From e25b38a5d04156525f1cb854b2413639b8625661 Mon Sep 17 00:00:00 2001 From: james-otten Date: Fri, 8 Nov 2024 21:16:11 -0500 Subject: [PATCH] Hardening (#7) * resource request * run * StatefulSet * probes * probes * probes * probes * probes * probes * probes * probes * probes * probes * probes * probes * updates --- .github/workflows/deploy.yaml | 1 + .github/workflows/helm_deploy.yaml | 3 ++ bookstack-helm/templates/bookstack.yaml | 20 +++++++++--- bookstack-helm/templates/db.yaml | 25 ++++++++++++--- bookstack-helm/values.yaml | 42 +++++++++++-------------- 5 files changed, 58 insertions(+), 33 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 2f5da0f..dc700bd 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -24,4 +24,5 @@ jobs: with: environment: prod1 secrets: inherit + needs: deploy_to_dev3 if: github.ref == 'refs/heads/master' diff --git a/.github/workflows/helm_deploy.yaml b/.github/workflows/helm_deploy.yaml index 6818f3e..d6564a8 100644 --- a/.github/workflows/helm_deploy.yaml +++ b/.github/workflows/helm_deploy.yaml @@ -55,3 +55,6 @@ jobs: --set bookstack.aws.access_key_id="${{ secrets.ACCESS_KEY_ID }}" \ --set bookstack.aws.secret_access_key="${{ secrets.SECRET_ACCESS_KEY }}" \ --set bookstack.aws.backup_s3_url="${{ secrets.BACKUP_S3_URL }}" + + # Rolling restart + kubectl --kubeconfig ./config --server https://${{ secrets.SSH_TARGET_IP }}:6443 -n ${{ vars.APP_NAMESPACE }} rollout restart statefulset diff --git a/bookstack-helm/templates/bookstack.yaml b/bookstack-helm/templates/bookstack.yaml index 597aae5..c7e8e97 100644 --- a/bookstack-helm/templates/bookstack.yaml +++ b/bookstack-helm/templates/bookstack.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "bookstack-helm.fullname" . }}-bookstack namespace: {{ .Values.meshwiki_app_namespace }} 
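Review bot: The new `needs: deploy_to_dev3` on the prod1 job gates promotion on the dev3 job *succeeding*, which only protects prod if that job actually fails when the dev release is unhealthy. The reusable workflow it calls (helm_deploy.yaml, also touched in this patch) ends with a `helm upgrade` whose `--wait` flag is not visible here and a `rollout restart` that returns immediately, so a release that crash-loops on dev3 would still be promoted. Consider `helm upgrade ... --wait --timeout 5m` or a `kubectl rollout status` step so the job's exit code reflects pod health, or a smoke-test job between the two. The rest of the prod1 job definition starts outside the hunk.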
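Review bot: `kubectl ... rollout restart statefulset` with no resource name restarts every StatefulSet in `APP_NAMESPACE`, which after this patch includes the MariaDB one, so every deploy to dev or prod now bounces the database as well as the app. For a single-replica database on a persistent volume that is an outage on each deploy, and because the command returns before the new pods are ready the workflow still reports success if they never come up. Restart only the app, by name, and wait for it: `kubectl ... rollout restart statefulset/<fullname>-bookstack` followed by `kubectl ... rollout status statefulset/<fullname>-bookstack --timeout=5m` (the exact name depends on the release name passed to `helm upgrade`, which is outside the hunk). If the restart exists only to pick up changed Secrets/ConfigMaps, a checksum annotation on the pod template would let `helm upgrade --wait` do this without a separate step.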
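Review bot: Changing `kind` from Deployment to StatefulSet is not an in-place update for Helm: it creates a new StatefulSet and deletes the old Deployment as a separate resource, and the rest of the `spec` (outside this hunk) needs the StatefulSet-specific fields. In particular `spec.serviceName` should point at a headless Service (the API server has required it on most releases), and if the image PVC is ReadWriteOnce the new `-0` pod can sit Pending on a volume-in-use error until the old Deployment pod has fully terminated, so plan the first upgrade as a brief outage. A one-line comment above `kind:` saying why a StatefulSet was chosen for a single-replica web app (presumably stable pod identity for the PVCs) would help the next maintainer, e.g. `# StatefulSet rather than Deployment: one replica pinned to its PVCs, no surge pod contending for them`.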
@@ -144,12 +144,24 @@ spec: mountPath: /backup.files.hook.sh subPath: backup.files.hook.sh readOnly: true + {{- if .Values.bookstack.enableLivenessProbe }} livenessProbe: - {{- toYaml .Values.livenessProbe | nindent 12 }} + httpGet: + path: /status + port: 80 + initialDelaySeconds: {{ .Values.bookstack.livenessProbeInitialDelaySeconds }} + periodSeconds: {{ .Values.bookstack.livenessProbePeriodSeconds }} + {{- end }} + {{- if .Values.bookstack.enableReadinessProbe }} readinessProbe: - {{- toYaml .Values.readinessProbe | nindent 12 }} + httpGet: + path: /status + port: 80 + initialDelaySeconds: {{ .Values.bookstack.readinessProbeInitialDelaySeconds }} + periodSeconds: {{ .Values.bookstack.readinessProbePeriodSeconds }} + {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.bookstack.resources | nindent 12 }} lifecycle: postStart: exec: diff --git a/bookstack-helm/templates/db.yaml b/bookstack-helm/templates/db.yaml index 1793250..8282e9a 100644 --- a/bookstack-helm/templates/db.yaml +++ b/bookstack-helm/templates/db.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "bookstack-helm.fullname" . }}-db namespace: {{ .Values.meshwiki_app_namespace }} 
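Review bot: The liveness probe on `/status` ties the app container's restart decision to its dependencies: if that route behaves like BookStack's upstream status endpoint it checks database, cache and session and returns a non-2xx when any of them fail, so a database outage or a slow MariaDB restart gets the BookStack pod killed and restarted every `failureThreshold × periodSeconds` without fixing anything. Liveness should only answer "is this process wedged", e.g. `tcpSocket:` / `port: 80` against the nginx listener, while `/status` is the right check for readiness — yet the values in this patch enable liveness and disable readiness, so traffic is routed to the pod before the app answers and the dependency check drives the wrong decision. Also expose `timeoutSeconds` and `failureThreshold` (defaults 1 s / 3) next to the delay and period, and make sure `initialDelaySeconds` covers the image's first-start work; the container also has a `postStart` hook whose body is outside the hunk, as is the rest of the container definition.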
@@ -64,12 +64,27 @@ spec: volumeMounts: - name: mysql-data-vol mountPath: /config - livenessProbe: - {{- toYaml .Values.livenessProbe | nindent 12 }} + {{- if .Values.bookstack.db.enableReadinessProbe }} readinessProbe: - {{- toYaml .Values.readinessProbe | nindent 12 }} + exec: + command: + - sh + - "-c" + - "mysql -uroot -p$MYSQL_ROOT_PASSWORD -e 'SELECT 1'" + initialDelaySeconds: {{ .Values.bookstack.db.readinessProbeInitialDelaySeconds }} + {{- end }} + {{- if .Values.bookstack.db.enableLivenessProbe }} + livenessProbe: + exec: + command: + - sh + - "-c" + - "mysql -uroot -p$MYSQL_ROOT_PASSWORD -e 'SELECT 1'" + initialDelaySeconds: {{ .Values.bookstack.db.livenessProbeInitialDelaySeconds }} + periodSeconds: {{ .Values.bookstack.db.livenessProbePeriodSeconds }} + {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.bookstack.db.resources | nindent 12 }} {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 12 }} diff --git a/bookstack-helm/values.yaml b/bookstack-helm/values.yaml index ff0cc32..73531b1 100644 --- a/bookstack-helm/values.yaml +++ b/bookstack-helm/values.yaml @@ -16,6 +16,15 @@ bookstack: pvc_name: wikidb pvc_size: 5Gi port: 3306 + resources: + requests: + cpu: 256m + memory: 384Mi + enableReadinessProbe: true + readinessProbeInitialDelaySeconds: 5 + enableLivenessProbe: true + livenessProbeInitialDelaySeconds: 5 + livenessProbePeriodSeconds: 10 mail: host: smtp.gmail.com port: 587 
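Review bot: Both exec probes put the root password on the `mysql` command line (`-p$MYSQL_ROOT_PASSWORD`), so every probe period it is briefly visible in the container's process list and `/proc/*/cmdline` until the client scrubs its argv, and the unquoted expansion breaks on a password containing spaces or shell metacharacters. Pass it through `MYSQL_PWD` (honoured by the MariaDB client) for the readiness query, and for liveness use `mysqladmin ping`, which ships with the same client package the image already uses and exits 0 whenever the server answers — even with access denied — so it needs no credentials at all. The liveness probe is also aggressive for a database: with the default `timeoutSeconds: 1` and `failureThreshold: 3`, three consecutive slow responses (about 30 s at the 10 s period, easily hit by a long dump or first-run data-dir initialization) get the single MariaDB pod killed, so give it a longer timeout and threshold and keep the restart decision conservative. The container spec continues outside the hunk.
```yaml
          {{- if .Values.bookstack.db.enableReadinessProbe }}
          readinessProbe:
            exec:
              command:
                - sh
                - "-c"
                # password via the environment, not argv; quoted so special characters survive
                - 'MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -uroot -e "SELECT 1"'
            initialDelaySeconds: {{ .Values.bookstack.db.readinessProbeInitialDelaySeconds }}
          {{- end }}
          {{- if .Values.bookstack.db.enableLivenessProbe }}
          livenessProbe:
            exec:
              # "is the server answering?" — exits 0 even on access-denied, so no credentials needed
              command:
                - mysqladmin
                - ping
            initialDelaySeconds: {{ .Values.bookstack.db.livenessProbeInitialDelaySeconds }}
            periodSeconds: {{ .Values.bookstack.db.livenessProbePeriodSeconds }}
            # a slow-but-alive database must not be killed; expose via values if tuning is needed
            timeoutSeconds: 5
            failureThreshold: 6
          {{- end }}
```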
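Review bot: `livenessProbeInitialDelaySeconds: 5` for the database is very short: on a fresh PVC the image has to initialize its data directory before it accepts connections (how long that takes depends on the image, which is outside this hunk), and with the template's default `failureThreshold: 3` and the `livenessProbePeriodSeconds: 10` set here the kubelet kills the container roughly 35 s after start if it is not yet answering, which can keep the database restarting before initialization ever completes. Either raise the delay substantially or add a `startupProbe` with a generous `failureThreshold` so liveness only starts once the server has come up. `resources` here sets requests only; a `memory` limit would keep a runaway MariaDB from taking the node down with it, while leaving CPU unlimited is reasonable for a database.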
@@ -27,17 +36,24 @@ bookstack: image_pvc_size: 5Gi backup: cron_schedule: "33 3 * * *" + resources: + requests: + cpu: 512m + memory: 384Mi + enableReadinessProbe: false + readinessProbeInitialDelaySeconds: 20 + enableLivenessProbe: true + livenessProbeInitialDelaySeconds: 20 + livenessProbePeriodSeconds: 15 image: repository: lscr.io/linuxserver/bookstack pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. tag: "v23.02.2-ls71" db_image: repository: lscr.io/linuxserver/mariadb pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. tag: "latest" nameOverride: "" @@ -69,30 +85,8 @@ securityContext: {} # runAsUser: 1000 service: - type: ClusterIP port: 8080 -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# livenessProbe: -# httpGet: -# path: / -# port: http -# readinessProbe: -# httpGet: -# path: / -# port: http - # autoscaling: # enabled: false # minReplicas: 1
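Review bot: Defaulting `enableReadinessProbe: false` while `enableLivenessProbe: true` is backwards for the app: without readiness the Service sends traffic to the BookStack pod as soon as the container starts, so users see connection errors during every startup (including the `rollout restart` the workflow now runs on each deploy), while the liveness probe's restart decision is the one that should be cautious. Flip the default to `enableReadinessProbe: true` and let `readinessProbeInitialDelaySeconds: 20` do the gating; if readiness was disabled because `/status` fails while the database is still coming up, that is exactly what readiness is for — the pod just stays out of the endpoints until the dependency is there. The `cpu: 512m` / `memory: 384Mi` requests are fine, but as with the db block a memory limit is worth adding.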