-pg' # this is interpolated, it will be replaced with the actual value, pg is the alias for crunchy. + resources: + limits: + cpu: 50m + memory: 256Mi + requests: + cpu: 20m + memory: 128Mi diff --git a/database/Dockerfile b/database/Dockerfile deleted file mode 100644 index 6e2d924c3..000000000 --- a/database/Dockerfile +++ /dev/null @@ -1,5 +0,0 @@ -FROM postgres:15 - -# Health check and non-privileged user -HEALTHCHECK --interval=15s --timeout=5s --retries=3 CMD [ "pg_isready" ] -USER postgres diff --git a/database/charts/templates/NOTES.txt b/database/charts/templates/NOTES.txt deleted file mode 100644 index 7f9a77775..000000000 --- a/database/charts/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - -To learn more about the release, try: - - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - diff --git a/database/charts/templates/_helpers.tpl b/database/charts/templates/_helpers.tpl deleted file mode 100644 index 052d6a88a..000000000 --- a/database/charts/templates/_helpers.tpl +++ /dev/null @@ -1,72 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "database.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "database.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "database.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "database.labels" -}} -helm.sh/chart: {{ include "database.chart" . }} -{{ include "database.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "database.selectorLabels" -}} -app.kubernetes.io/name: {{ include "database.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "database.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "database.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Custom content (non-boilerplate) starts here -*/}} -{{- define "metadata" }} -metadata: - name: "{{ .Values.repo }}-{{ .Values.zone }}-{{ .Values.component }}" - labels: - app: "{{ .Values.repo }}-{{ .Values.zone }}" -{{- end }} diff --git a/database/charts/templates/backups.yaml b/database/charts/templates/backups.yaml deleted file mode 100644 index 60f49f4b7..000000000 --- a/database/charts/templates/backups.yaml +++ /dev/null @@ -1,82 +0,0 @@ ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ tpl .Values.id.backups . }} -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.resources.pvc.size }} - storageClassName: netapp-file-standard ---- -kind: CronJob -apiVersion: batch/v1 -metadata: - name: {{ tpl .Values.id.backups . }} -spec: - schedule: {{ .Values.backups.schedule | quote }} - concurrencyPolicy: "Replace" - successfulJobsHistoryLimit: {{ .Values.backups.job.history }} - failedJobsHistoryLimit: {{ .Values.backups.job.keep.failed }} - jobTemplate: - {{- include "metadata" . | indent 4 }} - spec: - backoffLimit: {{ .Values.backups.job.retries }} - template: - {{- include "metadata" . | indent 8 }} - cronjob: {{ tpl .Values.id.backups . }} - spec: - containers: - - name: {{ tpl .Values.id.backups . }} - image: {{ .Values.backups.image }} - command: - - "/bin/bash" - - "-c" - - "/backup.sh -1" - volumeMounts: - - mountPath: {{ .Values.backups.dir }} - name: "backup" - env: - - name: BACKUP_DIR - value: {{ .Values.backups.dir }} - - name: BACKUP_STRATEGY - value: {{ .Values.backups.dir }} - - name: NUM_BACKUPS - value: {{ .Values.backups.count | default 5 | quote }} - - name: DAILY_BACKUPS - value: {{ .Values.backups.dailies | default 7 | quote }} - - name: WEEKLY_BACKUPS - value: {{ .Values.backups.weeklies | default 4 | quote }} - - name: MONTHLY_BACKUPS - value: {{ .Values.backups.monthlies | default 1 | quote }} - - name: DATABASE_SERVICE_NAME - value: {{ tpl .Values.id.database . }} - - name: DEFAULT_PORT - value: {{ .Values.backups.port | default 5432 | quote }} - - name: POSTGRES_DATABASE - valueFrom: - secretKeyRef: - name: {{ tpl .Values.id.database . }} - key: "database-name" - - name: DATABASE_USER - valueFrom: - secretKeyRef: - name: {{ tpl .Values.id.database . }} - key: "database-user" - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ tpl .Values.id.database . }} - key: "database-password" - volumes: - - name: backup - persistentVolumeClaim: - claimName: {{ tpl .Values.id.backups . }} - restartPolicy: "Never" - terminationGracePeriodSeconds: 30 - activeDeadlineSeconds: 1600 - dnsPolicy: "ClusterFirst" - serviceAccountName: {{ .Values.backups.job.name | default "default" | quote }} - serviceAccount: {{ .Values.backups.job.name | default "default" | quote }} diff --git a/database/charts/templates/database.yaml b/database/charts/templates/database.yaml deleted file mode 100644 index 9be8f722f..000000000 --- a/database/charts/templates/database.yaml +++ /dev/null @@ -1,127 +0,0 @@ ---- -kind: PersistentVolumeClaim -apiVersion: v1 -{{- include "metadata" . }} -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.resources.pvc.size }} - storageClassName: netapp-file-standard ---- -kind: ImageStream -apiVersion: image.openshift.io/v1 -{{- include "metadata" . }} -spec: - lookupPolicy: - local: false - tags: - - name: {{ tpl .Values.id.database . }} - from: - kind: DockerImage - name: "{{ .Values.image.registry }}/{{ .Values.org }}/{{ .Values.repo }}/{{ .Values.component }}:{{ .Values.image.tag }}" - referencePolicy: - type: Local ---- -kind: DeploymentConfig -apiVersion: apps.openshift.io/v1 -{{- include "metadata" . }} -spec: - replicas: 1 - triggers: - - type: ConfigChange - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - {{ tpl .Values.id.database . }} - from: - kind: ImageStreamTag - name: "{{ tpl .Values.id.database . }}:{{ .Values.image.tag }}" - selector: - deploymentconfig: {{ tpl .Values.id.database . }} - strategy: - type: Recreate - recreateParams: - timeoutSeconds: 600 - activeDeadlineSeconds: 21600 - template: - {{- include "metadata" . | indent 4 }} - deploymentconfig: {{ tpl .Values.id.database . }} - spec: - volumes: - - name: {{ tpl .Values.id.database . }} - persistentVolumeClaim: - claimName: {{ tpl .Values.id.database . }} - containers: - - name: {{ tpl .Values.id.database . }} - image: "{{ tpl .Values.id.database . }}:{{ .Values.image.tag }}" - securityContext: - allowPrivilegeEscalation: false - ports: - - containerPort: 5432 - protocol: TCP - readinessProbe: - exec: - command: - - /usr/bin/env - - bash - - -c - - psql -q -U $POSTGRES_USER -d $POSTGRES_DB -c 'SELECT 1' - failureThreshold: 5 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 1 - livenessProbe: - exec: - command: - - /usr/bin/env - - bash - - -c - - psql -q -U $POSTGRES_USER -d $POSTGRES_DB -c 'SELECT 1' - failureThreshold: 5 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 1 - env: - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: {{ tpl .Values.id.database . }} - key: database-user - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ tpl .Values.id.database . }} - key: database-password - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: {{ tpl .Values.id.database . }} - key: database-user - volumeMounts: - - name: {{ tpl .Values.id.database . }} - mountPath: {{ .Values.resources.pvc.mount }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - imagePullPolicy: Always - restartPolicy: Always - terminationGracePeriodSeconds: 30 - dnsPolicy: ClusterFirst - schedulerName: default-scheduler ---- -apiVersion: v1 -kind: Service -{{- include "metadata" . }} -spec: - ports: - - name: postgresql - nodePort: 0 - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - deploymentconfig: {{ tpl .Values.id.database . }} - sessionAffinity: None - type: ClusterIP diff --git a/database/charts/templates/secret.yaml b/database/charts/templates/secret.yaml deleted file mode 100644 index 86065d821..000000000 --- a/database/charts/templates/secret.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -Secret for database -- Uses annotation to prevent removal from zone=(test|prod) -- Reuses existing passwords, if found -*/}} ---- -apiVersion: v1 -kind: Secret -{{- include "metadata" . }} -{{- if or (eq (.Values.zone | toString ) "test") (eq (.Values.zone | toString ) "prod") }} - annotations: - "helm.sh/resource-policy": "keep" # Retain secret for non-PRs (test|prod) -{{- end }} -data: - database-name: {{ .Values.database.name | b64enc }} - database-user: {{ .Values.database.user | b64enc }} - {{- $secretData := (lookup "v1" "Secret" .Release.Namespace (tpl .Values.id .)).data | default dict }} - database-password: {{ get $secretData "database-password" | default (randAlphaNum 32 | b64enc ) | quote }} diff --git a/database/charts/values.schema.json b/database/charts/values.schema.json deleted file mode 100644 index 60b3f0ee4..000000000 --- a/database/charts/values.schema.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "type": "object", - "properties": { - "component": { - "type": "string" - }, - "org": { - "type": "string" - }, - "repo": { - "type": "string" - } - }, - "required": [ - "org", - "repo", - "zone" - ] -} diff --git a/database/charts/values.yaml b/database/charts/values.yaml deleted file mode 100644 index 258a4edc8..000000000 --- a/database/charts/values.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Default values for charts. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -component: database -image: - tag: latest - registry: ghcr.io -org: ~ -repo: ~ -resources: - pvc: - mount: /var/lib/postgresql - size: 256Mi -zone: ~ - -backups: - component: database-backup - dir: /backups/ - image: bcgovimages/backup-container:latest - job: - retries: 0 - history: 5 - keep: - successful: 5 - failed: 2 - pvc-size: 256Mi - schedule: "05 8 * * *" # Run daily at 8:05 AM UTC - strategy: rolling - -# Templated/calculated values -# - Consume with: {{ tpl "whatever" . }} -id: - database: "{{ .Values.repo }}-{{ .Values.zone }}-{{ .Values.component }}" - backups: "{{ .Values.repo }}-{{ .Values.zone }}-{{ .Values.backups.component }}" diff --git a/database/openshift.deploy.yml b/database/openshift.deploy.yml deleted file mode 100644 index 45c42ea5a..000000000 --- a/database/openshift.deploy.yml +++ /dev/null @@ -1,364 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -parameters: - - name: NAME - description: Module name - required: true - - name: COMPONENT - description: Component name - value: database - - name: ZONE - description: Deployment zone, e.g. pr-### or prod - required: true - - name: REGISTRY - description: Container registry to import from (internal is image-registry.openshift-image-registry.svc:5000) - value: ghcr.io - - name: ORG_NAME - description: Organization name, e.g. bcgov - value: bcgov - - name: IMAGE_TAG - description: Image tag to use - value: latest - - name: PVC_MOUNT_PATH - description: Where to mount the PVC, subpath (e.g. data/) - value: /var/lib/postgresql - - name: DB_PVC_SIZE - description: Volume space available for data, e.g. 512Mi, 2Gi. - displayName: Database Volume Capacity - required: true - value: 256Mi - - name: REGISTRY - description: Container registry to import from (internal is image-registry.openshift-image-registry.svc:5000) - value: ghcr.io - - name: PG_DATABASE - description: Postgres database name - value: database - - name: DB_PASSWORD - description: Password for the PostgreSQL connection user. - from: "[a-zA-Z0-9]{16}" - generate: expression - ### Backup-Container starts here ### - - name: BACKUP_COMPONENT - description: BACKUP_COMPONENT name - value: database-backup - - name: "DATABASE_DEFAULT_PORT" - description: "The configured port for the database service" - value: "5432" - - name: "BACKUP_STRATEGY" - description: "The strategy to use for backups; for example daily, or rolling." - required: true - value: "rolling" - - name: "BACKUP_DIR" - description: "The name of the root backup directory" - required: true - value: "/backups/" - - name: "NUM_BACKUPS" - description: "The number of backup files to be retained. Used for the `daily` backup strategy. Ignored when using the `rolling` backup strategy." - required: false - value: "5" - - name: "DAILY_BACKUPS" - description: "The number of daily backup files to be retained. Used for the `rolling` backup strategy." - required: false - value: "7" - - name: "WEEKLY_BACKUPS" - description: "The number of weekly backup files to be retained. Used for the `rolling` backup strategy." - required: false - value: "4" - - name: "MONTHLY_BACKUPS" - displayName: "Number of Monthly Backups to Retain" - description: "The number of monthly backup files to be retained. Used for the `rolling` backup strategy." - required: false - value: "1" - - name: "JOB_SERVICE_ACCOUNT" - description: "Name of the Service Account To Exeucte the Job As." - value: "default" - required: true - - name: "SUCCESS_JOBS_HISTORY_LIMIT" - description: "The number of successful jobs that will be retained" - value: "5" - required: true - - name: "FAILED_JOBS_HISTORY_LIMIT" - description: "The number of failed jobs that will be retained" - value: "2" - required: true - - name: "JOB_BACKOFF_LIMIT" - description: "The number of attempts to try for a successful job outcome" - value: "0" - - description: Volume space available for data, e.g. 512Mi, 2Gi. - name: PVC_SIZE - value: 256Mi - - name: CRON_MINUTES - description: Random number, 0-60, for scheduling cronjobs - from: "[0-5]{1}[0-9]{1}" - generate: expression -objects: - - apiVersion: v1 - kind: Secret - metadata: - name: "${NAME}-${ZONE}-${PG_DATABASE}" - labels: - app: "${NAME}-${ZONE}" - stringData: - database-name: "${NAME}" - database-password: "${DB_PASSWORD}" - database-user: "${NAME}" - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-from-openshift-ingress - labels: - template: openshift-test - spec: - podSelector: {} - ingress: - - from: - - namespaceSelector: - matchLabels: - network.openshift.io/policy-group: ingress - policyTypes: - - Ingress - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-same-namespace - labels: - template: quickstart-network-security-policy - spec: - podSelector: {} - ingress: - - from: - - podSelector: {} - policyTypes: - - Ingress - - kind: PersistentVolumeClaim - apiVersion: v1 - metadata: - name: "${NAME}-${ZONE}-${COMPONENT}" - labels: - app: "${NAME}-${ZONE}" - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${DB_PVC_SIZE}" - storageClassName: netapp-file-standard - - kind: ImageStream - apiVersion: v1 - metadata: - name: "${NAME}-${ZONE}-${COMPONENT}" - labels: - app: "${NAME}-${ZONE}" - spec: - lookupPolicy: - local: false - tags: - - name: "${IMAGE_TAG}" - from: - kind: DockerImage - name: "${REGISTRY}/${ORG_NAME}/${NAME}/${COMPONENT}:${ZONE}" - referencePolicy: - type: Local - - kind: DeploymentConfig - apiVersion: v1 - metadata: - name: "${NAME}-${ZONE}-${COMPONENT}" - labels: - app: "${NAME}-${ZONE}" - spec: - replicas: 1 - triggers: - - type: ConfigChange - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - "${NAME}" - from: - kind: ImageStreamTag - name: "${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}" - selector: - deploymentconfig: "${NAME}-${ZONE}-${COMPONENT}" - strategy: - type: Recreate - recreateParams: - timeoutSeconds: 600 - activeDeadlineSeconds: 21600 - template: - metadata: - name: "${NAME}-${ZONE}-${COMPONENT}" - labels: - app: "${NAME}-${ZONE}" - deploymentconfig: "${NAME}-${ZONE}-${COMPONENT}" - spec: - volumes: - - name: "${NAME}-${ZONE}-${COMPONENT}" - persistentVolumeClaim: - claimName: "${NAME}-${ZONE}-${COMPONENT}" - containers: - - name: "${NAME}" - image: "${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}" - ports: - - containerPort: 5432 - protocol: TCP - readinessProbe: - exec: - command: - - /usr/bin/env - - bash - - -c - - psql -q -U $POSTGRES_USER -d $POSTGRES_DB -c 'SELECT 1' - failureThreshold: 5 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 1 - livenessProbe: - exec: - command: - - /usr/bin/env - - bash - - -c - - psql -q -U $POSTGRES_USER -d $POSTGRES_DB -c 'SELECT 1' - failureThreshold: 5 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 1 - env: - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: "${NAME}-${ZONE}-${COMPONENT}" - key: database-name - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: "${NAME}-${ZONE}-${COMPONENT}" - key: database-password - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: "${NAME}-${ZONE}-${COMPONENT}" - key: database-user - volumeMounts: - - name: "${NAME}-${ZONE}-${COMPONENT}" - mountPath: "${PVC_MOUNT_PATH}" - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - imagePullPolicy: Always - restartPolicy: Always - terminationGracePeriodSeconds: 30 - dnsPolicy: ClusterFirst - schedulerName: default-scheduler - - apiVersion: v1 - kind: Service - metadata: - labels: - app: "${NAME}-${ZONE}" - name: "${NAME}-${ZONE}-${COMPONENT}" - spec: - ports: - - name: postgresql - nodePort: 0 - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - deploymentconfig: "${NAME}-${ZONE}-${COMPONENT}" - sessionAffinity: None - type: ClusterIP - ### Backup-Container starts here ### - - kind: PersistentVolumeClaim - apiVersion: v1 - metadata: - name: "${NAME}-${ZONE}-${BACKUP_COMPONENT}" - labels: - app: "${NAME}-${ZONE}" - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "${PVC_SIZE}" - storageClassName: netapp-file-standard - - kind: CronJob - apiVersion: "batch/v1" - metadata: - name: "${NAME}-${ZONE}-${BACKUP_COMPONENT}" - labels: - app: "${NAME}-${ZONE}" - cronjob: "${NAME}-${ZONE}" - spec: - schedule: "${CRON_MINUTES} 8 * * *" # Run daily at 8:xx AM UTC - concurrencyPolicy: "Replace" - successfulJobsHistoryLimit: "${{SUCCESS_JOBS_HISTORY_LIMIT}}" - failedJobsHistoryLimit: "${{FAILED_JOBS_HISTORY_LIMIT}}" - jobTemplate: - metadata: - labels: - app: "${NAME}-${ZONE}" - cronjob: "${NAME}-${ZONE}" - spec: - backoffLimit: "${{JOB_BACKOFF_LIMIT}}" - template: - metadata: - labels: - app: "${NAME}-${ZONE}" - cronjob: "${NAME}-${ZONE}" - spec: - containers: - - name: "${NAME}-${ZONE}" - image: "bcgovimages/backup-container:latest" - command: - - "/bin/bash" - - "-c" - - "/backup.sh -1" - volumeMounts: - - mountPath: "${BACKUP_DIR}" - name: "backup" - env: - - name: BACKUP_DIR - value: "${BACKUP_DIR}" - - name: BACKUP_STRATEGY - value: "${BACKUP_STRATEGY}" - optional: true - - name: NUM_BACKUPS - value: "${NUM_BACKUPS}" - optional: true - - name: DAILY_BACKUPS - value: "${DAILY_BACKUPS}" - optional: true - - name: WEEKLY_BACKUPS - value: "${WEEKLY_BACKUPS}" - optional: true - - name: MONTHLY_BACKUPS - value: "${MONTHLY_BACKUPS}" - optional: true - - name: DATABASE_SERVICE_NAME - value: "${NAME}-${ZONE}-database" - - name: DEFAULT_PORT - value: "${DATABASE_DEFAULT_PORT}" - - name: POSTGRES_DATABASE - valueFrom: - secretKeyRef: - name: "${NAME}-${ZONE}-database" - key: "database-name" - - name: DATABASE_USER - valueFrom: - secretKeyRef: - name: "${NAME}-${ZONE}-database" - key: "database-user" - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: "${NAME}-${ZONE}-database" - key: "database-password" - volumes: - - name: backup - persistentVolumeClaim: - claimName: "${NAME}-${ZONE}-${BACKUP_COMPONENT}" - restartPolicy: "Never" - terminationGracePeriodSeconds: 30 - activeDeadlineSeconds: 1600 - dnsPolicy: "ClusterFirst" - serviceAccountName: "${JOB_SERVICE_ACCOUNT}" - serviceAccount: "${JOB_SERVICE_ACCOUNT}" diff --git a/database/postgis/Dockerfile b/database/postgis/Dockerfile deleted file mode 100644 index dbdff90cd..000000000 --- a/database/postgis/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM postgis/postgis:15-master - -# Enable extensions using this pattern on startup -# RUN sed -i '/EXISTS postgis_tiger_geocoder;*/a CREATE EXTENSION IF NOT EXISTS pgcrypto;' \ -# /docker-entrypoint-initdb.d/10_postgis.sh - -# Health check and non-privileged user -HEALTHCHECK --interval=15s --timeout=5s --retries=3 CMD [ "pg_isready" ] -USER postgres