Prepare chart for migration to OCI (#372)

Signed-off-by: Sergio Castaño Arteaga <[email protected]>

Author: tegioz

.ct.yaml

@@ -1,3 +1,4 @@
 helm-extra-args: --timeout 180s
 chart-repos:
-  - stable=https://charts.helm.sh/stable
+  - bitnami=https://charts.bitnami.com/bitnami
+validate-maintainers: false

charts/clowarden/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: clowarden
 description: CLOWarden is a tool that manages access to resources across multiple services
 type: application
-version: 0.2.2
+version: 0.2.3-0
 appVersion: 0.2.2
 kubeVersion: ">= 1.19.0-0"
 home: https://clowarden.io
@@ -16,8 +16,8 @@ maintainers:
     email: [email protected]
 dependencies:
   - name: postgresql
-    version: 8.2.1
-    repository: https://charts.helm.sh/stable
+    version: 18.0.15
+    repository: https://charts.bitnami.com/bitnami
     condition: postgresql.enabled
 annotations:
   artifacthub.io/category: skip-prediction

charts/clowarden/templates/_helpers.tpl

@@ -79,8 +79,13 @@ longest resource name ("dbmigrator-install" = 18 chars).
 Provide an init container to verify the database is accessible
 */}}
 {{- define "chart.checkDbIsReadyInitContainer" -}}
+{{- $securityContext := default (dict) .Values.checkDbIsReadyInitContainer.securityContext }}
 name: check-db-ready
+{{ if .Values.postgresql.image.registry -}}
+image: {{ .Values.postgresql.image.registry }}/{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}
+{{- else }}
 image: {{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}
+{{- end }}
 imagePullPolicy: {{ .Values.pullPolicy }}
 env:
   - name: PGHOST
@@ -89,5 +94,10 @@ env:
     value: "{{ .Values.db.port }}"
   - name: PGUSER
     value: "{{ .Values.db.user }}"
+{{- if $securityContext }}
+securityContext:{{- toYaml $securityContext | nindent 2 }}
+{{- else }}
+securityContext: {}
+{{- end }}
 command: ['sh', '-c', 'until pg_isready; do echo waiting for database; sleep 2; done;']
 {{- end -}}

charts/clowarden/templates/dbmigrator_job.yaml

@@ -13,6 +13,10 @@ metadata:
 spec:
   template:
     spec:
+    {{- with .Values.dbmigrator.job.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -24,6 +28,10 @@ spec:
         - name: dbmigrator
           image: {{ .Values.dbmigrator.job.image.repository }}:{{ .Values.imageTag | default (printf "v%s" .Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.pullPolicy }}
+          {{- with .Values.dbmigrator.job.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: TERN_CONF
               value: {{ .Values.configDir }}/tern.conf

charts/clowarden/templates/dbmigrator_secret.yaml

@@ -11,3 +11,4 @@ stringData:
     database = {{ .Values.db.dbname }}
     user = {{ .Values.db.user }}
     password = {{ .Values.db.password }}
+    sslmode = prefer

charts/clowarden/templates/server_deployment.yaml

@@ -17,6 +17,10 @@ spec:
         app.kubernetes.io/component: server
         {{- include "chart.selectorLabels" . | nindent 8 }}
     spec:
+    {{- with .Values.server.deploy.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -32,12 +36,20 @@ spec:
           {{ $kubectlImageVersion := ternary "1.33" $kubeVersion (semverCompare ">=1.34.0-0" (printf "%s.0" $kubeVersion)) }}
           image: "docker.io/bitnamilegacy/kubectl:{{ $kubectlImageVersion }}"
           imagePullPolicy: IfNotPresent
+          {{- with .Values.checkDbIsReadyInitContainer.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           command: ['kubectl', 'wait', '--namespace={{ .Release.Namespace }}', '--for=condition=complete', 'job/{{ include "chart.resourceNamePrefix" . }}dbmigrator-install', '--timeout=60s']
         {{- end }}
       containers:
         - name: server
           image: {{ .Values.server.deploy.image.repository }}:{{ .Values.imageTag | default (printf "v%s" .Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.pullPolicy }}
+          {{- with .Values.server.deploy.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: server-config
               mountPath: {{ .Values.configDir | quote }}
@@ -46,6 +58,10 @@ spec:
             - name: http
               containerPort: 9000
               protocol: TCP
+          {{- with .Values.server.deploy.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.server.deploy.resources | nindent 12 }}
           command: ['clowarden-server', '-c', '{{ .Values.configDir }}/clowarden.yml']

charts/clowarden/templates/server_ingress.yaml

@@ -15,7 +15,7 @@ spec:
     service:
       name: {{ include "chart.resourceNamePrefix" . }}server
       port:
-        number: {{ .Values.server.service.port }}
+        number: {{ .Values.server.ingress.backendServicePort }}
   {{- with .Values.server.ingress.rules }}
   rules:
     {{- toYaml . | nindent 4 }}

charts/clowarden/templates/server_service.yaml

@@ -5,13 +5,17 @@ metadata:
   labels:
     app.kubernetes.io/component: server
     {{- include "chart.labels" . | nindent 4 }}
+  {{- with .Values.server.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  type: {{ .Values.server.service.type }}
+  {{- if eq (default "ClusterIP" .Values.server.service.type) "LoadBalancer" }}
+  allocateLoadBalancerNodePorts: {{ .Values.server.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  type: {{ default "ClusterIP" .Values.server.service.type }}
   ports:
-    - port: {{ .Values.server.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
+    {{- toYaml .Values.server.service.ports | nindent 4 }}
   selector:
     app.kubernetes.io/component: server
     {{- include "chart.selectorLabels" . | nindent 4 }}

charts/clowarden/values.yaml

@@ -18,13 +18,17 @@ fullnameOverride: ""
 # Directory path where the configuration files should be mounted
 configDir: "/home/clowarden/.config/clowarden"
 
+# Check database readiness init container configuration
+checkDbIsReadyInitContainer:
+  securityContext: {}
+
 # Database configuration
 db:
   host: ""
   port: "5432"
   dbname: clowarden
-  user: postgres
-  password: postgres
+  user: clowarden
+  password: clowarden
 
 # Log configuration
 log:
@@ -34,9 +38,11 @@ log:
 # Database migrator configuration
 dbmigrator:
   job:
+    containerSecurityContext: {}
     image:
       # Database migrator image repository (without the tag)
       repository: ghcr.io/cncf/clowarden/dbmigrator
+    podSecurityContext: {}
 
 # CLOWarden server configuration
 server:
@@ -66,24 +72,37 @@ server:
     # GitHub application webhook secret fallback (handy for webhook secret rotation)
     webhookSecretFallback: null
 
+  # Service configuration
+  service:
+    allocateLoadBalancerNodePorts: true
+    annotations: {}
+    ports:
+      - name: http
+        port: 80
+        protocol: TCP
+        targetPort: 9000
+    type: NodePort
+
   # Ingress configuration
   ingress:
     enabled: true
     annotations:
       kubernetes.io/ingress.class: nginx
+    backendServicePort: 80
     rules: []
     tls: []
 
-  # Service configuration
-  service:
-    type: NodePort
-    port: 80
-
   # Deployment configuration
   deploy:
-    replicaCount: 1  # Do not increase
+    containerSecurityContext: {}
     image:
       repository: ghcr.io/cncf/clowarden/server
+    podSecurityContext: {}
+    readinessProbe:
+      httpGet:
+        path: /health-check
+        port: 9000
+    replicaCount: 1  # Do not increase
     resources: {}
 
 # Services CLOWarden will manage
@@ -112,12 +131,22 @@ organizations:
 # PostgreSQL configuration
 postgresql:
   enabled: true
+  auth:
+    database: clowarden
+    password: clowarden
+    username: clowarden
+  global:
+    security:
+      allowInsecureImages: true
   image:
     repository: artifacthub/postgres
     tag: latest
   persistence:
     mountPath: /data
-  postgresqlUsername: postgres
-  postgresqlPassword: postgres
-  postgresqlDatabase: clowarden
-  postgresqlDataDir: /data/pgdata
+  primary:
+    extraVolumes:
+      - name: run
+        emptyDir: {}
+    extraVolumeMounts:
+      - name: run
+        mountPath: /var/run/postgresql