-
Notifications
You must be signed in to change notification settings - Fork 24
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use OpenProject slim image and seeder job + initcontainer for migrati…
…ons (#22) * use slim image * use core helper to wait for db * support custom root CA for outgoing SSL * fix labels * fix tls option name * use https=false to make linting work, maybe * set timeout for testing to 600s * fix health check * Update chart to 2.0.0 due to change to slim --------- Co-authored-by: Oliver Günther <[email protected]>
- Loading branch information
1 parent
1e0631e
commit d2b4712
Showing
9 changed files
with
229 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| # Helm chart for OpenProject | ||
|
|
||
| This is the chart for OpenProject itself. | ||
|
|
||
| ## Development | ||
|
|
||
| To install or update from this directory run the following command. | ||
|
|
||
| ```bash | ||
| helm upgrade \ | ||
| --create-namespace --namespace openproject \ | ||
| --install --reuse-values openproject-dev . | ||
| ``` | ||
|
|
||
| ### TLS | ||
|
|
||
| Create a TLS certificate, e.g. using [mkcert](https://github.com/FiloSottile/mkcert). | ||
|
|
||
| ``` | ||
| mkcert helm-example.openproject-dev.com | ||
| ``` | ||
|
|
||
| Create the tls secret in kubernetes. | ||
|
|
||
| ``` | ||
| kubectl -n openproject create secret tls openproject-tls \ | ||
| --key="helm-example.openproject-dev.com-key.pem" \ | ||
| --cert="helm-example.openproject-dev.com.pem" | ||
| ``` | ||
|
|
||
| Set the tls secret value during installation or an upgrade by adding the following. | ||
|
|
||
| ``` | ||
| --set ingress.tls.enabled=true --set tls.secretName=openproject-tls | ||
| ``` | ||
|
|
||
| #### Root CA | ||
|
|
||
| If you want to add your own root CA for outgoing TLS connection, do the following. | ||
|
|
||
| 1. Put the certificate into a config map. | ||
|
|
||
| ``` | ||
| kubectl -n openproject-dev create configmap ca-pemstore --from-file=/path/to/rootCA.pem | ||
| ``` | ||
|
|
||
| To make OpenProject use this CA for outgoing TLS connection, set the following options. | ||
|
|
||
| ``` | ||
| --set egress.tls.rootCA.configMap=ca-pemstore \ | ||
| --set egress.tls.rootCA.fileName=rootCA.pem | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: {{ include "common.names.fullname" . }}-seeder-{{ now | date "20060102150405" }} | ||
| labels: | ||
| {{- include "common.labels.standard" . | nindent 4 }} | ||
| spec: | ||
| ttlSecondsAfterFinished: 6000 | ||
| template: | ||
| spec: | ||
| containers: | ||
| - name: seeder | ||
| image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}" | ||
| imagePullPolicy: {{ .Values.image.imagePullPolicy }} | ||
| args: | ||
| - bash | ||
| - /app/docker/prod/seeder | ||
| envFrom: | ||
| - secretRef: | ||
| name: {{ include "common.names.fullname" . }} | ||
| restartPolicy: OnFailure |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| --- | ||
| apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} | ||
| kind: Deployment | ||
| metadata: | ||
| name: {{ include "common.names.fullname" . }}-worker | ||
| labels: | ||
| {{- include "common.labels.standard" . | nindent 4 }} | ||
| openproject/process: worker | ||
| spec: | ||
| replicas: {{ .Values.backgroundReplicaCount }} | ||
| strategy: | ||
| type: {{ .Values.strategy.type }} | ||
| selector: | ||
| matchLabels: | ||
| {{- include "common.labels.matchLabels" . | nindent 6 }} | ||
| openproject/process: worker | ||
| template: | ||
| metadata: | ||
| annotations: | ||
| {{- range $key, $val := .Values.podAnnotations }} | ||
| {{ $key }}: {{ $val | quote }} | ||
| {{- end }} | ||
| # annotate pods with env value checksum so changes trigger re-deployments | ||
| {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (include "common.names.fullname" .)) | default dict }} | ||
| {{- $secretData := (get $secretObj "data") | default dict }} | ||
| checksum/config: {{ values $secretData | sortAlpha | cat | sha256sum }} | ||
| labels: | ||
| {{- include "common.labels.standard" . | nindent 8 }} | ||
| openproject/process: worker | ||
| spec: | ||
| {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} | ||
| imagePullSecrets: | ||
| {{- range (coalesce .Values.imagePullSecrets .Values.global.imagePullSecrets) }} | ||
| - name: "{{ . }}" | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- with .Values.affinity }} | ||
| affinity: | ||
| {{ toYaml . | nindent 8 | trim }} | ||
| {{- end }} | ||
| {{- with .Values.tolerations }} | ||
| tolerations: | ||
| {{ toYaml . | nindent 8 | trim }} | ||
| {{- end }} | ||
| {{- with .Values.nodeSelector }} | ||
| nodeSelector: | ||
| {{ toYaml . | nindent 8 | trim }} | ||
| {{- end }} | ||
| {{- with .Values.podSecurityContext }} | ||
| securityContext: | ||
| {{ toYaml . | nindent 8 | trim }} | ||
| {{- end }} | ||
| serviceAccountName: {{ include "common.names.fullname" . }} | ||
| volumes: | ||
| {{- if .Values.egress.tls.rootCA.fileName }} | ||
| - name: ca-pemstore | ||
| configMap: | ||
| name: "{{- .Values.egress.tls.rootCA.configMap }}" | ||
| {{- end }} | ||
| {{- if .Values.persistence.enabled }} | ||
| - name: "data" | ||
| persistentVolumeClaim: | ||
| claimName: {{ include "common.names.fullname" . }} | ||
| {{- end }} | ||
| initContainers: | ||
| - name: wait-for-db | ||
| securityContext: | ||
| {{- toYaml .Values.securityContext | nindent 12 }} | ||
| image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}" | ||
| imagePullPolicy: {{ .Values.image.imagePullPolicy }} | ||
| envFrom: | ||
| - secretRef: | ||
| name: {{ include "common.names.fullname" . }} | ||
| command: | ||
| - bash | ||
| - /app/docker/prod/wait-for-db | ||
| containers: | ||
| - name: "openproject" | ||
| securityContext: | ||
| {{- toYaml .Values.securityContext | nindent 12 }} | ||
| image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}" | ||
| imagePullPolicy: {{ .Values.image.imagePullPolicy }} | ||
| envFrom: | ||
| - secretRef: | ||
| name: {{ include "common.names.fullname" . }} | ||
| {{- if .Values.egress.tls.rootCA.fileName }} | ||
| env: | ||
| - name: SSL_CERT_FILE | ||
| value: "/etc/ssl/certs/custom-ca.pem" | ||
| {{- end }} | ||
| command: | ||
| - bash | ||
| - /app/docker/prod/worker | ||
| volumeMounts: | ||
| {{- if .Values.persistence.enabled }} | ||
| - name: "data" | ||
| mountPath: "/var/openproject/assets" | ||
| {{- end }} | ||
| {{- if .Values.egress.tls.rootCA.fileName }} | ||
| - name: ca-pemstore | ||
| mountPath: /etc/ssl/certs/custom-ca.pem | ||
| subPath: {{ .Values.egress.tls.rootCA.fileName }} | ||
| readOnly: false | ||
| {{- end }} | ||
| resources: | ||
| {{- toYaml .Values.resources | nindent 12 }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters