feat(platine-management): export config in values
- container port var is now different from service port
- add configuration for liveness/readiness/startup probes
- add vault secrets
- add sealed secrets
davdarras committed Apr 5, 2024
1 parent 5135a60 commit e9b1988
Showing 6 changed files with 171 additions and 36 deletions.
2 changes: 1 addition & 1 deletion charts/platine-management/Chart.yaml
Expand Up @@ -9,5 +9,5 @@ dependencies:
repository: https://charts.bitnami.com/bitnami

type: application
version: 0.7.0
version: 0.8.0
appVersion: "1.16.0"
70 changes: 37 additions & 33 deletions charts/platine-management/templates/api/deployment.yaml
Expand Up @@ -32,58 +32,62 @@ spec:
{{- toYaml .Values.api.securityContext | nindent 12 }}
image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.api.image.pullPolicy }}
{{- if .Values.postgresql.enabled }}
{{ $host := include "postgresql.primary.fullname" . }}
{{ $port := .Values.postgresql.global.postgresql.service.ports.postgresql }}
{{ $database := .Values.postgresql.auth.database }}
{{ $databaseUrl := printf "jdbc:postgresql://%s:%.0f/%s" $host $port $database }}

{{- if or .Values.postgresql.enabled .Values.api.vaultStaticSecret.enabled }}
env:
{{- if .Values.postgresql.enabled }}
- name: SPRING_DATASOURCE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "platine-management.postgresql.fullname" . }}
key: password
- name: SPRING_DATASOURCE_URL
value: {{ $databaseUrl | quote }}
value: {{ printf "jdbc:postgresql://%s:%.0f/%s" (include "platine-management.postgresql.fullname" .) .Values.postgresql.global.postgresql.service.ports.postgresql .Values.postgresql.auth.database | quote }}
- name: SPRING_DATASOURCE_USERNAME
value: {{ .Values.postgresql.auth.username | quote}}
{{- end }}
{{- if .Values.api.vaultStaticSecret.enabled }}
{{- range $key, $value := .Values.api.vaultStaticSecret.config }}
- name: {{ $value.nomEnv }}
valueFrom:
secretKeyRef:
name: {{ $value.secretName }}
key: {{ $value.keyUsed }}
{{- end }}
{{- end }}
{{- end }}
{{- if and .Values.api.env .Values.api.enabled }}

{{- if or .Values.api.env .Values.api.sealedSecret.enabled }}
envFrom:
{{- if .Values.api.env }}
- configMapRef:
name: {{ template "platine-management.api.fullname" . }}
{{- end }}
{{- if .Values.api.sealedSecret.enabled }}
{{- range $key, $value := .Values.api.sealedSecret.config }}
- secretRef:
name: {{ $key }}
{{- end }}
{{- end }}
{{- end }}

ports:
- name: http
containerPort: 8080
- name: container-port
containerPort: {{ .Values.api.container.port }}
protocol: TCP

{{- with .Values.api.livenessProbe }}
livenessProbe:
failureThreshold: 3
httpGet:
path: /actuator/health/liveness
port: http
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.readinessProbe }}
readinessProbe:
failureThreshold: 3
httpGet:
path: /actuator/health/readiness
port: http
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.api.startupProbe }}
startupProbe:
failureThreshold: 30
httpGet:
path: /actuator/health/liveness
port: http
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.api.resources | nindent 12 }}
{{- with .Values.api.nodeSelector }}
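Review bot: The three `{{- with .Values.api.livenessProbe }}` / `readinessProbe` / `startupProbe` blocks render nothing when the value is the new default `{}`, so a default install loses the liveness, readiness and startup probes that the removed lines hard-coded, and a crashed or still-starting pod now keeps receiving Service traffic until an operator opts in. Consider carrying the previous settings into values.yaml as the shipped defaults (with `port: container-port`, since this hunk renames the container port from `http`) instead of empty maps, or at least state in the values comments that all probes are off until configured. The `printf "jdbc:postgresql://%s:%.0f/%s"` line is moved rather than new and is not re-raised here. The container spec continues outside the hunk.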
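--- a/charts/platine-management/templates/api/sealedsecret.yaml
+++ b/charts/platine-management/templates/api/sealedsecret.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.api.sealedSecret.enabled -}}
+{{- range $key, $value := .Values.api.sealedSecret.config }}
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ $key }}
+spec:
+  encryptedData:
+  {{- range $cle, $valeur := $value.secretEnv }}
+    {{ $cle }}: {{ $valeur }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ $key }}
+      namespace: {{ $value.namespace }}
+    type: Opaque
+{{- end }}
+{{- end -}}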
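Review bot: `namespace: {{ $value.namespace }}` is set on the unsealed-Secret template while the SealedSecret object itself carries no `metadata.namespace`, so the object lands in the release namespace but its template names whatever each config entry says. In the controller's default strict scope the ciphertext is bound to the name and namespace of the Secret it unseals into, so a value that does not match the release namespace leaves the Secret un-unsealed and the Deployment's `secretRef: name: {{ $key }}` resolving to nothing. Deriving it from the release, `namespace: {{ $.Release.Namespace }}`, removes a per-entry value that can silently drift from where the chart is installed. The `name` fields would also benefit from `| quote` so an all-digit or boolean-looking key is not retyped by YAML.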
4 changes: 2 additions & 2 deletions charts/platine-management/templates/api/service.yaml
Expand Up @@ -9,9 +9,9 @@ spec:
type: {{ .Values.api.service.type }}
ports:
- port: {{ .Values.api.service.port }}
targetPort: http
targetPort: container-port
protocol: TCP
name: http
name: service-port
selector:
{{- include "platine-management.api.selectorLabels" . | nindent 4 }}
{{- end }}
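--- a/charts/platine-management/templates/api/vaultstaticsecret.yaml
+++ b/charts/platine-management/templates/api/vaultstaticsecret.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.api.vaultStaticSecret.enabled -}}
+{{- range $key, $value := .Values.api.vaultStaticSecret.config }}
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {{ $key }}
+spec:
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: {{ include "platine-management.api.fullname" $ }}
+
+  type: kv-v2
+
+  # mount path
+  mount: {{ $value.mount }}
+
+  # path of the secret
+  path: {{ $value.path }}
+
+  # dest k8s secret
+  destination:
+    name: {{ $value.secretName }}
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: {{ $value.refreshAfter }}
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: {{ $value.vaultAuthRef }}
+{{- end }}
+{{- end -}}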
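Review bot: `mount`, `path`, `refreshAfter`, `vaultAuthRef` and the two `name` fields are emitted as plain scalars, so an empty value — the values.yaml example ships `path: ""` and `secretName: ""` — renders as a bare key that YAML reads as null and the CRD then rejects with an unhelpful error, and a path containing `: ` or ` #` is mis-parsed. Piping each through `quote` (e.g. `path: {{ $value.path | quote }}`) keeps the rendered value a string. Since `destination.create: true` makes the operator write a Kubernetes Secret under `secretName`, a `required` check such as `name: {{ required "vaultStaticSecret.config.<entry>.secretName is required" $value.secretName | quote }}` would fail the render early instead of producing a Secret with no name for the Deployment's `secretKeyRef` to find.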
80 changes: 80 additions & 0 deletions charts/platine-management/values.yaml
Expand Up @@ -126,6 +126,9 @@ api:
# runAsNonRoot: true
# runAsUser: 1000

container:
port: 8080

service:
type: ClusterIP
port: 80
Expand All @@ -147,6 +150,48 @@ api:
# hosts:
# - chart-example.local

# check if pod is alive
# if problem with the pod itself, restart it
livenessProbe:
{}
# failureThreshold: 3
# httpGet:
# path: /health/liveness
# port: http
# scheme: HTTP
# initialDelaySeconds: 15
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1

# check if pod can accept traffic
# if pod cannot accept traffic because of external system failures (db down for example)
# do not forward traffic to the pod until pod is ready again
readinessProbe:
{}
# failureThreshold: 3
# httpGet:
# path: /health/readiness
# port: http
# scheme: HTTP
# initialDelaySeconds: 15
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1

# like liveness, but at startup time, it gives the opportunity to wait a little longer until the pod is ready
startupProbe:
{}
# failureThreshold: 30
# httpGet:
# path: /health/liveness
# port: http
# scheme: HTTP
# initialDelaySeconds: 15
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1

resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
Expand All @@ -173,6 +218,41 @@ api:

affinity: {}

sealedSecret:
enabled: false
# env variables to set (with ciphered values)
config: {}
# sealed-secret1:
# namespace: "namespace-name"
# secretEnv:
# password: "ciphered value"
# sealed-secret2:
# namespace: "namespace-name"
# secretEnv:
# token1:
# token2:

vaultStaticSecret:
enabled: false
# -- Configuration retrieving vault secrets
config: {}
# nameVaultStaticSecret1:
# mount: "secrets-env1"
# path: ""
# secretName: ""
# refreshAfter: "30s"
# vaultAuthRef: "namespaceName/namespaceName"
# nomEnv: ""
# keyUsed: ""
# nameVaultStaticSecret2:
# mount: "secrets-env1"
# path: ""
# secretname: ""
# refreshAfter: "30s"
# vaultAuthRef: ""
# nomEnv: ""
# keyUsed: ""

env: {}

metrics:
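Review bot: The commented probe examples (`# port: http` under livenessProbe, readinessProbe and startupProbe) reference a named port this commit renames: deployment.yaml now declares `name: container-port`, so an operator who uncomments the example gets a probe the kubelet cannot bind to any container port and the pod never becomes ready. Change the three example lines to `# port: container-port`; the example paths `/health/liveness` and `/health/readiness` also differ from the `/actuator/health/...` paths the deployment previously hard-coded, which is worth confirming against the application before publishing them as the template. In the `vaultStaticSecret.config` example the second entry spells the key `secretname` while the template reads `$value.secretName`, so copying that entry yields an empty destination name. The `api:` mapping continues outside the hunk.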
