Merge pull request #58 from regulaforensics/sp-20484-database-initial…

…ization-improvements SP-20484 database init improvements
regulaforensics · Jan 11, 2025 · e6d2b1f · e6d2b1f
2 parents ce6f343 + b7e051f
commit e6d2b1f
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 2 deletions.
diff --git a/charts/docreader/Chart.yaml b/charts/docreader/Chart.yaml
@@ -3,7 +3,7 @@
 apiVersion: v2
 name: docreader
 home: https://api.regulaforensics.com/
-version: 1.4.0
+version: 2.0.0
 appVersion: nightly
 description: Fast and accurate data extraction from identity documents. On-premise and cloud integration
 icon: https://secure.gravatar.com/avatar/71a5efd69d82e444129ad18f51224bbb.jpg

diff --git a/charts/docreader/templates/NOTES.txt b/charts/docreader/templates/NOTES.txt
@@ -6,9 +6,13 @@
 ***********************************************************************
 
 Chart version: {{ .Chart.Version }}
-Docreader version compatibility: >= 7.1
+Docreader version compatibility: >= 7.6
 Kubernetes version compatibility: >= 1.23.0
 
+{{- if eq .Values.image.tag "latest" }}
+NOTE: Do not use "latest" mutable tag in production. Mutable tags can introduce multiple functional and security issues.
+{{- end }}
+
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- $paths := .Values.ingress.paths -}}

diff --git a/charts/docreader/templates/_helpers.tpl b/charts/docreader/templates/_helpers.tpl
@@ -99,6 +99,11 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{ default (printf "%s-postgresql" .Release.Name) }}
 {{- end }}
 
+{{/* DB Migrations Job Name */}}
+{{- define "docreader.migration" -}}
+{{ default (printf "%s-db-migration-job" .Release.Name) }}
+{{- end }}
+
 {{/* User defined docreader environment variables */}}
 {{- define "docreader.envs" -}}
   {{- range $i, $config := .Values.env }}

diff --git a/charts/docreader/templates/check-values.yaml b/charts/docreader/templates/check-values.yaml
@@ -1,5 +1,10 @@
 {{/* The purpose of this yaml file is it to check the values file is consistent for some complexe combinations. */}}
 
+{{- /* App Version check */ -}}
+{{- if lt (default .Chart.AppVersion .Values.image.tag) "7.6" }}
+    {{ required "Chart is not compatibile with Docreader version < 7.6\n Please upgrade to version 7.6 or higher" nil }}
+{{- end }}
+
 {{- /* SSL checks */ -}}
 {{- if .Values.config.service.webServer.ssl.enabled }}
     {{- if not .Values.config.service.webServer.ssl.certificatesSecretName }}

diff --git a/charts/docreader/templates/db-migration-job.yaml b/charts/docreader/templates/db-migration-job.yaml
@@ -0,0 +1,72 @@
+{{- if or .Values.config.service.sessionApi.enabled .Values.config.sdk.rfid.chipVerification.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "docreader.migration" . }}
+  labels: {{- include "docreader.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      annotations:
+        {{- if .Values.podAnnotations }}
+        {{- toYaml .Values.podAnnotations | nindent 8 }}
+        {{- end }}
+      labels: {{- include "docreader.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "docreader.serviceAccount" . }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
+      {{- with .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      restartPolicy: Never
+      containers:
+        - name: {{ include "docreader.migration" . }}
+          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - pipenv
+            - run
+            - python
+            - src/main.py
+            - migrate
+          env:
+            {{- include "docreader.envs" . | indent 10 }}
+            {{- if and (not .Values.postgresql.enabled) .Values.config.service.database.connectionStringSecretName }}
+            - name: SQL_CONNECTION_STRING
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "docreader.db.credentials.secret" . }}
+                  key: SQL_CONNECTION_STRING
+            {{- end }}
+          volumeMounts:
+            - name: docreader-config
+              mountPath: /app/config.yaml
+              subPath: config.yaml
+              readOnly: true
+      volumes:
+        - name: docreader-config
+          configMap:
+            name: {{ include "docreader.config.name" . }}
+{{- end }}