WIP

ICTU · Jun 18, 2024 · f30e679 · f30e679
1 parent 1ab0425
commit f30e679
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 44 deletions.
diff --git a/docs/src/deployment.md b/docs/src/deployment.md
@@ -40,6 +40,12 @@ For example:
       - "1080:${PROXY_PORT:-80}"
 ```
 
+## Kubernetes
+
+The helm chart for deploying on Kubernetes does not support overriding port numbers.
+Setting port environment variables in the `values.yaml` will not change the service port mapping, while the app within the pod will listen on the altered port.
+Instead, only the ingress should be configured.
+
 ## Configuring authentication (mandatory)
 
 You need to either configure an LDAP server to authenticate users with or configure forwarded authentication.
@@ -48,6 +54,7 @@ You need to either configure an LDAP server to authenticate users with or config
 
 To configure an LDAP server to authenticate users with, set the `LDAP_URL`, `LDAP_ROOT_DN`, `LDAP_LOOKUP_USER_DN`, `LDAP_LOOKUP_USER_PASSWORD`, and `LDAP_SEARCH_FILTER` environment variables.
 Note that `LDAP_URL` may be a comma-separated list of LDAP connection URL(s).
+
 Add the LDAP environment variables to the API-server service in the [compose file](https://github.com/ICTU/quality-time/blob/master/docker/docker-compose.yml):
 
 ```yaml
@@ -60,6 +67,18 @@ Add the LDAP environment variables to the API-server service in the [compose fil
       - LDAP_SEARCH_FILTER=(|(uid=$username)(cn=$username))
 ```
 
+Alternatively, for a Kubernetes deployment, add the LDAP environment variables to the API-server service in the [Helm values.yaml](https://github.com/ICTU/quality-time/blob/master/helm/values.yaml):
+
+```yaml
+api_server:
+  env:
+    LDAP_URL: "ldap://host.docker.internal:389"
+    LDAP_ROOT_DN: "dc=example,dc=org"
+    LDAP_LOOKUP_USER_DN: "cn=admin,dc=example,dc=org"
+    LDAP_LOOKUP_USER_PASSWORD: "admin"
+    LDAP_SEARCH_FILTER: "(|(uid=$$username)(cn=$$username))"
+```
+
 When using the `LDAP_SEARCH_FILTER` as shown above, users can use either their LDAP canonical name (`cn`) or their LDAP user id to login. The `$username` variable is filled by *Quality-time* at run time with the username that the user enters in the login dialog box.
 
 ```{seealso}

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 name: Quality-time
 version: 1.0.0
-appVersion: "v5.11.0"
+appVersion: "v5.13.0"
 description: Helm chart for Quality-time, an automated quality system for software development and maintenance
 type: application
 home: https://github.com/ICTU/Quality-time

diff --git a/helm/templates/api_server.yaml b/helm/templates/api_server.yaml
@@ -29,23 +29,29 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ .Release.Name }}-{{ template "api_server_name" . }}-env
-            - configMapRef:
-                name: {{ .Release.Name }}-shared-env
           env:
-            - name: DATABASE_URL
-              value: "mongodb://root:root@{{ .Release.Name }}-{{ template "database_name" . }}:27017"
-{{- if .Values.ldap }}
+            - name: DATABASE_HOST
+              value: "{{ .Release.Name }}-{{ template "database_name" . }}"
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "database_name" . }}-db-password-secret
+                  key: DATABASE_PASSWORD
+                  optional: true
             - name: LDAP_LOOKUP_USER_DN
-              value: "{{ .Values.ldap.lookupUserDN }}"
+              value: "{{ .Values.api_server.env.LDAP_LOOKUP_USER_DN }}"
             - name: LDAP_LOOKUP_USER_PASSWORD
-              value: "{{ .Values.ldap.lookupUserPassword }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "api_server_name" . }}-ldap-password-secret
+                  key: LDAP_LOOKUP_USER_PASSWORD
+                  optional: true
             - name: LDAP_ROOT_DN
-              value: "{{ .Values.ldap.rootDN }}"
+              value: "{{ .Values.api_server.env.LDAP_ROOT_DN }}"
             - name: LDAP_SEARCH_FILTER
-              value: "{{ .Values.ldap.search }}"
+              value: "{{ .Values.api_server.env.LDAP_SEARCH_FILTER }}"
             - name: LDAP_URL
-              value: "{{ .Values.ldap.url }}"
-{{- end }}
+              value: "{{ .Values.api_server.env.LDAP_URL }}"
           resources: {}
           securityContext:
             capabilities:

diff --git a/helm/templates/collector.yaml b/helm/templates/collector.yaml
@@ -30,8 +30,14 @@ spec:
             - configMapRef:
                 name: {{ .Release.Name }}-{{ template "collector_name" . }}-env
           env:
-            - name: DATABASE_URL
-              value: "mongodb://root:root@{{ .Release.Name }}-{{ template "database_name" . }}:27017"
+            - name: DATABASE_HOST
+              value: "{{ .Release.Name }}-{{ template "database_name" . }}"
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "database_name" . }}-db-password-secret
+                  key: DATABASE_PASSWORD
+                  optional: true
           resources: {}
           securityContext:
             capabilities:

diff --git a/helm/templates/database.yaml b/helm/templates/database.yaml
@@ -36,9 +36,11 @@ spec:
                 name: {{ .Release.Name }}-{{ template "database_name" . }}-env
           env:
             - name: MONGO_INITDB_ROOT_PASSWORD
-              value: "root"
-            - name: MONGO_INITDB_ROOT_USERNAME
-              value: "root"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "database_name" . }}-db-password-secret
+                  key: DATABASE_PASSWORD
+                  optional: true
           resources:
             limits:
               cpu: "2"

diff --git a/helm/templates/frontend.yaml b/helm/templates/frontend.yaml
@@ -29,8 +29,6 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ .Release.Name }}-{{ template "frontend_name" . }}-env
-            - configMapRef:
-                name: {{ .Release.Name }}-shared-env
           resources: {}
           securityContext:
             capabilities:

diff --git a/helm/templates/notifier.yaml b/helm/templates/notifier.yaml
@@ -30,8 +30,14 @@ spec:
             - configMapRef:
                 name: {{ .Release.Name }}-{{ template "notifier_name" . }}-env
           env:
-            - name: DATABASE_URL
-              value: "mongodb://root:root@{{ .Release.Name }}-{{ template "database_name" . }}:27017"
+            - name: DATABASE_HOST
+              value: "{{ .Release.Name }}-{{ template "database_name" . }}"
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "database_name" . }}-db-password-secret
+                  key: DATABASE_PASSWORD
+                  optional: true
           resources: {}
           securityContext:
             capabilities:

diff --git a/helm/templates/shared.yaml b/helm/templates/shared.yaml
diff --git a/helm/templates/www.yaml b/helm/templates/www.yaml
@@ -29,8 +29,6 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ .Release.Name }}-{{ template "www_name" . }}-env
-            - configMapRef:
-                name: {{ .Release.Name }}-shared-env
           env:
             - name: API_SERVER_HOST
               value: "{{ .Release.Name }}-{{ template "api_server_name" . }}"
@@ -43,6 +41,9 @@ spec:
             capabilities:
               add:
                 - CHOWN
+                - SETGID
+                - SETUID
+                - NET_BIND_SERVICE
               drop:
                 - ALL
       restartPolicy: Always
@@ -63,7 +64,7 @@ spec:
     app.kubernetes.io/component: {{ template "www_name" . }}
   ports:
     - protocol: TCP
-      port: 80
+      port: 8080
       targetPort: 80
   sessionAffinity: None
 ---
@@ -90,12 +91,14 @@ spec:
               service:
                 name: {{ .Release.Name }}-{{ template "www_name" . }}
                 port:
-                  number: 80
+                  number: 8080
             path: /
             pathType: ImplementationSpecific
+{{- if .Values.www.ingress.tls }}
   tls:
 {{ toYaml .Values.www.ingress.tls | indent 4 }}
 {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -2,6 +2,12 @@
 api_server:
   image:
     repository: "ictu/quality-time_api_server"
+  env:
+    LDAP_URL: "ldap://host.docker.internal:389"
+    LDAP_ROOT_DN: "dc=example,dc=org"
+    LDAP_LOOKUP_USER_DN: "cn=admin,dc=example,dc=org"
+    LDAP_LOOKUP_USER_PASSWORD: "admin"
+    LDAP_SEARCH_FILTER: "(|(uid=$$username)(cn=$$username))"
 
 collector:
   image:
@@ -23,12 +29,6 @@ renderer:
   image:
     repository: "ictu/quality-time_renderer"
 
-shared:
-  env:
-    API_SERVER_PORT: "5001"
-    FRONTEND_PORT: "5000"
-    PROXY_PORT: "80"
-
 www:
   image:
     repository: "ictu/quality-time_proxy"