feat: 0.3.0 version (#3)

- Better value names - New config for managing secret lifecycle - Updated notes
ilyannn · Jan 6, 2024 · 93cdda3 · 93cdda3
1 parent 205226d
commit 93cdda3
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 54 deletions.
diff --git a/langfuse/Chart.yaml b/langfuse/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/langfuse/README.md b/langfuse/README.md
@@ -18,7 +18,7 @@ The Postgres password will be generated and saved in a `Secret` (in the example
 
 ### Connecting to an Existing Database
 
-If the bundled chart is disabled, one can authenticate to an existing database.
+If the bundled chart is disabled, one can authenticate to an existing database using the `databaseURL` value:
 
 ```yaml
 postgresql:
@@ -27,42 +27,59 @@ postgresql:
 databaseURL: "postgresql://some-existing-url"
 ```
 
-### Accessing the installation
+### Accessing the Installation
 
 The chart comes with an ingress that can be set up with
 
 ```yaml
 ingress:
   enabled: true
   hosts: ...
+  tls: ...
 ```
 
-### Additional options
+### Additional Options
 
-Any options not present in the [values file](values.yaml) can be put into a `Secret` to be passed to Langfuse:
+Any options not available in the [values file](values.yaml) can be manually put into a `Secret` and passed in the `secrets.additional` value:
 
 ```yaml
-additionalConfigurationSecret: langfuse-additional-options
+secrets:
+  additional:
+    - my-github-options
+    - my-google-options
+    - ...
 ```
 
-You can create and update the secret at any time as it will not be managed by Helm.
+You should create the secrets before installing the chart:
 
 ```shell
-kubectl create secret generic langfuse-additional-options \
+kubectl create secret generic my-github-options \
   --from-literal=AUTH_GITHUB_CLIENT_ID=... \
   --from-literal=AUTH_GITHUB_CLIENT_SECRET=...
 ```
 
-## Uninstalling
+This can also be used to avoid providing `databaseURL` in plaintext:
 
-The usual `helm uninstall RELEASE_NAME` should work, but note that the following objects are not deleted automatically:
+```yaml
+postgresql:
+  enabled: false
+
+secrets:
+  additional:
+    - my-postgres-connection # field name is DATABASE_URL
+```
+
+## Notes on Uninstalling
+
+The usual `helm uninstall RELEASE_NAME` should work,
+but note that the following objects are not deleted automatically with the default values:
 
 - the data PVC of the `postgres` subchart (if the subchart was enabled)
-- the `-postgres-secret` secret (unless `postgresql.secret.alwaysKeepWhenUninstalled` is unset)
-- the `-internal-secret` secret
+- the `-postgres-secret` secret (if the subchart was enabled, controlled by `secrets.postgresql.keepWhenUninstalled`)
+- the `-internal-secret` secret (controlled by `secrets.internal.keepWhenUninstalled`)
 
 This means that you can reinstall the chart and continue accessing the same data.
 
-## Example values
+## Example Value Chart
 
 See [megaver.se demo](https://docs.cluster.megaver.se/cluster/langfuse-demo-values.yaml)
diff --git a/langfuse/templates/_helpers.tpl b/langfuse/templates/_helpers.tpl
@@ -28,22 +28,34 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 
 {{- define "langfuse.internalSecret" -}}
-{{- printf "%s-%s" (include "langfuse.fullname" .) "internal-secret" -}}
+    {{- printf "%s" (tpl .Values.secrets.internal.name $) -}}
+{{- end }}
+
+{{- define "langfuse.internalSecret.annotations" -}}
+{{- if .Values.secrets.internal.keepWhenUninstalled }}
+    "helm.sh/resource-policy": "keep"
+    "argocd.argoproj.io/sync-options": "Prune=false"
+{{- end }}
 {{- end }}
 
 {{- define "langfuse.postgresqlSecret" -}}
     {{- printf "%s" (tpl .Values.postgresql.auth.existingSecret $) -}}
 {{- end }}
 
 {{- define "langfuse.postgresqlSecret.annotations" -}}
-{{- if .Values.postgresql.secret.alwaysKeepWhenUninstalled -}}
+{{- if .Values.secrets.postgresql.keepWhenUninstalled }}
     "helm.sh/resource-policy": "keep"
+    "argocd.argoproj.io/sync-options": "Prune=false"
 {{- end }}
 {{- end }}
 
-{{- define "langfuse.internalSecret.annotations" -}}
-    "helm.sh/resource-policy": "keep"
+{{- define "langfuse.additionalSecrets" -}}
+          {{- range .Values.secrets.additional }}
+            - secretRef:
+                name: {{ . }}
+          {{- end }}
 {{- end }}
+
 
 {{- define "langfuse.databaseHost" -}}
 {{- if .Values.postgresql.enabled -}}
@@ -106,7 +118,7 @@ Create a dictionary with keys and random values
 {{- define "langfuse.createRandomValuesForKeys" -}}
   {{- $result := dict -}}
   {{- range . -}}
-    {{- $_ := set $result . (randAlphaNum 100 | b64enc) -}}
+    {{- $_ := set $result . (randAlphaNum 50 | b64enc) -}}
   {{- end -}}
   {{- $result -}}
 {{- end -}}

diff --git a/langfuse/templates/connection-secret.yaml b/langfuse/templates/connection-secret.yaml
@@ -6,7 +6,7 @@ metadata:
   name: {{ include "langfuse.connectionSecret" . }}
 type: Opaque
 stringData:
-  {{- if .Values.databaseURL }}
+  {{- if (and (not .Values.postgresql.enabled) .Values.databaseURL) }}
   database-url: {{ .Values.databaseURL | quote}}
   {{- end }}
   {{- if .Values.directURL }}

diff --git a/langfuse/templates/deployment.yaml b/langfuse/templates/deployment.yaml
@@ -79,10 +79,7 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "langfuse.configMap" . }}
-            {{- if .Values.additionalConfigurationSecret }}
-            - secretRef:
-                name: {{ .Values.additionalConfigurationSecret }}
-            {{- end }}
+            {{- include "langfuse.additionalSecrets" . }}
           livenessProbe:
             httpGet:
               path: /api/public/health

diff --git a/langfuse/templates/internal-secret.yaml b/langfuse/templates/internal-secret.yaml
@@ -1,8 +1,10 @@
-{{- $secretName := (include "langfuse.internalSecret" .) -}}
+{{- if .Values.secrets.internal.automaticallyManage -}}
 
 {{- include "langfuse.mergeSecretWithRandomForKeys" (dict 
-   "name" $secretName 
+   "name" (include "langfuse.internalSecret" .)
    "annotations" (include "langfuse.internalSecret.annotations" .)
-   "keys" (list "salt" "auth-secret") 
+   "keys" (list "salt" "auth-secret")
    "context" .
- ) -}} 
+ ) -}}
+
+{{- end }}
diff --git a/langfuse/templates/postgres-secret.yaml b/langfuse/templates/postgres-secret.yaml
@@ -1,4 +1,4 @@
-{{- if (and .Values.postgresql.enabled .Values.postgresql.secret.createIfMissing) -}}
+{{- if (and .Values.postgresql.enabled .Values.secrets.postgresql.automaticallyManage) -}}
 
 {{- include "langfuse.mergeSecretWithRandomForKeys" (dict 
    "name" (include "langfuse.postgresqlSecret" .)

diff --git a/langfuse/values.yaml b/langfuse/values.yaml
@@ -3,7 +3,7 @@
 # This URL must agree with the app's URL for OAuth to work
 nextauthURL: http://localhost:3000
 
-# By default, the postgres subchart will be installed and the connection value overridden.
+# By default, the postgresql subchart will be installed and the connection value overridden.
 # Disable the bundled subchart using postgresql.enabled if you want to use this setting.
 databaseURL: "postgresql://postgres:postgres@localhost:5432/postgres"
 
@@ -16,13 +16,40 @@ toggles:
   experimentalFeatures: false
   telemetry: true
 
-# This secret's fields (in the ENV_VAR: value format) are added to the Langfuse config
-additionalConfigurationSecret:
+# Where the non-public Langfuse configuration is stored
+secrets:
+  # This group of settings is only relevant if postgresql.enabled is set.
+  postgresql:
+    # If set (default), random values are saved in the postgresql.auth.existingSecret secret
+    # for all the missing keys (existing values for these keys are preserved).
+    # If unset, you are expected to create the secret yourself before installing the chart.
+    automaticallyManage: true
+    # If set, the secret will be annotated so that it is kept with `helm uninstall`
+    # If unset, the secret will be deleted with `helm uninstall`
+    # This has no effect unless automaticallyManage is also true.
+    # Warning: reinstalling the chart with this value unset will generate a new password,
+    # but Postgres will continue to use an old password since it's stored on the PVC.
+    keepWhenUninstalled: true
+  internal:
+    # You can change the name to make several installations share the API keys.
+    name: "{{ .Release.Name }}-internal-secret"
+    # If set (default), random values are saved in the secrets.internal.name secret
+    # for all the missing keys (existing values for these keys are preserved).
+    # If unset, you are expected to create the secret yourself before installing the chart.
+    automaticallyManage: true
+    # If set, the secret will be annotated so that it is kept with `helm uninstall`
+    # If unset, the secret will be deleted with `helm uninstall`
+    # Warning: reinstalling the chart with this value unset will generate a new salt thus
+    # rendering old API keys unusable.
+    keepWhenUninstalled: true
+  # These secret's fields (in the ENV_VAR: value format) are added to the Langfuse config
+  # You will need to manage those manually; they will not be touched by the chart.
+  additional: []
 
 # ------------ Postgres subchart
 
 postgresql:
-  # Setting this to false will not install the bundled Postgres subchart
+  # Setting this to false will disable the bundled Postgres subchart.
   enabled: true
 
   auth:
@@ -32,17 +59,6 @@ postgresql:
     username: langfuse-user
     database: "{{ .Release.Name }}"
 
-  secret:
-    # If false, you are expected to manage the secret yourself.
-    # If true, random values are saved in the secret named in postgresql.auth.existingSecret
-    # for all the missing keys (existing values for these keys are preserved).
-    createIfMissing: true
-    # Set this to false if you want the secret to be deleted with `helm delete`
-    # This has no effect unless createIfMissing is also true.
-    # Warning: reinstalling the chart will generate a new password, but Postgres will
-    # continue to use an old password since it's stored on the PVC.
-    alwaysKeepWhenUninstalled: true
-
 # ------------ Standard values generated by helm create
 
 replicaCount: 1
@@ -68,18 +84,17 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext:
-  {}
-  # fsGroup: 2000
+podSecurityContext: {}
+# fsGroup: 2000
 
 securityContext:
   {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+# runAsNonRoot: true
+# runAsUser: 1000
 
 service:
   type: ClusterIP
@@ -88,10 +103,9 @@ service:
 ingress:
   enabled: false
   className: ""
-  annotations:
-    {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
+  annotations: {}
+  # kubernetes.io/ingress.class: nginx
+  # kubernetes.io/tls-acme: "true"
   hosts:
     - host: chart-example.local
       paths:
@@ -112,8 +126,8 @@ resources:
   #   cpu: 100m
   #   memory: 128Mi
   # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+#   cpu: 100m
+#   memory: 128Mi
 
 autoscaling:
   enabled: false