Merge pull request #768 from MetaCell/feature/CH-32

Neo4J browser
MetaCell · Sep 11, 2024 · 958aa9f · 958aa9f
2 parents f8bf3b2 + 9f5130f
commit 958aa9f
Show file tree

Hide file tree

Showing 9 changed files with 128 additions and 3 deletions.
diff --git a/applications/neo4j/.gitignore b/applications/neo4j/.gitignore
@@ -0,0 +1 @@
+helm-charts
diff --git a/applications/neo4j/README.md b/applications/neo4j/README.md
@@ -0,0 +1,22 @@
+# Neo4j browser helm chart
+
+Enable this application to deploy a Neo4j server with the neo4j browser enabled.
+
+## How to use
+The neo4j browser will be enabled at neo4j.[DOMAIN].
+
+![Neo4j browser login](docs/browser-login.png)
+
+The default credentials are set in the [application configuration file](deploy/values.yaml).
+
+It is recommended to change the password during the first login, such as:
+
+```
+ALTER USER default SET PASSWORD '<new-password>'
+```
+
+## Implementation
+This implementation uses the Neo4j reverse proxy server to enable usage via Ingress and http(s).
+
+For more information, see https://neo4j.com/docs/operations-manual/current/kubernetes/accessing-neo4j-ingress/
+
diff --git a/applications/neo4j/deploy/templates/reverseProxyServer.yaml b/applications/neo4j/deploy/templates/reverseProxyServer.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.apps.neo4j.harness.deployment.name }}
+  labels:
+    app: {{ .Values.apps.neo4j.harness.deployment.name }}
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.apps.neo4j.harness.deployment.name }}
+  template:
+    metadata:
+      name: {{ .Values.apps.neo4j.harness.deployment.name }}
+      labels:
+        name: {{ .Values.apps.neo4j.harness.deployment.name }}
+        app: {{ .Values.apps.neo4j.harness.deployment.name }}
+    spec:
+      securityContext: {{ toYaml .Values.apps.neo4j.reverseProxy.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Values.apps.neo4j.harness.deployment.name }}
+          image: {{ .Values.apps.neo4j.reverseProxy.image }}
+          imagePullPolicy: Always
+          securityContext: {{ toYaml .Values.apps.neo4j.reverseProxy.containerSecurityContext | nindent 12 }}
+          ports:
+            - containerPort: {{ .Values.apps.neo4j.harness.deployment.port }}
+          env:
+            - name: SERVICE_NAME
+              value: {{ .Values.apps.neo4j.harness.database.name }}
+            - name: PORT
+              value: {{ .Values.apps.neo4j.harness.deployment.port  | quote }}
+            - name: DOMAIN
+              value: {{ .Values.apps.neo4j.reverseProxy.domain | default "cluster.local" }}
+            - name: NAMESPACE
+              value: {{ .Release.Namespace }}
+---
diff --git a/applications/neo4j/deploy/values.yaml b/applications/neo4j/deploy/values.yaml
@@ -0,0 +1,41 @@
+harness:
+  subdomain: neo4j
+  database:
+    auto: true
+    name: neo4j-db
+    type: neo4j
+    user: default
+    pass: default
+  deployment:
+    auto: false
+  service:
+    auto: true
+# Parameters for reverse proxy
+reverseProxy:
+  image: "neo4j/helm-charts-reverse-proxy:5.23"
+
+  # Name of the kubernetes service. This service should have the ports 7474 and 7687 open.
+  # This could be the admin service ex: "standalone-admin" or the loadbalancer service ex: "standalone" created via the neo4j helm chart
+  # serviceName , namespace , domain together will form the complete k8s service url. Ex: standalone-admin.default.svc.cluster.local
+  # When used against a cluster ensure the service being used is pointing to all the cluster instances.
+  # This could be the loadbalancer from neo4j helm chart or the headless service installed via neo4j-headless-service helm chart
+  serviceName: ""
+  # default is set to cluster.local
+  domain: "cluster.local"
+
+  # securityContext defines privilege and access control settings for a Container. Making sure that we dont run Neo4j as root user.
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 7474
+    runAsGroup: 7474
+    capabilities:
+      drop:
+        - all
+
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 7474
+    runAsGroup: 7474
+    fsGroup: 7474
+    fsGroupChangePolicy: "Always"
diff --git a/applications/neo4j/docs/browser-login.png b/applications/neo4j/docs/browser-login.png
diff --git a/deployment-configuration/helm/templates/auto-database-neo4j.yaml b/deployment-configuration/helm/templates/auto-database-neo4j.yaml
@@ -21,4 +21,6 @@
             value: {{ .app.harness.database.neo4j.memory.heap.max }}
           - name: NEO4J_dbms_security_auth__enabled
             value: {{ .app.harness.database.neo4j.dbms_security_auth_enabled | quote }}
+          - name: NEO4J_auth
+            value: {{ .app.harness.database.user }}/{{ .app.harness.database.pass }}
 {{- end }}
diff --git a/deployment-configuration/helm/templates/auto-database.yaml b/deployment-configuration/helm/templates/auto-database.yaml
@@ -102,7 +102,7 @@ metadata:
     app: {{ .app.harness.deployment.name | quote }}
 {{ include "deploy_utils.labels" .root | indent 4 }}
 spec:
-  type: ClusterIP
+  type: {{ if .app.harness.database.expose }}LoadBalancer{{ else }}ClusterIP{{ end }}
   selector:
     app: {{ .app.harness.database.name | quote }}
   ports:

diff --git a/deployment-configuration/value-template.yaml b/deployment-configuration/value-template.yaml
@@ -75,6 +75,8 @@ harness:
     pass: metacell
     # -- image ref for referencing images from the build, e.g. image_ref: myownpgimage
     image_ref:
+    # -- expose database to the public with ingress
+    expose: false
     # -- settings for mongo database (for type==mongo)
     mongo:
       image: mongo:5
@@ -90,7 +92,7 @@ harness:
           port: 5432
     # -- settings for neo4j database (for type==neo4j)
     neo4j:
-      image: neo4j:4.1.9
+      image: neo4j:5
       memory:
         size: 256M
         pagecache:

diff --git a/docs/applications/databases.md b/docs/applications/databases.md
@@ -35,6 +35,9 @@ harness:
 
 `image_ref`: Optional setting, used for referencing a base/static image from the build. The complete image name with tag will automagically being generated from the values.yaml file. This setting overrides the `image` setting specific for the database type (e.g. postgres/image). Note: the referenced image must be included as a build dependency in order to be built by the pipelines.
 
+`expose`: This option allows you to expose the database port through a load balancer.
+Do not use on production!
+
 
 ### Specific database settings
 
@@ -91,7 +94,24 @@ harness
 
 #### Neo4j
 
-Not yet supported!
+Defaults:
+```yaml
+harness
+  database:
+    neo4j:
+      dbms_security_auth_enabled: "false"
+      image: neo4j:5
+      memory:
+        heap: { initial: 64M, max: 128M }
+        pagecache: { size: 64M }
+        size: 256M
+        ports:
+          - { name: http, port: 7474 }
+          - { name: bolt, port: 7687 }
+```
+
+Not that the default resource values are not optimized and increasing the default memory is recommended for production.
+Mapping memory configuration with Kubernetes resource requests is also recommended.
 
 ## Programmatic API