Open-Zaak 1.12.4, Open-Notificaties 1.6.0

charts/open-notificaties/Chart.yaml

@@ -3,22 +3,23 @@ name: open-notificaties
 description: API voor het routeren van notificaties
 
 type: application
-version: 0.8.0
-appVersion: "1.4.0"
+version: 0.8.2
+# https://github.com/open-zaak/open-notificaties/tags
+appVersion: "1.6.0"
 
 dependencies:
   - name: postgresql
-    version: ~10.12.0
+    version: ~15.5.5
     repository: https://charts.bitnami.com/bitnami
     tags:
       - postgresql
   - name: redis
-    version: ~13.0.0
+    version: ~19.5.2
     repository: https://charts.bitnami.com/bitnami
     tags:
       - redis
   - name: rabbitmq
-    version: ~8.23.0
+    version: ~14.4.1
     repository: https://charts.bitnami.com/bitnami
     tags:
       - rabbitmq

charts/open-notificaties/README.md

@@ -20,12 +20,35 @@ Install the Helm chart with:
 ```bash
 helm install open-notificaties open-zaak/open-notificaties \
     --set "settings.allowedHosts=open-notificaties.gemeente.nl" \
+    --set "settings.envVars.DJANGO_SUPERUSER_PASSWORD=appelmoes" \
     --set "ingress.enabled=true" \
     --set "ingress.hosts={open-notificaties.gemeente.nl}"
 ```
 
 :warning: The default settings are unsafe for production usage. Configure proper secrets, enable persistency and consider High Availability (HA) for the database and the application.
 
+:warning: When you uninstall the chart, the PVCs will not be deleted. This can cause confusion during testing.
+
+If you want to use your own instances of Redis, Postgres and RabbitMQ instead, you can disable the subcharts:
+
+```bash
+helm install open-notificaties open-zaak/open-notificaties \
+    --set "tags.redis=false" \
+    --set "tags.postgresql=false" \
+    --set "tags.rabbitmq=false" \
+    --set "settings.database.host=postgres.gemeente.nl" \
+    --set "settings.cache.default=redis.gemeente.nl:6379/1" \
+    --set "settings.cache.axes=redis.gemeente.nl:6379/1" \
+    --set "settings.celery.resultBackend=redis.gemeente.nl:6379/2" \
+    --set "settings.messageBroker.host=rabbitmq.gemeente.nl" \
+    --set "settings.allowedHosts=open-notificaties.gemeente.nl" \
+    --set "settings.envVars.DJANGO_SUPERUSER_PASSWORD=appelmoes" \
+    --set "ingress.enabled=true" \
+    --set "ingress.hosts={open-notificaties.gemeente.nl}"
+```
+
+You will probably need to set more values to configure the connection to your own Redis, Postgres and RabbitMQ instances.
+
 ## Chart and Open Notificaties versions alignment
 
 Not every version of the chart is compatible with every version of Open Notificaties. The
@@ -80,12 +103,13 @@ table below describes the supported versions
 | `settings.autoRetry.backoffMax` | Upper limit (in seconds) of the exponential backoff. If `null`, the upstream defaults are used. | `null` |
 | `settings.flower.urlPrefix` | If enabled, deploy Flower on a non-root URL | `""` |
 | `settings.flower.basicAuth` | Secure Flower with [Basic Authentication](https://flower.readthedocs.io/en/latest/config.html#basic-auth). This is a comma-separated list of `username:password`. You should configure this when `flower.ingress.enabled` is set to true. | `""` |
+| `settings.envVars.*` | Environment variables for the application. See [Example config](https://github.com/open-zaak/open-notificaties/blob/main/docker-compose.yml) for more info | see [values.yaml]                                 |
 | `worker.podLabels` | Additional labels to be set on the open-notification worker pods | `{}` |
-| `postgresql.persistence.enabled` | Enable PostgreSQL persistency | `false` |
-| `postgresql.persistence.size` | Configure PostgreSQL size | `"1Gi"` |
-| `postgresql.persistence.existingClaim` | Use an existing persistent volume claim | `null` |
-| `postgresql.postgresqlDatabase` | The PostgreSQL database name | `"open-notificaties"` |
-| `postgresql.postgresqlPassword` | The PostgreSQL administrative password | `"SUPER-SECRET"` |
+| `postgresql.primary.ersistence.enabled` | Enable PostgreSQL persistency | `false` |
+| `postgresql.primary.persistence.size` | Configure PostgreSQL size | `"1Gi"` |
+| `postgresql.primary.persistence.existingClaim` | Use an existing persistent volume claim | `null` |
+| `postgresql.global.postgresql.auth.database` | The PostgreSQL database name | `"open-notificaties"` |
+| `postgresql.global.postgresql.auth.postgresqlPassword` | The PostgreSQL administrative password | `"SUPER-SECRET"` |
 | `flower.enabled` | Whether or not to deploy the [Flower](https://flower.readthedocs.io/en/latest/) component, which is a monitoring tool for Celery  | `false` |
 | `flower.replicaCount` | The number of replicas for Celery Flower | `1` | 
 | `flower.podLabels` | Additional labels to be set for Celery Flower | `{}` | 
@@ -95,11 +119,10 @@ table below describes the supported versions
 | `flower.ingress.annotations` | Additional annotations on the Flower Ingress | `{}` |
 | `flower.ingress.hosts` | Flower Ingress hosts | `"{open-notificaties-flower.gemeente.nl}"` |
 | `flower.ingress.tls` | Flower Ingress TLS settings | `"[]"` |
-| `redis.usePassword` | Use a Redis password | `false` |
-| `redis.cluster.enabled` | Enable Redis cluster | `false` |
-| `redis.persistence.existingClaim` | Use existing persistent volume claim for Redis | `""` |
+| `redis.auth.enabled` | Use a Redis password | `false` |
 | `redis.master.persistence.enabled` | Enable persistency for Redis master | `false` |
 | `redis.master.persistence.size` | The size of the Redis master persistent volume | `"1Gi"` |
+| `redis.master.persistence.existingClaim` | Use existing persistent volume claim for Redis | `""` |
 | `rabbitmq.auth.username` | RabbitMQ username | `"guest"` |
 | `rabbitmq.auth.password` | RabbitMQ password | `"guest"` |
 | `rabbitmq.auth.erlangCookie` | RabbitMQ Erlang Cookie | `"SUPER-SECRET"` |

charts/open-notificaties/templates/configmap.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "open-notificaties.labels" . | nindent 4 }}
 data:
-  ALLOWED_HOSTS: "{{ include "open-notificaties.fullname" . }},{{ .Values.settings.allowedHosts | toString }}"
+  ALLOWED_HOSTS: "{{ include "open-notificaties.fullname" . }},{{ include "open-notificaties.fullname" . }}.{{ .Release.Namespace }},{{ include "open-notificaties.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local,{{ .Values.settings.allowedHosts | toString }}"
   CACHE_AXES: {{ .Values.settings.cache.axes | toString | quote }}
   CACHE_DEFAULT: {{ .Values.settings.cache.default | toString | quote }}
   DB_NAME: {{ .Values.settings.database.name | toString | quote }}
@@ -41,3 +41,6 @@ data:
   {{ $index }}: {{ $index_value | toString | quote }}
   {{- end }}
   {{- end }}
+  {{- range $index, $value := .Values.settings.envVars }}
+  {{ $index }}: {{ $value | toString | quote }}
+  {{- end }}

charts/open-notificaties/templates/deployment.yaml

@@ -47,6 +47,21 @@ spec:
             - name: http
               containerPort: 8000
               protocol: TCP
+          lifecycle:
+            postStart:
+              exec:
+                # exit 0 = Don't fail because then the container will keep restarting without logging what is wrong.
+                command:
+                  - bash
+                  - -c
+                  - |
+                    ( echo "=== postStart script started at $(date) ==="
+                      set -x
+                      HEXPORT=$( printf '%X' 8000 )
+                      until grep -q ":$HEXPORT" /proc/net/tcp; do sleep 5; done
+                      python /app/src/manage.py setup_configuration --no-selftest
+                      exit 0
+                    ) >> /app/log/postStart.log 2>&1
           livenessProbe:
             httpGet:
               path: /
@@ -212,4 +227,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}

charts/open-notificaties/values.yaml

@@ -104,7 +104,7 @@ worker:
     # targetMemoryUtilizationPercentage: 80
 
 flower:
-  enabled: true
+  enabled: false
   replicaCount: 1
   podLabels: {}
   service:
@@ -186,36 +186,51 @@ settings:
     urlPrefix: ""
     basicAuth: ""
 
+  envVars:
+    OPENNOTIFICATIES_SUPERUSER_USERNAME: admin
+    OPENNOTIFICATIES_SUPERUSER_EMAIL: [email protected]
+    # To provide an initial password set: settings.envVars.DJANGO_SUPERUSER_PASSWORD
+    OPENNOTIFICATIES_DOMAIN: open-notificaties.gemeente.nl
+    OPENNOTIFICATIES_ORGANIZATION: Gemeente
+    DEMO_CONFIG_ENABLE: false
+    # Notificaties -> OpenZaak auth config
+    AUTORISATIES_API_ROOT: http://open-zaak.default.svc.cluster.local/autorisaties/api/v1/
+    NOTIF_OPENZAAK_CLIENT_ID: open-notificaties
+    NOTIF_OPENZAAK_SECRET: NOTIF_OPENZAAK_SECRET
+    # OpenZaak -> Notificaties auth config
+    OPENZAAK_NOTIF_CLIENT_ID: open-zaak
+    OPENZAAK_NOTIF_SECRET: OPENZAAK_NOTIF_SECRET
+
 #######################
 # PostgreSQL subchart #
 #######################
 
 postgresql:
-  persistence:
-    enabled: false
-    size: 1Gi
-    existingClaim: null
+  primary:
+    persistence:
+      enabled: false
+      size: 1Gi
+      existingClaim: null
 
-  postgresqlDatabase: open-notificaties
-  postgresqlPassword: SUPER-SECRET
+  global:
+    postgresql:
+      auth:
+        database: open-notificaties
+        postgresPassword: SUPER-SECRET
 
 ##################
 # Redis subchart #
 ##################
 
 redis:
-  usePassword: false
-
-  cluster:
+  auth:
     enabled: false
 
-  persistence:
-    existingClaim: null
-
   master:
     persistence:
       enabled: false
       size: 1Gi
+      existingClaim: null
 
 #####################
 # RabbitMQ subchart #

charts/open-zaak/Chart.yaml

@@ -3,17 +3,18 @@ name: open-zaak
 description: Productiewaardige API's voor Zaakgericht Werken
 
 type: application
-version: 0.8.1
-appVersion: "1.7.1"
+version: 0.8.2
+# https://github.com/open-zaak/open-zaak/tags
+appVersion: 1.12.4
 
-# dependencies:
-#   - name: postgresql
-#     version: ~10.12.0
-#     repository: https://charts.bitnami.com/bitnami
-#     tags:
-#       - postgresql
-#   - name: redis
-#     version: ~13.0.0
-#     repository: https://charts.bitnami.com/bitnami
-#     tags:
-#       - redis
+dependencies:
+  - name: postgresql
+    version: ~15.5.5
+    repository: https://charts.bitnami.com/bitnami
+    tags:
+      - postgresql
+  - name: redis
+    version: ~19.5.2
+    repository: https://charts.bitnami.com/bitnami
+    tags:
+      - redis

charts/open-zaak/README.md

@@ -19,12 +19,32 @@ Install the Helm chart with:
 ```bash
 helm install open-zaak open-zaak/open-zaak \
     --set "settings.allowedHosts=open-zaak.gemeente.nl" \
+    --set "settings.envVars.DJANGO_SUPERUSER_PASSWORD=appelmoes" \
     --set "ingress.enabled=true" \
     --set "ingress.hosts={open-zaak.gemeente.nl}"
 ```
 
 :warning: The default settings are unsafe for production usage. Configure proper secrets, enable persistency and consider High Availability (HA) for the database and the application.
 
+:warning: When you uninstall the chart, the PVCs will not be deleted. This can cause confusion during testing.
+
+If you want to use your own instance of Redis and Postgres instead, you can disable the subcharts:
+
+```bash
+helm install open-zaak open-zaak/open-zaak \
+    --set "tags.redis=false" \
+    --set "tags.postgresql=false" \
+    --set "settings.database.host=postgres.gemeente.nl" \
+    --set "settings.cache.default=redis.gemeente.nl:6379/0" \
+    --set "settings.cache.axes=redis.gemeente.nl:6379/0" \
+    --set "settings.allowedHosts=open-zaak.gemeente.nl" \
+    --set "settings.envVars.DJANGO_SUPERUSER_PASSWORD=appelmoes" \
+    --set "ingress.enabled=true" \
+    --set "ingress.hosts={open-zaak.gemeente.nl}"
+```
+
+You will probably need to set more values to configure the connection to your own Redis and Postgres instances.
+
 ## Chart and Open Zaak versions alignment
 
 Not every version of the chart is compatible with every version of Open Zaak. The
@@ -79,16 +99,16 @@ table below describes the supported versions
 | `settings.sentry.dsn` | The DSN for Sentry Logging | `""` |
 | `settings.isHttps` | Used to construct absolute URLs and controls a variety of security settings | `true` |
 | `settings.debug` | Only set this to True on a local development environment. Various other security settings are derived from this setting | `false` |
+| `settings.envVars.*` | Environment variables for the application. See [docs](https://open-zaak.readthedocs.io/en/latest/installation/config/env_config.html) for more info | see [values.yaml]                        |
 | `nginx.podLabels` | Additional labels to be set on the nginx pods | `{}` |
-| `postgresql.persistence.enabled` | Enable PostgreSQL persistency | `false` |
-| `postgresql.persistence.size` | Configure PostgreSQL size | `"1Gi"` |
-| `postgresql.persistence.existingClaim` | Use an existing persistent volume claim | `null` |
-| `postgresql.postgresqlDatabase` | The PostgreSQL database name | `"open-zaak"` |
-| `postgresql.postgresqlPassword` | The PostgreSQL administrative password | `"SUPER-SECRET"` |
-| `redis.usePassword` | Use a Redis password | `false` |
-| `redis.cluster.enabled` | Enable Redis cluster | `false` |
-| `redis.persistence.existingClaim` | Use existing persistent volume claim for Redis | `""` |
-| `redis.master.persistence.enabled` | Enable persistency for Redis master | `false` |
-| `redis.master.persistence.size` | The size of the Redis master persistent volume | `"1Gi"` |
+| `postgresql.primary.persistence.enabled` | Enable PostgreSQL persistency | `false`                                  |
+| `postgresql.primary.persistence.size` | Configure PostgreSQL size | `"1Gi"`                                  |
+| `postgresql.primary.persistence.existingClaim` | Use an existing persistent volume claim | `null`                                   |
+| `postgresql.global.postgresql.auth.database` | The PostgreSQL database name | `"open-zaak"`                            |
+| `postgresql.global.postgresql.auth.postgresqlPassword` | The PostgreSQL administrative password | `"SUPER-SECRET"`                         |
+| `redis.auth.enabled` | Use a Redis password | `false`                                  |
+| `redis.master.persistence.enabled`  | Enable persistency for Redis master | `false`                                  |
+| `redis.master.persistence.size` | The size of the Redis master persistent volume | `"1Gi"`                                  |
+| `redis.master.persistence.existingClaim` | Use existing persistent volume claim for Redis | `""`                                     |
 
 Check [values.yaml](./values.yaml) for all the possible configuration options.

charts/open-zaak/templates/configmap.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "open-zaak.labels" . | nindent 4 }}
 data:
-  ALLOWED_HOSTS: "{{ include "open-zaak.fullname" . }},{{ include "open-zaak.fullname" . }}.{{ .Release.Namespace }},{{ .Values.settings.allowedHosts | toString }}"
+  ALLOWED_HOSTS: "{{ include "open-zaak.fullname" . }},{{ include "open-zaak.fullname" . }}.{{ .Release.Namespace }},{{ include "open-zaak.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local,{{ .Values.settings.allowedHosts | toString }}"
   {{- if .Values.settings.useXForwardedHost }}
   USE_X_FORWARDED_HOST: "True"
   {{- end }}
@@ -33,3 +33,6 @@ data:
   {{- end }}
   IS_HTTPS: {{ if .Values.settings.isHttps }}"True"{{ else }}"False"{{ end }}
   JWT_EXPIRY: {{ .Values.settings.jwtExpiry | toString | quote }}
+  {{- range $index, $value := .Values.settings.envVars }}
+  {{ $index }}: {{ $value | toString | quote }}
+  {{- end }}

charts/open-zaak/templates/deployment.yaml

@@ -62,6 +62,21 @@ spec:
             - name: http
               containerPort: 8000
               protocol: TCP
+          lifecycle:
+            postStart:
+              exec:
+                # exit 0 = Don't fail because then the container will keep restarting without logging what is wrong.
+                command:
+                  - bash
+                  - -c
+                  - |
+                    ( echo "=== postStart script started at $(date) ==="
+                      set -x
+                      HEXPORT=$( printf '%X' 8000 )
+                      until grep -q ":$HEXPORT" /proc/net/tcp; do sleep 5; done
+                      python /app/src/manage.py setup_configuration --no-selftest
+                      exit 0
+                    ) >> /app/log/postStart.log 2>&1
           livenessProbe:
             httpGet:
               path: /