feat!: Upgrade Helm to Mender Server v4.0

BREAKING CHANGE: See CHANGELOG.md Signed-off-by: Alf-Rune Siqveland <[email protected]>
mendersoftware · Sep 17, 2024 · 7ff27b7 · 7ff27b7
1 parent bced4ee
commit 7ff27b7
Show file tree

Hide file tree

Showing 16 changed files with 665 additions and 570 deletions.
diff --git a/mender/CHANGELOG.md b/mender/CHANGELOG.md
@@ -1,5 +1,50 @@
 # Mender Helm chart
 
+## Version 6.0.0
+BREAKING CHANGES:
+* New image defaults:
+  * All overrides in default values have been removed
+  * Registry default changed:
+    - `registry.mender.io` if `mender.enterprise`
+    - `docker.io` otherwise
+  * Repository default changed:
+    - `mender-server-enterprise` if `mender.enterprise`
+    - `mendersoftware` otherwise.
+  * Default tag updated to follow AppVersion in Chart.yaml
+  * `username`/`password` is removed to discourage bad security practices
+    * Use `imagePullSecrets` instead
+* Rename options:
+  * `global.image` -> `default.image`
+    * `global.image.imagePullPolicy` -> `default.image.pullPolicy`
+  * `global.mongodb` -> `default.mongodb`
+  * `global.nats` -> `default.nats`
+  * `global.redis` -> `default.redis`
+  * `global.storage` -> `storage.type`
+  * `global.s3` -> `storage.s3`
+  * `global.azure` -> `storage.azure`
+  * `global.url` -> `menderUrl`
+  * `global.smtp` -> `smtp`
+* Removed options:
+  - `global.image.username`
+  - `global.image.password`
+  - `global.auditlogs`: Replaced by `auditlogs.enabled`
+  - `global.hosted`
+  - `global.s3.AWS_TAG_ARTIFACT`
+  - `global.s3.AWS_SERVICE_ACCOUNT_NAME`: superseded by `mender.serviceAccount.name`
+  - `global.redis.username`: Replaced by URL (connection string)
+  - `global.redis.password`: Replaced by URL (connection string)
+  - `test.enabled`
+* MongoDB URL configuration
+  * Simplified values interface
+  * Added `mender.mongodb.existingSecretKey` to select an alternative key inside the secret for the connection string value.
+  * When using mongodb as a dependency, the connection string must be specified.
+* NATS URL configuration
+  * Same logic as for MongoDB
+* Redis URL configuration
+  * Same logic as for MongoDB
+  * Using the value from secret will use `REDIS_CONNECTION_STRING` key by default.
+* `automigrate` options are disabled by default
+
 ## Version 5.10.1
 * Fix invalid regexp in default storage proxy rule.
 

diff --git a/mender/Chart.yaml b/mender/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "3.7.7"
+appVersion: "v4.0.0"
 description: Mender is a robust and secure way to update all your software and deploy your IoT devices at scale with support for customization
 name: mender
 version: 5.10.1

diff --git a/mender/templates/_container.yaml b/mender/templates/_container.yaml
@@ -0,0 +1,77 @@
+{{- define "mender.container.resources" -}}
+{{- if .override.resources }}
+{{- .override.resources | toYaml }}
+{{- else if .dot.Values.default.resources }}
+{{- .dot.Values.default.resources | toYaml }}
+{{- end }}
+{{- end -}}
+
+{{- define "mender.container.securityContext" -}}
+{{- if .override.containerSecurityContext }}
+{{- /* NOTE: respect falsy override.containerSecurityContext.enabled */ -}}
+{{- if .override.containerSecurityContext.enabled }}
+{{- omit .override.containerSecurityContext "enabled" | toYaml }}
+{{- else }}
+{{- printf "{}" }}
+{{- end }}
+{{- else if and .dot.Values.default.containerSecurityContext
+                .dot.Values.default.containerSecurityContext.enabled }}
+{{- omit .dot.Values.default.containerSecurityContext "enabled" | toYaml }}
+{{- else }}
+{{- printf "{}" }}
+{{- end }}
+{{- end -}}
+
+{{- /* Synopsis
+    {{ include "mender.container" (dict
+        "dot" .
+        "component" "<serviceName>"
+        "override" .Values.<serviceName>
+        "readinessPath": "optional|/api/internal/v1/.component/health"
+        "livenessPath": "optional|/api/internal/v1/.component/alive")
+    }}
+    Bolierplate Mender service ContainerSpec
+*/ -}}
+{{- define "mender.container" -}}
+image: {{ include "mender.image" . }}
+imagePullPolicy: {{ include "mender.imagePullPolicy" . }}
+{{- if .args }}
+args: {{ splitList " " .args | toYaml | nindent 2 }}
+{{- else if and .override.automigrate }}
+args: ["server", "--automigrate"]
+{{- else }}
+args: ["server"]
+{{- end }}
+{{- if (not .migration) }}
+# Readiness/liveness probes
+readinessProbe:
+  httpGet:
+    path: {{ coalesce .readinessPath (printf "/api/internal/v1/%s/health" .component) }}
+    port: 8080
+  {{- coalesce .override.readinessProbe .dot.Values.default.readinessProbe |
+      toYaml |
+      nindent 2 }}
+livenessProbe:
+  httpGet:
+    path: {{ coalesce .livenessPath (printf "/api/internal/v1/%s/alive" .component) }}
+    port: 8080
+  {{- coalesce .override.livenessProbe .dot.Values.default.livenessProbe |
+      toYaml |
+      nindent 2 }}
+startupProbe:
+  httpGet:
+    path: {{ coalesce .livenessPath (printf "/api/internal/v1/%s/alive" .component) }}
+    port: 8080
+  {{- coalesce .override.startupProbe .dot.Values.default.startupProbe |
+      toYaml |
+      nindent 2 }}
+{{- end }}
+{{- if .resources }}
+resources: {{- nindent 2 .resources }}
+{{- else }}
+{{- with include "mender.container.resources" . }}
+resources: {{- nindent 2 . }}
+{{- end }}
+{{- end }}
+securityContext: {{ include "mender.container.securityContext" . }}
+{{- end -}}
diff --git a/mender/templates/_helpers.tpl b/mender/templates/_helpers.tpl
@@ -86,7 +86,7 @@ Redis connection string
 MongoDB URI
 */}}
 {{- define "mongodb_uri" }}
-  {{- if and .Values.mongodb.enabled ( not .Values.global.mongodb.URL ) }}
+  {{- if and .Values.mongodb.enabled }}
     {{- if and (eq .Values.mongodb.architecture "replicaset") .Values.mongodb.externalAccess.enabled (eq .Values.mongodb.externalAccess.service.type "ClusterIP") }}
       {{- if and .Values.mongodb.auth.enabled .Values.mongodb.auth.rootPassword }}
         {{- printf "mongodb://root:%s@%s-0" .Values.mongodb.auth.rootPassword ( include "mongodb.fullname" .Subcharts.mongodb ) | b64enc | quote -}}
@@ -113,6 +113,99 @@ MongoDB URI
   {{- end }}
 {{- end }}
 
+{{- define "mender.mongoUrl" -}}
+{{- if and .override.mongodb .override.mongodb.existingSecret -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .override.mongodb.existingSecret }}
+      key: "MONGO_URL"
+{{- else if and .override.mongodb .override.mongodb.URL -}}
+value: {{ quote .override.mongodb.URL }}
+{{- else if and .dot.Values.global
+                .dot.Values.global.mongodb
+                .dot.Values.global.mongodb.existingSecret -}}
+{{- /* NOTE: For backward compatibility */ -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .dot.Values.global.mongodb.existingSecret }}
+      key: "MONGO_URL"
+{{- else if and .dot.Values.global
+                .dot.Values.global.mongodb
+                .dot.Values.global.mongodb.URL -}}
+{{- /* NOTE: For backward compatibility */ -}}
+value: {{ quote .dot.Values.global.mongodb.URL }}
+{{- else if .dot.Values.default.mongodb.existingSecret -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .dot.Values.default.mongodb.existingSecret }}
+      key: "MONGO_URL"
+{{- else -}}
+value: {{ quote .dot.Values.default.mongodb.URL }}
+{{- end -}}
+{{- end -}}
+
+{{- define "mender.natsUrl" -}}
+{{- if and .override.nats .override.nats.existingSecret -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .override.nats.existingSecret }}
+      key: "REDIS_CONNECTION_STRING"
+{{- else if and .override.nats .override.nats.URL -}}
+value: {{ quote .override.nats.URL }}
+{{- else if and .dot.Values.global
+                .dot.Values.global.nats
+                .dot.Values.global.nats.existingSecret -}}
+{{- /* NOTE: For backward compatibility */ -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .dot.Values.global.nats.existingSecret }}
+      key: "REDIS_CONNECTION_STRING"
+{{- else if and .dot.Values.global
+                .dot.Values.global.nats
+                .dot.Values.global.nats.URL -}}
+{{- /* NOTE: For backward compatibility */ -}}
+value: {{ quote .dot.Values.global.nats.URL }}
+{{- else if .dot.Values.default.nats.existingSecret -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .dot.Values.default.nats.existingSecret }}
+      key: "REDIS_CONNECTION_STRING"
+{{- else -}}
+value: {{ quote .dot.Values.default.nats.URL }}
+{{- end -}}
+{{- end -}}
+
+{{- define "mender.redisUrl" -}}
+{{- if and .override.redis .override.redis.existingSecret -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .override.redis.existingSecret }}
+      key: "REDIS_CONNECTION_STRING"
+{{- else if and .override.redis .override.redis.URL -}}
+value: {{ quote .override.redis.URL }}
+{{- else if and .dot.Values.global
+                .dot.Values.global.redis
+                .dot.Values.global.redis.existingSecret -}}
+{{- /* NOTE: For backward compatibility */ -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .dot.Values.global.redis.existingSecret }}
+      key: "REDIS_CONNECTION_STRING"
+{{- else if and .dot.Values.global
+                .dot.Values.global.redis
+                .dot.Values.global.redis.URL -}}
+{{- /* NOTE: For backward compatibility */ -}}
+value: {{ quote .dot.Values.global.redis.URL }}
+{{- else if .dot.Values.default.redis.existingSecret -}}
+valueFrom:
+    secretKeyRef:
+      name: {{ .dot.Values.default.redis.existingSecret }}
+      key: "REDIS_CONNECTION_STRING"
+{{- else -}}
+value: {{ quote .dot.Values.default.redis.URL }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 nats_uri
 */}}
@@ -233,6 +326,85 @@ spec:
 {{- printf "%s-%s" ( include "mender.fullname" .dot ) .component }}
 {{- end }}
 
+{{/* Helper for "mender.image" */}}
+{{- define "mender.image.registry" }}
+{{- if and .override.image .override.image.registry }}
+{{- print .override.image.registry -}}
+{{- else if and .dot.Values.global .dot.Values.global.image .dot.Values.global.image.registry}}
+{{- print .dot.Values.global.image.registry -}}
+{{- else if and .dot.Values.default.image .dot.Values.default.image.registry}}
+{{- print .dot.Values.default.image.registry -}}
+{{- else if .dot.Values.enterprise }}
+{{- print "registry.mender.io" -}}
+{{- else }}
+{{- print "docker.io" -}}
+{{- end }}
+{{- end }}
+
+{{/* Helper for "mender.image" */}}
+{{- define "mender.image.repository" }}
+{{- if and .override.image .override.image.repository }}
+{{- print .override.image.repository -}}
+{{- else if and .dot.Values.global
+    .dot.Values.global.image
+    .dot.Values.global.image.repository }}
+{{- print .dot.Values.global.image.repository }}
+{{- else if and .dot.Values.default.image .dot.Values.default.image.repository}}
+{{- print .dot.Values.default.image.repository -}}
+{{- else if .dot.Values.enterprise }}
+{{- print "mender-server-enterprise" -}}
+{{- else }}
+{{- print "mendersoftware" -}}
+{{- end }}
+{{- end }}
+
+{{/* Helper for "mender.image" */}}
+{{- define "mender.image.tag" }}
+{{- if and .override.image .override.image.tag }}
+{{- print .override.image.tag -}}
+{{- else if and .dot.Values.global
+                .dot.Values.global.image
+                .dot.Values.global.image.tag }}
+{{- print .dot.Values.global.image.tag -}}
+{{- else if and .dot.Values.default.image .dot.Values.default.image.tag}}
+{{- print .dot.Values.default.image.tag -}}
+{{- else }}
+{{- print .dot.Chart.AppVersion -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Synopsis:
+image: {{ include "mender.image" (dict
+  "dot" .
+  "component" "<service>"
+  "override" .Values.<service> }}
+*/}}
+{{- define "mender.image" }}
+{{- printf "%s/%s/%s:%s"
+  (include "mender.image.registry" .)
+  (include "mender.image.repository" .)
+  .component
+  (include "mender.image.tag" .) }}
+{{- end }}
+
+{{/*
+Synopsis:
+imagePullPolicy: {{ include "mender.imagePullPolicy" (dict
+  "dot" .
+  "component" "<service>"
+  "override" .Values.<service> }}
+*/}}
+{{- define "mender.imagePullPolicy" }}
+{{- if and .override.image .override.image.pullPolicy }}
+{{ .override.image.pullPolicy }}
+{{- else if and .dot.Values.default.image .dot.Values.default.image.pullPolicy }}
+{{- .dot.Values.default.image.pullPolicy }}
+{{- else }}
+{{- "IfNotPresent" }}
+{{- end }}
+{{- end }}
+
 {{- define "mender.resources" -}}
 {{- $resources := dict }}
 {{- range . }}{{- if . }}

diff --git a/mender/templates/_podspec.yaml b/mender/templates/_podspec.yaml
@@ -0,0 +1,46 @@
+{{- define "mender.podSecurityContext" -}}
+{{- if .override.containerSecurityContext }}
+{{- /* NOTE: respect falsy override.containerSecurityContext.enabled */ -}}
+{{- if .override.containerSecurityContext.enabled }}
+{{- omit .override.containerSecurityContext "enabled" | toYaml }}
+{{- else }}
+{{- printf "{}" }}
+{{- end }}
+{{- else if and .dot.Values.default.containerSecurityContext
+                .dot.Values.default.containerSecurityContext.enabled }}
+{{- omit .dot.Values.default.containerSecurityContext "enabled" | toYaml }}
+{{- else }}
+{{- printf "{}" }}
+{{- end }}
+{{- end -}}
+
+{{- /* Synopsis:
+  {{ include "mender.podSpec" (dict
+    "dot" .
+    "component" "<serviceName>"
+    "override" .Values.<serviceName>
+  }}
+  Generates shared boilerplate PodSpec
+*/ -}}
+{{- define "mender.podSpec" -}}
+serviceAccountName: {{ include "mender.serviceAccountName" . }}
+{{- with (coalesce .override.affinity .dot.Values.default.affinity) }}
+affinity: {{ toYaml . | nindent 4 }}
+{{- end }}
+{{- with (coalesce .override.tolerations .dot.Values.default.tolerations) }}
+tolerations: {{ toYaml . | nindent 4 }}
+{{- end }}
+securityContext: {{ include "mender.podSecurityContext" . | nindent 2}}
+{{- with .restartPolicy }}
+restartPolicy: {{ quote . }}
+{{- end }}
+{{- with coalesce .override.imagePullSecrets .dot.Values.default.imagePullSecrets }}
+imagePullSecrets: {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with (coalesce .override.priorityClassName .dot.Values.default.PriorityClassName) }}
+priorityClassName: {{ quote . }}
+{{- end }}
+{{- with (coalesce .override.nodeSelector .dot.Values.default.nodeSelector) }}
+nodeSelector: {{ toYaml . | nindent 4 }}
+{{- end }}
+{{- end -}}