Optional standalone dbconnector (#204)

* add standalone dbconnector deployment, opt-in

* clean up dbconnector template

* bump minor

* make dbconnector port configurable

Author: ryanartecona

charts/retool/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.3.6
+version: 6.4.0
 maintainers:
   - name: Retool Engineering
     email: [email protected]

charts/retool/ci/standalone-dbconnector-enabled-option.yaml

@@ -0,0 +1,2 @@
+dbconnector:
+  enabled: true

charts/retool/templates/_helpers.tpl

@@ -57,6 +57,23 @@ app.kubernetes.io/name: {{ include "retool.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Selector labels for standalone dbconnector. Note changes here will require manual
+deployment recreation and incur downtime, so should be avoided.
+*/}}
+{{- define "retool.dbconnector.selectorLabels" -}}
+retoolService: {{ include "retool.dbconnector.name" . }}
+{{- end }}
+
+{{/*
+Extra (non-selector) labels for standalone dbconnector.
+*/}}
+{{- define "retool.dbconnector.labels" -}}
+app.kubernetes.io/name: {{ include "retool.dbconnector.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+telemetry.retool.com/service-name: dbconnector
+{{- end }}
+
 {{/*
 Selector labels for workflow backend. Note changes here will require manual
 deployment recreation and incur downtime, so should be avoided.
@@ -286,6 +303,13 @@ Set Temporal namespace
 {{- end -}}
 {{- end -}}
 
+{{/*
+Set dbconnector service name
+*/}}
+{{- define "retool.dbconnector.name" -}}
+{{ template "retool.fullname" . }}-dbconnector
+{{- end -}}
+
 {{/*
 Set workflow backend service name
 */}}

charts/retool/templates/deployment_backend.yaml

@@ -77,14 +77,21 @@ spec:
             value: {{ template "retool.deploymentTemplateVersion" . }}
           - name: NODE_ENV
             value: production
-          {{- $serviceType := list "MAIN_BACKEND" "DB_CONNECTOR" "DB_SSH_CONNECTOR" }}
+          {{- $serviceType := list "MAIN_BACKEND" }}
           {{- /*
             JAVA_DBCONNECTOR in the service type only applies before the version of Retool that changes it to opt-out (3.93.0-edge),
             and only if the Java dbconnector is enabled in values.yaml.
           */}}
           {{- if and ( not ( include "retool_version_with_java_dbconnector_opt_out" . ) ) ( $.Values.dbconnector.java.enabled ) }}
             {{- $serviceType = append $serviceType "JAVA_DBCONNECTOR" }}
           {{- end }}
+          {{- /* 
+            The dbconnector.enabled setting is to enable a standalone dbconnector deployment.
+            If it is not enabled (default), the main backend acts as its own dbconnector.
+          */ -}}
+          {{- if not $.Values.dbconnector.enabled -}}
+            {{- $serviceType = concat $serviceType (list "DB_CONNECTOR" "DB_SSH_CONNECTOR") -}}
+          {{- end }}
           {{- /*
             It may seem counterintuitive to add the JOBS_RUNNER service type only without a jobs runner.
             The reason for this is that the backend needs to act as a jobs runner, if the jobs runner is not enabled.
@@ -112,6 +119,12 @@ spec:
             value: {{ template "retool.postgresql.user" . }}
           - name: POSTGRES_SSL_ENABLED
             value: {{ template "retool.postgresql.ssl_enabled" . }}
+          {{- if .Values.dbconnector.enabled }}
+          - name: DB_CONNECTOR_HOST
+            value: http://{{ template "retool.fullname" . }}-dbconnector
+          - name: DB_CONNECTOR_PORT
+            value: {{ .Values.dbconnector.port | quote }}
+          {{- end }}
           {{- if .Values.config.dbConnectorTimeout }}
           - name: DBCONNECTOR_QUERY_TIMEOUT_MS
             value: {{ .Values.config.dbConnectorTimeout | quote }}

charts/retool/templates/deployment_dbconnector.yaml

@@ -0,0 +1,270 @@
+{{- if .Values.dbconnector.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "retool.dbconnector.name" . }}
+  labels:
+    {{- include "retool.dbconnector.selectorLabels" . | nindent 4 }}
+    {{- include "retool.dbconnector.labels" . | nindent 4 }}
+    {{- include "retool.labels" . | nindent 4 }}
+  {{- if .Values.deployment.annotations }}
+  annotations:
+    {{- toYaml .Values.deployment.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.dbconnector.replicas }}
+  selector:
+    matchLabels:
+      {{- include "retool.dbconnector.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- if .Values.podAnnotations }}
+        {{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+        {{- if .Values.backend.annotations }}
+        {{ toYaml .Values.backend.annotations | indent 8 }}
+        {{- end }}
+      labels:
+        {{- include "retool.dbconnector.selectorLabels" . | nindent 8 }}
+        {{- include "retool.dbconnector.labels" . | nindent 8 }}
+        {{- include "retool.labels" . | nindent 8 }}
+    spec:
+      {{- if .Values.dbconnector.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.dbconnector.terminationGracePeriodSeconds }} 
+      {{- end }}
+      containers:
+      - args:
+        - bash
+        - -c
+        - chmod -R +x ./docker_scripts; sync; ./docker_scripts/start_api.sh
+        image: "{{ .Values.image.repository }}:{{ required "Please set a value for .Values.image.tag" .Values.image.tag }}"
+        name: {{ include "retool.dbconnector.name" . }}
+        readinessProbe:
+          httpGet:
+            path: {{ .Values.readinessProbe.path }}
+            port: {{ .Values.dbconnector.port }}
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+        livenessProbe:
+          httpGet:
+            path: {{ .Values.livenessProbe.path }}
+            port: {{ .Values.dbconnector.port }}
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          failureThreshold:  {{ .Values.livenessProbe.failureThreshold }}
+        resources:
+          {{- if .Values.dbconnector.resources }}
+          {{- toYaml .Values.dbconnector.resources | nindent 10 }}
+          {{- else }}
+          {{- toYaml .Values.resources | nindent 10 }}
+          {{- end }}
+        env:
+          {{- if $.Values.dbconnector.java.enabled }}
+          - name: SERVICE_TYPE
+            value: DB_CONNECTOR,DB_SSH_CONNECTOR,JAVA_DBCONNECTOR
+          {{- else }}
+          - name: SERVICE_TYPE
+            value: DB_CONNECTOR,DB_SSH_CONNECTOR
+          {{- end }}
+          - name: DEPLOYMENT_TEMPLATE_TYPE
+            value: {{ template "retool.deploymentTemplateType" . }}
+          - name: DEPLOYMENT_TEMPLATE_VERSION
+            value: {{ template "retool.deploymentTemplateVersion" . }}
+          - name: NODE_ENV
+            value: production
+          - name: NODE_OPTIONS
+            value: {{ .Values.dbconnector.config.nodeOptions }}
+          - name: DBCONNECTOR_HTTP_AGENT_MAX_SOCKETS
+            value: {{ .Values.dbconnector.config.httpAgentMaxSockets | quote }}
+          - name: DBCONNECTOR_POSTGRES_POOL_MAX_SIZE
+            value: {{ .Values.dbconnector.config.postgresPoolMaxSize | quote }}
+          - name: DISABLE_DATABASE_MIGRATIONS
+            value: "true"
+          - name: WORKFLOW_BACKEND_HOST
+            value: http://{{ template "retool.fullname" . }}-workflow-backend
+          - name: CLIENT_ID
+            value: {{ default "" .Values.config.auth.google.clientId }}
+          - name: COOKIE_INSECURE
+            value: {{ .Values.config.useInsecureCookies | quote }}
+          {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+          - name: LICENSE_KEY
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.config.licenseKeySecretName }}
+                name: {{ .Values.config.licenseKeySecretName }}
+                key: {{ .Values.config.licenseKeySecretKey | default "license-key" }}
+                {{- else }}
+                name: {{ template "retool.fullname" . }}
+                key: license-key
+                {{- end }}
+          - name: JWT_SECRET
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.config.jwtSecretSecretName }}
+                name: {{ .Values.config.jwtSecretSecretName }}
+                key: {{ .Values.config.jwtSecretSecretKey | default "jwt-secret" }}
+                {{- else }}
+                name: {{ template "retool.fullname" . }}
+                key: jwt-secret
+                {{- end }}
+          - name: ENCRYPTION_KEY
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.config.encryptionKeySecretName }}
+                name: {{ .Values.config.encryptionKeySecretName }}
+                key: {{ .Values.config.encryptionKeySecretKey | default "encryption-key" }}
+                {{- else }}
+                name: {{ template "retool.fullname" . }}
+                key: encryption-key
+                {{- end }}
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+              {{- if .Values.postgresql.enabled }}
+                name: {{ template "retool.postgresql.fullname" . }}
+                # `postgres` is the default admin username for postgres in the subchart we use, so it needs the admin password
+                # if a different username is picked, then it needs the custom password instead.
+                {{- if eq .Values.postgresql.auth.username "postgres" }}
+                key: postgres-password
+                {{- else }}
+                key: password
+                {{- end }}
+              {{- else }}
+                {{- if .Values.config.postgresql.passwordSecretName }}
+                name: {{ .Values.config.postgresql.passwordSecretName }}
+                key: {{ .Values.config.postgresql.passwordSecretKey | default "postgresql-password" }}
+                {{- else }}
+                name: {{ template "retool.fullname" . }}
+                key: postgresql-password
+                {{- end }}
+              {{- end }}
+          - name: CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.config.auth.google.clientSecretSecretName }}
+                name: {{ .Values.config.auth.google.clientSecretSecretName }}
+                key: {{ .Values.config.auth.google.clientSecretSecretKey | default "google-client-secret" }}
+                {{- else }}
+                name: {{ template "retool.fullname" . }}
+                key: google-client-secret
+                {{- end }}
+          {{- end }}
+          {{- range $key, $value := .Values.env }}
+          - name: "{{ $key }}"
+            value: "{{ $value }}"
+          {{- end }}
+          {{- range .Values.environmentSecrets }}
+          - name: {{ .name }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .secretKeyRef.name }}
+                key: {{ .secretKeyRef.key }}
+          {{- end }}
+          {{- with .Values.environmentVariables }}
+{{ toYaml . | indent 10 }}
+          {{- end }}
+        {{- if .Values.externalSecrets.enabled }}
+        envFrom:
+        - secretRef:
+            name: {{ .Values.externalSecrets.name }}
+        {{- range .Values.externalSecrets.secrets }}
+        - secretRef:
+            name: {{ .name }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.externalSecrets.externalSecretsOperator.enabled  }}
+        envFrom:
+        {{- range .Values.externalSecrets.externalSecretsOperator.secretRef }}
+        - secretRef:
+            name: {{ .name }}
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        {{- range $configFile := (keys .Values.files) }}
+        - name: {{ template "retool.name" $ }}
+          mountPath: "/usr/share/retool/config/{{ $configFile }}"
+          subPath: {{ $configFile }}
+        {{- end }}
+        {{- if and .Values.persistentVolumeClaim.enabled .Values.persistentVolumeClaim.mountPath }}
+        - name: retool-pv
+          mountPath: {{ .Values.persistentVolumeClaim.mountPath }}
+        {{- end }}
+        {{- if .Values.extraVolumeMounts }}
+        {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
+        {{- end }}
+        {{- with .Values.extraContainers }}
+        {{- tpl . $ | indent 8 }}
+        {{- end }}
+        {{- range .Values.extraConfigMapMounts }}
+        - name: {{ .name }}
+          mountPath: {{ .mountPath }}
+          subPath: {{ .subPath }}
+        {{- end }}
+      {{- if .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml .Values.image.pullSecrets | nindent 8 }}
+      {{- end }}
+      {{- if .Values.affinity }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      tolerations:
+        {{- toYaml .Values.tolerations | nindent 8 }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      volumes:
+        {{- range .Values.extraConfigMapMounts }}
+        - name: {{ .name }}
+          configMap:
+            name: {{ .configMap }}
+        {{- end }}
+        {{- if .Values.persistentVolumeClaim.enabled }}
+        - name: retool-pv
+          persistentVolumeClaim:
+            claimName: {{ default (include "retool.fullname" .) .Values.persistentVolumeClaim.existingClaim }}
+        {{- end }}
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
+---
+
+{{- if .Values.podDisruptionBudget }}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
+apiVersion: policy/v1
+{{- else -}}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "retool.dbconnector.name" . }}
+spec:
+  {{ toYaml .Values.podDisruptionBudget }}
+  selector:
+    matchLabels:
+      {{- include "retool.dbconnector.selectorLabels" . | nindent 6 }}
+---
+{{- end }}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "retool.dbconnector.name" . }}
+spec:
+  selector:
+    retoolService: {{ include "retool.dbconnector.name" . }}
+  ports:
+  - protocol: TCP
+    name: http-server
+    port: {{ .Values.dbconnector.port }}
+    targetPort: {{ .Values.dbconnector.port }}
+{{- end }}

charts/retool/templates/deployment_workflows.yaml

@@ -66,16 +66,29 @@ spec:
             value: {{ template "retool.deploymentTemplateVersion" . }}
           - name: NODE_ENV
             value: production
-          {{- $serviceType := list "WORKFLOW_BACKEND" "DB_CONNECTOR" "DB_SSH_CONNECTOR" }}
+          {{- $serviceType := list "WORKFLOW_BACKEND" }}
           {{- /*
             JAVA_DBCONNECTOR in the service type only applies before the version of Retool that changes it to opt-out (3.93.0-edge),
             and only if the Java dbconnector is enabled in values.yaml.
           */}}
           {{- if and ( not ( include "retool_version_with_java_dbconnector_opt_out" . ) ) ( $.Values.dbconnector.java.enabled ) }}
             {{- $serviceType = append $serviceType "JAVA_DBCONNECTOR" }}
           {{- end }}
+          {{- /* 
+            The dbconnector.enabled setting is to enable a standalone dbconnector deployment.
+            If it is not enabled (default), the main backend acts as its own dbconnector.
+          */ -}}
+          {{- if not $.Values.dbconnector.enabled -}}
+            {{- $serviceType = concat $serviceType (list "DB_CONNECTOR" "DB_SSH_CONNECTOR") -}}
+          {{- end }}
           - name: SERVICE_TYPE
             value: {{ join "," $serviceType }}
+          {{- if $.Values.dbconnector.enabled }}
+          - name: DB_CONNECTOR_HOST
+            value: http://{{ template "retool.fullname" . }}-dbconnector
+          - name: DB_CONNECTOR_PORT
+            value: {{ .Values.dbconnector.port | quote }}
+          {{- end }}
           {{ if and ( include "retool_version_with_java_dbconnector_opt_out" . ) ( not $.Values.dbconnector.java.enabled ) }}
           - name: DISABLE_JAVA_DBCONNECTOR
             value: "true"