Hardening (#7)

* resource request

* run

* StatefulSet

* probes

* probes

* probes

* probes

* probes

* probes

* probes

* probes

* probes

* probes

* probes

* probes

* updates

.github/workflows/deploy.yaml

@@ -24,4 +24,5 @@ jobs:
     with:
       environment: prod1
     secrets: inherit
+    needs: deploy_to_dev3
     if: github.ref == 'refs/heads/master'

.github/workflows/helm_deploy.yaml

@@ -55,3 +55,6 @@ jobs:
             --set bookstack.aws.access_key_id="${{ secrets.ACCESS_KEY_ID }}" \
             --set bookstack.aws.secret_access_key="${{ secrets.SECRET_ACCESS_KEY }}" \
             --set bookstack.aws.backup_s3_url="${{ secrets.BACKUP_S3_URL }}"
+          
+          # Rolling restart
+          kubectl --kubeconfig ./config --server https://${{ secrets.SSH_TARGET_IP }}:6443 -n ${{ vars.APP_NAMESPACE }} rollout restart statefulset

bookstack-helm/templates/bookstack.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ include "bookstack-helm.fullname" . }}-bookstack
   namespace: {{ .Values.meshwiki_app_namespace }}
@@ -144,12 +144,24 @@ spec:
               mountPath: /backup.files.hook.sh
               subPath: backup.files.hook.sh
               readOnly: true
+          {{- if .Values.bookstack.enableLivenessProbe }}
           livenessProbe:
-            {{- toYaml .Values.livenessProbe | nindent 12 }}
+            httpGet:
+              path: /status
+              port: 80
+            initialDelaySeconds: {{ .Values.bookstack.livenessProbeInitialDelaySeconds }}
+            periodSeconds: {{ .Values.bookstack.livenessProbePeriodSeconds }}
+          {{- end }}
+          {{- if .Values.bookstack.enableReadinessProbe }}
           readinessProbe:
-            {{- toYaml .Values.readinessProbe | nindent 12 }}
+            httpGet:
+              path: /status
+              port: 80
+            initialDelaySeconds: {{ .Values.bookstack.readinessProbeInitialDelaySeconds }}
+            periodSeconds: {{ .Values.bookstack.readinessProbePeriodSeconds }}
+          {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml .Values.bookstack.resources | nindent 12 }}
           lifecycle:
             postStart:
               exec:

bookstack-helm/templates/db.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ include "bookstack-helm.fullname" . }}-db
   namespace: {{ .Values.meshwiki_app_namespace }}
@@ -64,12 +64,27 @@ spec:
           volumeMounts:
             - name: mysql-data-vol
               mountPath: /config
-          livenessProbe:
-            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          {{- if .Values.bookstack.db.enableReadinessProbe }}
           readinessProbe:
-            {{- toYaml .Values.readinessProbe | nindent 12 }}
+            exec:
+              command:
+                - sh 
+                - "-c" 
+                - "mysql -uroot -p$MYSQL_ROOT_PASSWORD -e 'SELECT 1'"
+            initialDelaySeconds: {{ .Values.bookstack.db.readinessProbeInitialDelaySeconds }}
+          {{- end }}
+          {{- if .Values.bookstack.db.enableLivenessProbe }}
+          livenessProbe:
+            exec:
+              command:
+                - sh 
+                - "-c" 
+                - "mysql -uroot -p$MYSQL_ROOT_PASSWORD -e 'SELECT 1'"
+            initialDelaySeconds: {{ .Values.bookstack.db.livenessProbeInitialDelaySeconds }}
+            periodSeconds: {{ .Values.bookstack.db.livenessProbePeriodSeconds }}
+          {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml .Values.bookstack.db.resources | nindent 12 }}
           {{- with .Values.volumeMounts }}
           volumeMounts:
             {{- toYaml . | nindent 12 }}

bookstack-helm/values.yaml

@@ -16,6 +16,15 @@ bookstack:
     pvc_name: wikidb
     pvc_size: 5Gi
     port: 3306
+    resources:
+      requests:
+        cpu: 256m
+        memory: 384Mi
+    enableReadinessProbe: true
+    readinessProbeInitialDelaySeconds: 5
+    enableLivenessProbe: true
+    livenessProbeInitialDelaySeconds: 5
+    livenessProbePeriodSeconds: 10
   mail:
     host: smtp.gmail.com
     port: 587
@@ -27,17 +36,24 @@ bookstack:
   image_pvc_size: 5Gi
   backup:
     cron_schedule: "33 3 * * *"
+  resources:
+    requests:
+      cpu: 512m
+      memory: 384Mi
+  enableReadinessProbe: false
+  readinessProbeInitialDelaySeconds: 20
+  enableLivenessProbe: true
+  livenessProbeInitialDelaySeconds: 20
+  livenessProbePeriodSeconds: 15
 
 image:
   repository: lscr.io/linuxserver/bookstack
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
   tag: "v23.02.2-ls71"
 
 db_image:
   repository: lscr.io/linuxserver/mariadb
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
 
 nameOverride: ""
@@ -69,30 +85,8 @@ securityContext: {}
   # runAsUser: 1000
 
 service:
-  type: ClusterIP
   port: 8080
 
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-# livenessProbe:
-#   httpGet:
-#     path: /
-#     port: http
-# readinessProbe:
-#   httpGet:
-#     path: /
-#     port: http
-
 # autoscaling:
 #   enabled: false
 #   minReplicas: 1