Merge branch 'main' into feat/replica-urls-json

rolodato · rolodato · commit 571b0910f29a · 2025-04-16T14:01:02.000-03:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -23,7 +23,7 @@ jobs:
           version: v3.5.4
 
       - name: Add chart repo dependencies
-        # Note: this repos should match whith the repos set in ct.yaml
+        # Note: this repos should match with the repos set in ct.yaml
         # See https://github.com/Flagsmith/flagsmith-charts/issues/105
         run: |
           helm repo add stable https://charts.helm.sh/stable
@@ -44,9 +44,3 @@ jobs:
         uses: helm/chart-releaser-action@v1.2.0
         env:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-
-      - name: Check if release was published
-        if: steps.chart-releaser.outputs.changed_charts == ''
-        run: |
-          echo "No new releases were published. If a tag and/or release already exist for this version but they have not been published to the Helm repository, delete them and run this workflow again."
-          exit 1
diff --git a/charts/flagsmith/Chart.yaml b/charts/flagsmith/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: flagsmith
 description: Flagsmith
 type: application
-version: 0.72.0
-appVersion: 2.169.0
+version: 0.73.1
+appVersion: 2.171.0
 dependencies:
   - name: postgresql
     repository: https://charts.bitnami.com/bitnami
diff --git a/charts/flagsmith/templates/_api_environment.yaml b/charts/flagsmith/templates/_api_environment.yaml
@@ -39,8 +39,7 @@ Replica database URLs can be passed in different ways:
 - name: DJANGO_SECRET_KEY
   valueFrom:
     secretKeyRef:
-      name: django-secret-key
-      key: django-secret-key
+      {{ include "flagsmith.api.secretKeySecretRef" . | nindent 6 }}
 {{- if .Values.influxdb2.enabled }}
 - name: INFLUXDB_URL
   value: http://{{- template "flagsmith.influxdb.hostname" . -}}:80
@@ -136,8 +135,7 @@ Replica database URLs can be passed in different ways:
 - name: SSE_AUTHENTICATION_TOKEN
   valueFrom:
     secretKeyRef:
-      name: {{ include "flagsmith.fullname" . }}-sse
-      key: SSE_AUTHENTICATION_TOKEN
+      {{ include "flagsmith.sse.authenticationTokenSecretRef" . | nindent 6}}
 - name: SSE_SERVER_BASE_URL
   value: http://{{ include "flagsmith.fullname" . }}-sse.{{ .Release.Namespace }}:{{ .Values.service.sse.port }}
 {{- end }}
diff --git a/charts/flagsmith/templates/_helpers.tpl b/charts/flagsmith/templates/_helpers.tpl
@@ -315,7 +315,6 @@ replicas: {{ . }}
 {{- end }}
 {{- end }}
 
-
 {{/*
 Real-time flag updates (SSE)
 */}}
@@ -344,3 +343,29 @@ Determine database URL for direct URL format or component parts
   {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "flagsmith.api.secretKeySecretName" -}}
+{{- if .Values.api.secretKeyFromExistingSecret.enabled -}}
+{{- .Values.api.secretKeyFromExistingSecret.name -}}
+{{- else }}
+{{- printf "%s-django-secret-key" (include "flagsmith.fullname" .) -}}
+{{- end }}
+{{- end }}
+
+{{- define "flagsmith.api.secretKeySecretRef" -}}
+name: {{ include "flagsmith.api.secretKeySecretName" . }}
+key: {{ default "django-secret-key" .Values.api.secretKeyFromExistingSecret.key }}
+{{- end }}
+
+{{- define "flagsmith.sse.authenticationTokenSecretName" -}}
+{{- if .Values.sse.authenticationTokenFromExistingSecret.enabled -}}
+{{- .Values.sse.authenticationTokenFromExistingSecret.name -}}
+{{- else }}
+{{- printf "%s-sse-authentication-token" (include "flagsmith.fullname" .) -}}
+{{- end }}
+{{- end }}
+
+{{- define "flagsmith.sse.authenticationTokenSecretRef" -}}
+name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+key: {{ default "sse-authentication-token" .Values.sse.authenticationTokenFromExistingSecret.key }}
+{{- end }}
diff --git a/charts/flagsmith/templates/_sse_environment.yaml b/charts/flagsmith/templates/_sse_environment.yaml
@@ -12,5 +12,4 @@
 - name: SSE_AUTHENTICATION_TOKEN
   valueFrom:
     secretKeyRef:
-      name: {{ include "flagsmith.fullname" . }}-sse
-      key: SSE_AUTHENTICATION_TOKEN
+      {{ include "flagsmith.sse.authenticationTokenSecretRef" . | nindent 6 }}
diff --git a/charts/flagsmith/templates/deployment-sse.yaml b/charts/flagsmith/templates/deployment-sse.yaml
@@ -23,7 +23,6 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/secrets-sse: {{ include (print $.Template.BasePath "/secrets-sse.yaml") . | sha256sum }}
 {{- if .Values.sse.podAnnotations }}
 {{ toYaml .Values.sse.podAnnotations | nindent 8 }}
 {{- end }}
diff --git a/charts/flagsmith/templates/deployment-task-processor.yaml b/charts/flagsmith/templates/deployment-task-processor.yaml
@@ -83,6 +83,8 @@ spec:
           - ./scripts/run-docker.sh
         args:
           - run-task-processor
+        ports:
+        - containerPort: {{ .Values.service.taskProcessor.port }}
         env: {{ include (print $.Template.BasePath "/_task_processor_environment.yaml") . | nindent 8 }}
         livenessProbe:
           failureThreshold: {{ .Values.taskProcessor.livenessProbe.failureThreshold }}
diff --git a/charts/flagsmith/templates/django-secret-init/job.yaml b/charts/flagsmith/templates/django-secret-init/job.yaml
@@ -0,0 +1,47 @@
+{{- if not .Values.api.secretKeyFromExistingSecret.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+    app.kubernetes.io/component: django-secret-init
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  ttlSecondsAfterFinished: 60
+  template:
+    metadata:
+      name: {{ include "flagsmith.api.secretKeySecretName" . }}
+      labels:
+        {{- include "flagsmith.labels" . | nindent 8 }}
+        app.kubernetes.io/component: django-secret-init
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "flagsmith.api.secretKeySecretName" . }}
+      containers:
+        - name: secret-creator
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              SECRET_NAME={{ include "flagsmith.api.secretKeySecretName" . }}
+              NAMESPACE={{ .Release.Namespace }}
+              echo "Checking for secret $SECRET_NAME in namespace $NAMESPACE"
+              # Attempt to get the secret; if it fails (exit code != 0), create it.
+              if ! kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o name; then
+                echo "Secret $SECRET_NAME not found. Creating..."
+                # Generate a 64-character hex key (32 bytes)
+                GENERATED_KEY=$(openssl rand -hex 32)
+                kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" \
+                  --from-literal=django-secret-key="$GENERATED_KEY" \
+                  --dry-run=client -o yaml | kubectl apply -f -
+                echo "Secret $SECRET_NAME created."
+              else
+                echo "Secret $SECRET_NAME already exists. No action taken."
+              fi
+{{- end }}
diff --git a/charts/flagsmith/templates/django-secret-init/rbac.yaml b/charts/flagsmith/templates/django-secret-init/rbac.yaml
@@ -0,0 +1,35 @@
+{{- if not .Values.api.secretKeyFromExistingSecret.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/flagsmith/templates/django-secret-init/serviceaccount.yaml b/charts/flagsmith/templates/django-secret-init/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if not .Values.api.secretKeyFromExistingSecret.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
diff --git a/charts/flagsmith/templates/secrets-api.yaml b/charts/flagsmith/templates/secrets-api.yaml
@@ -13,39 +13,3 @@ metadata:
 type: Opaque
 data:
   DATABASE_URL: {{ include "flagsmith.api.databaseUrl" . | trim | b64enc | quote }}
----
-{{/*
- If no secrets were provided in values, check if a previously deployed secret exists
- If none exists, create one, which will be reused in future deployments
- */}}
-{{- $secretKey := default (randAlphaNum 50) .Values.api.secretKey -}}
-{{ if ((.Values.api).secretKeyFromExistingSecret).enabled -}}
-  {{ $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.api.secretKeyFromExistingSecret.name).data }}
-  {{ if $existingSecret }}
-    {{ $secretKey = index $existingSecret .Values.api.secretKeyFromExistingSecret.key | b64dec }}
-  {{ end }}
-{{ else }}
-  {{ $knownSecret := (lookup "v1" "Secret" .Release.Namespace "django-secret-key").data }}
-  {{ if $knownSecret }}
-    {{ $secretValue := index $knownSecret "django-secret-key" }}
-    {{ if $secretValue }}
-      {{ $secretKey = $secretValue | b64dec }}
-    {{ end }}
-  {{ end }}
-{{- end -}}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: django-secret-key
-  {{- with $annotations }}
-  annotations:
-    {{- . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "flagsmith.labels" . | nindent 4 }}
-    app.kubernetes.io/component: api
-type: Opaque
-{{/* Don't use stringData https://github.com/kubernetes/kubernetes/issues/89938 */ -}}
-data:
-  django-secret-key: {{ $secretKey | b64enc | quote}}
diff --git a/charts/flagsmith/templates/secrets-sse.yaml b/charts/flagsmith/templates/secrets-sse.yaml
diff --git a/charts/flagsmith/templates/sse-secret-init/job.yaml b/charts/flagsmith/templates/sse-secret-init/job.yaml
@@ -0,0 +1,47 @@
+{{- if and .Values.sse.enabled (not .Values.sse.authenticationTokenFromExistingSecret.enabled) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+    app.kubernetes.io/component: sse-secret-init
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  ttlSecondsAfterFinished: 60
+  template:
+    metadata:
+      name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+      labels:
+        {{- include "flagsmith.labels" . | nindent 8 }}
+        app.kubernetes.io/component: sse-secret-init
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+      containers:
+        - name: secret-creator
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              SECRET_NAME={{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+              NAMESPACE={{ .Release.Namespace }}
+              echo "Checking for secret $SECRET_NAME in namespace $NAMESPACE"
+              # Attempt to get the secret; if it fails (exit code != 0), create it.
+              if ! kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o name; then
+                echo "Secret $SECRET_NAME not found. Creating..."
+                # Generate a 64-character hex key (32 bytes)
+                GENERATED_KEY=$(openssl rand -hex 32)
+                kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" \
+                  --from-literal=sse-authentication-token="$GENERATED_KEY" \
+                  --dry-run=client -o yaml | kubectl apply -f -
+                echo "Secret $SECRET_NAME created."
+              else
+                echo "Secret $SECRET_NAME already exists. No action taken."
+              fi
+{{- end }}
diff --git a/charts/flagsmith/templates/sse-secret-init/rbac.yaml b/charts/flagsmith/templates/sse-secret-init/rbac.yaml
@@ -0,0 +1,35 @@
+{{- if and .Values.sse.enabled (not .Values.sse.authenticationTokenFromExistingSecret.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/flagsmith/templates/sse-secret-init/serviceaccount.yaml b/charts/flagsmith/templates/sse-secret-init/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.sse.enabled (not .Values.sse.authenticationTokenFromExistingSecret.enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
diff --git a/charts/flagsmith/values.yaml b/charts/flagsmith/values.yaml
@@ -88,6 +88,14 @@ api:
     projectName: null
     extraSpec: {} # Will be added to `spec` for `flagsmith-api` deployment.
 
+  # secretKeyFromExistingSecret points to the Secret that contains the Django secret key. If none is provided, a Job
+  # will be created to generate one.
+  # See https://docs.djangoproject.com/en/4.2/topics/signing/
+  secretKeyFromExistingSecret:
+    enabled: false
+    name: ""
+    key: ""
+
 frontend:
   # Set this to `false` to switch off the frontend (deployment,
   # service and ingress). Set api.separateApiAndFrontend to false to
@@ -345,6 +353,13 @@ sse:
   #   REDIS_PASSWORD:
   #    secretName: my_redis_secrets
   #    secretKey: my_redis_password
+
+  # authenticationTokenFromExistingSecret is a shared secret between the API and SSE service. If none is provided, a Job
+  # will be created to generate one.
+  authenticationTokenFromExistingSecret:
+    enabled: false
+    name: ""
+    key: ""
   replicaCount: 1
   deploymentStrategy: null
   podAnnotations: {}
