Merge pull request #22 from GemeenteUtrecht/open-notificaties-enhance…

…ments

Open-Notificaties Enhancements

charts/open-notificaties/Chart.yaml

@@ -3,7 +3,7 @@ name: open-notificaties
 description: API voor het routeren van notificaties
 
 type: application
-version: 0.5.0
+version: 0.6.0
 appVersion: "1.2.3"
 
 dependencies:

charts/open-notificaties/README.md

@@ -46,17 +46,20 @@ table below describes the supported versions
 | `image.repository` | The repository of the Docker image | `openzaak/open-notificaties` |
 | `image.tag` | The tag of the Docker image | `""` (uses `.Chart.AppVersion` by default) |
 | `replicaCount` | The number of replicas | `1` |
+| `podLabels` | Additional labels to be set on the open-notification API pods | `{}` |
 | `ingress.enabled` | Expose the application through an ingress | `false` |
 | `ingress.annotations` | Additional annotations on the API ingress | `{}` |
 | `ingress.hosts` | Ingress hosts | `"{open-notificaties.gemeente.nl}"` |
 | `ingress.tls` | Ingress TLS settings | `"[]"` |
+| `existingSecret` | Refer to an existing secret to avoid managing secrets through Helm. See templates/secret.yaml for required contents of your existing secret. This secret is also used for the Worker and Flower components. | `null` |
 | `settings.allowedHosts` | A comma-separated list of hosts allowed by the application | `"open-notificaties.gemeente.nl"` |
 | `settings.secretKey` | The secret key of the application | `"SOME-RANDOM-SECRET"` |
 | `settings.database.host` | The hostname of PostgreSQL | `"open-notificaties-postgresql"` |
 | `settings.database.port` | The port of PostgreSQL | `5432` |
 | `settings.database.username` | The username of PostgreSQL | `"postgres"` |
 | `settings.database.password` | The password of PostgreSQL | `"SUPER-SECRET"` |
 | `settings.database.name` | The database name of PostgreSQL | `"open-notificaties"` |
+| `settings.database.sslmode` | The SSL-mode used by the postgres client. See [docs](https://www.postgresql.org/docs/current/libpq-ssl.html) for more info | `"prefer"` |
 | `settings.cache.default` | The Redis cache for the default cache | `"open-notificaties-redis-master:6379/0"` |
 | `settings.cache.axes` | The Redis cache for the axes cache | `"open-notificaties-redis-master:6379/0"` |
 | `settings.email.host` | The hostname of the SMTP server | `"localhost"` |
@@ -69,11 +72,23 @@ table below describes the supported versions
 | `settings.celery.resultBackend` | The URL to the Celery result backend | `"redis://open-notificaties-redis-master:6379/1"` |
 | `settings.isHttps` | Used to construct absolute URLs and controls a variety of security settings | `true` |
 | `settings.debug` | Only set this to True on a local development environment. Various other security settings are derived from this setting | `false` |
+| `settings.flower.urlPrefix` | If enabled, deploy Flower on a non-root URL | `""` |
+| `settings.flower.basicAuth` | Secure Flower with [Basic Authentication](https://flower.readthedocs.io/en/latest/config.html#basic-auth). This is a comma-separated list of `username:password`. You should configure this when `flower.ingress.enabled` is set to true. | `""` |
+| `worker.podLabels` | Additional labels to be set on the open-notification worker pods | `{}` |
 | `postgresql.persistence.enabled` | Enable PostgreSQL persistency | `false` |
 | `postgresql.persistence.size` | Configure PostgreSQL size | `"1Gi"` |
 | `postgresql.persistence.existingClaim` | Use an existing persistent volume claim | `null` |
 | `postgresql.postgresqlDatabase` | The PostgreSQL database name | `"open-notificaties"` |
 | `postgresql.postgresqlPassword` | The PostgreSQL administrative password | `"SUPER-SECRET"` |
+| `flower.enabled` | Whether or not to deploy the [Flower](https://flower.readthedocs.io/en/latest/) component, which is a monitoring tool for Celery | `false` |
+| `flower.replicaCount` | The number of replicas for Celery Flower | `1` | 
+| `flower.podLabels` | Additional labels to be set for Celery Flower | `{}` | 
+| `flower.extraEnvVars` | Configure Flower through additional environment variables. For a full list of possibilities, see [Flower config docs](https://flower.readthedocs.io/en/latest/config.html) | `{}` | 
+| `flower.extraEnvVarsSecret` | Configure Flower through additional environment variables. This property should contain secrets like basic-auth. For a full list of possibilities, see [Flower config docs](https://flower.readthedocs.io/en/latest/config.html) | `{}` |
+| `flower.ingress.enabled` | Use a dedicated Ingress for Flower, which can act as a Management Ingress. When `Values.ingress.enabled` is set to true and this parameter to false, then Flower will be exposed on the main Ingress. | `false` | 
+| `flower.ingress.annotations` | Additional annotations on the Flower Ingress | `{}` |
+| `flower.ingress.hosts` | Flower Ingress hosts | `"{open-notificaties-flower.gemeente.nl}"` |
+| `flower.ingress.tls` | Flower Ingress TLS settings | `"[]"` |
 | `redis.usePassword` | Use a Redis password | `false` |
 | `redis.cluster.enabled` | Enable Redis cluster | `false` |
 | `redis.persistence.existingClaim` | Use existing persistent volume claim for Redis | `""` |

charts/open-notificaties/templates/_helpers.tpl

@@ -99,3 +99,35 @@ Worker selector labels
 app.kubernetes.io/name: {{ include "open-notificaties.workerName" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create a name for Flower
+We truncate at 56 chars in order to provide space for the "-flower" suffix
+*/}}
+{{- define "open-notificaties.flowerName" -}}
+{{ include "open-notificaties.name" . | trunc 56 | trimSuffix "-" }}-flower
+{{- end }}
+
+{{/*
+Create a default fully qualified name for Flower.
+We truncate at 56 chars in order to provide space for the "-flower" suffix
+*/}}
+{{- define "open-notificaties.flowerFullname" -}}
+{{ include "open-notificaties.fullname" . | trunc 56 | trimSuffix "-" }}-flower
+{{- end }}
+
+{{/*
+Flower labels
+*/}}
+{{- define "open-notificaties.flowerLabels" -}}
+{{ include "open-notificaties.commonLabels" . }}
+{{ include "open-notificaties.flowerSelectorLabels" . }}
+{{- end }}
+
+{{/*
+Flower selector labels
+*/}}
+{{- define "open-notificaties.flowerSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "open-notificaties.flowerName" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/open-notificaties/templates/configmap.yaml

@@ -12,6 +12,7 @@ data:
  DB_HOST: {{ .Values.settings.database.host | toString | quote }}
  DB_PORT: {{ .Values.settings.database.port | toString | quote }}
  DB_USER: {{ .Values.settings.database.username | toString | quote }}
+ PGSSLMODE: {{ .Values.settings.database.sslmode | toString | quote }}
  DEBUG: {{ if .Values.settings.debug }}"True"{{ else }}"False"{{ end }}
  EMAIL_HOST: {{ .Values.settings.email.host | toString | quote }}
  {{- if .Values.settings.email.username }}
@@ -21,4 +22,12 @@ data:
  EMAIL_USE_TLS: "True"
  {{- end }}
  IS_HTTPS: {{ if .Values.settings.isHttps }}"True"{{ else }}"False"{{ end }}
- RABBITMQ_HOST: {{ .Values.settings.messageBroker.host }}
+ RABBITMQ_HOST: {{ .Values.settings.messageBroker.host }}
+ {{- if .Values.settings.flower.urlPrefix }}
+ FLOWER_URL_PREFIX: {{ .Values.settings.flower.urlPrefix }}
+ {{- end }}
+ {{- if .Values.flower.enabled }}
+ {{- range $index, $index_value := .Values.flower.extraEnvVars }}
+ {{ $index }}: {{ $index_value | toString | quote }}
+ {{- end }}
+ {{- end }}

charts/open-notificaties/templates/deployment.yaml

@@ -21,6 +21,9 @@ spec:
  {{- end }}
  labels:
  {{- include "open-notificaties.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
  spec:
  {{- with .Values.imagePullSecrets }}
  imagePullSecrets:
@@ -37,7 +40,7 @@ spec:
  imagePullPolicy: {{ .Values.image.pullPolicy }}
  envFrom:
  - secretRef:
- name: {{ include "open-notificaties.fullname" . }}
+ name: {{ .Values.existingSecret | default (include "open-notificaties.fullname" .) }}
  - configMapRef:
  name: {{ include "open-notificaties.fullname" . }}
  ports:
@@ -98,6 +101,9 @@ spec:
  {{- end }}
  labels:
  {{- include "open-notificaties.workerSelectorLabels" . | nindent 8 }}
+ {{- with .Values.worker.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
  spec:
  {{- with .Values.imagePullSecrets }}
  imagePullSecrets:
@@ -114,7 +120,7 @@ spec:
  imagePullPolicy: {{ .Values.image.pullPolicy }}
  envFrom:
  - secretRef:
- name: {{ include "open-notificaties.fullname" . }}
+ name: {{ .Values.existingSecret | default (include "open-notificaties.fullname" .) }}
  - configMapRef:
  name: {{ include "open-notificaties.fullname" . }}
  resources:
@@ -133,5 +139,77 @@ spec:
  tolerations:
  {{- toYaml . | nindent 8 }}
  {{- end }}
-
-
+---
+{{- if .Values.flower.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "open-notificaties.flowerFullname" . }}
+ labels:
+ {{- include "open-notificaties.flowerLabels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.flower.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "open-notificaties.flowerSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "open-notificaties.flowerSelectorLabels" . | nindent 8 }}
+ {{- with .Values.flower.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "open-notificaties.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}-flower
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ envFrom:
+ - secretRef:
+ name: {{ .Values.existingSecret | default (include "open-notificaties.fullname" .) }}
+ - configMapRef:
+ name: {{ include "open-notificaties.fullname" . }}
+ ports:
+ - name: http
+ containerPort: 5555
+ protocol: TCP
+ livenessProbe:
+ tcpSocket:
+ port: 5555
+ {{- toYaml .Values.flower.livenessProbe | nindent 12 }}
+ readinessProbe:
+ tcpSocket:
+ port: 5555
+ {{- toYaml .Values.flower.readinessProbe | nindent 12 }}
+ resources:
+ {{- toYaml .Values.flower.resources | nindent 12 }}
+ command:
+ - /celery_flower.sh
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}

charts/open-notificaties/templates/ingress.yaml

@@ -1,6 +1,11 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "open-notificaties.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
+{{- $flowerEnabled := .Values.flower.enabled }}
+{{- $flowerIngressEnabled := .Values.flower.ingress.enabled }}
+{{- $flowerFullName := include "open-notificaties.flowerFullname" . -}}
+{{- $flowerSvcPort := .Values.flower.service.port -}}
+{{- $flowerUrlPrefix := .Values.settings.flower.urlPrefix -}}
 {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
@@ -35,5 +40,53 @@ spec:
  backend:
  serviceName: {{ $fullName }}
  servicePort: {{ $svcPort }}
+ {{- if and ($flowerEnabled) (not $flowerIngressEnabled) }}
+ - path: /{{ $flowerUrlPrefix }}
+ backend:
+ serviceName: {{ $flowerFullName }}
+ servicePort: {{ $flowerSvcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+---
+{{- if .Values.flower.ingress.enabled -}}
+{{- $fullName := include "open-notificaties.flowerFullname" . -}}
+{{- $svcPort := .Values.flower.service.port -}}
+{{- $flowerUrlPrefix := .Values.settings.flower.urlPrefix -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "open-notificaties.labels" . | nindent 4 }}
+ {{- with .Values.flower.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.flower.ingress.tls }}
+ tls:
+ {{- range .Values.flower.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.flower.ingress.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ - path: /{{ $flowerUrlPrefix }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
  {{- end }}
  {{- end }}

charts/open-notificaties/templates/secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,3 +19,10 @@ data:
  {{- if .Values.settings.sentry.dsn }}
  SENTRY_DSN: {{ .Values.settings.sentry.dsn | toString | b64enc | quote }}
  {{- end }}
+ {{- if .Values.flower.enabled }}
+ FLOWER_BASIC_AUTH: {{ .Values.settings.flower.basicAuth | toString | b64enc | quote }}
+ {{- range $index, $index_value := .Values.flower.extraEnvVarsSecret }}
+ {{ $index }}: {{ $index_value | toString | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}

charts/open-notificaties/templates/service.yaml

@@ -13,3 +13,21 @@ spec:
  name: http
  selector:
  {{- include "open-notificaties.selectorLabels" . | nindent 4 }}
+---
+{{- if .Values.flower.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "open-notificaties.flowerFullname" . }}
+ labels:
+ {{- include "open-notificaties.flowerLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.flower.service.type }}
+ ports:
+ - port: {{ .Values.flower.service.port }}
+ targetPort: 5555
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "open-notificaties.flowerSelectorLabels" . | nindent 4 }}
+{{- end }}