diff --git a/README.md b/README.md index 23f1907..e5f2dd6 100644 --- a/README.md +++ b/README.md 
@@ -29,54 +29,62 @@ helm install my-pbuf-registry pbuf/pbuf-registry ## Configuration The following table lists the configurable parameters of the `pbuf-registry` chart and their default values. -| Parameter | Description | Default | -|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| `replicaCount` | Number of replicas | `2` | -| `image.repository` | The image repository to pull from | `ghcr.io/pbufio/registry` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.tag` | Overrides the image tag whose default is the chart `appVersion`. | `""` | -| `imagePullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `nameOverride` | Override the app name | `""` | -| `fullnameOverride` | Override the fullname of the chart | `""` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.automount` | Automatically mount a ServiceAccount's API credentials? | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | `""` | -| `podAnnotations` | Annotations to add to the pod | `{}` | -| `podLabels` | Labels to add to the pod | `{}` | -| `podSecurityContext` | Security context for the pod | `{}` | -| `securityContext` | Security context for the container | `{}` | -| `service.type` | Type of service to create | `ClusterIP` | -| `service.http.port` | Service HTTP port | `8080` | -| `service.http.auth.enabled` | Service HTTP authentication enabled | `false` | -| `service.http.auth.type` | Service HTTP authentication type ("", static-token) | `""` | -| `service.grpc.port` | Service GRPC port | `6777` | -| `service.grpc.tls.enabled` | Service GRPC TLS enabled | `false` | -| `service.grpc.auth.enabled` | Service GRPC authentication enabled | `false` | -| `service.grpc.auth.type` | Service GRPC authentication type ("", static-token) | `""` | -| `service.debug.port` | Service debug port | `8082` | -| `secrets.create` | Specifies whether to create a secret | `true` | -| `secrets.databaseDSN` | The DSN for the database | `""` | -| `secrets.staticToken` | Static Token for `static-token` auth type | `""` | -| `secrets.grpcTlsCert` | TLS certificate for GRPC transport | `""` | -| `secrets.grpcTlsKey` | TLS private key for GRPC transport | `""` | -| `secrets.eso.create` | Specifies whether to create resources for external secrets operator | `false` | -| `secrets.eso.secretStoreRefName` | The name reference to the secret store for ESO | `""` | -| `secrets.eso.remoteRefKey` | The key reference in the remote store for ESO | `""` | -| `secrets.eso.databaseDSNProperty` | The property name for the DSN in the ESO | `""` | -| `secrets.eso.serverStaticTokenProperty` | The property name for the static token | `""` | -| `secrets.eso.serverGrpcTlsCertFileProperty` | The property name for the TLS certificate | `""` | -| `secrets.eso.serverGrpcTlsKeyFileProperty` | The property name for the TLS private key | `""` | -| 
`ingress.enabled` | Enable ingress controller resource | `false` | -| `ingress.className` | Ingress class name | `""` | -| `ingress.annotations` | Ingress annotations | `{}` | -| `ingress.hosts` | Ingress accepted hostnames | `[{"host": "chart-example.local", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]}]` | -| `ingress.tls` | Ingress TLS settings | `[]` | -| `resources` | CPU/Memory resource requests/limits | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `affinity` | Map of node/pod affinities | `{}` | -| `customSidecarContainers` | List of custom sidecar containers | `[]` | +| Parameter | Description | Default | +|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| `replicaCount` | Number of replicas | `2` | +| `image.repository` | The image repository to pull from | `ghcr.io/pbufio/registry` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.tag` | Overrides the image tag whose default is the chart `appVersion`. | `""` | +| `imagePullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `nameOverride` | Override the app name | `""` | +| `fullnameOverride` | Override the fullname of the chart | `""` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.automount` | Automatically mount a ServiceAccount's API credentials? | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | `""` | +| `podAnnotations` | Annotations to add to the pod | `{}` | +| `podLabels` | Labels to add to the pod | `{}` | +| `podSecurityContext` | Security context for the pod | `{}` | +| `securityContext` | Security context for the container | `{}` | +| `service.type` | Type of service to create | `ClusterIP` | +| `service.http.port` | Service HTTP port | `8080` | +| `service.http.auth.enabled` | Service HTTP authentication enabled | `false` | +| `service.http.auth.type` | Service HTTP authentication type ("", static-token) | `""` | +| `service.grpc.port` | Service GRPC port | `6777` | +| `service.grpc.tls.enabled` | Service GRPC TLS enabled | `false` | +| `service.grpc.auth.enabled` | Service GRPC authentication enabled | `false` | +| `service.grpc.auth.type` | Service GRPC authentication type ("", static-token) | `""` | +| `service.debug.port` | Service debug port | `8082` | +| `secrets.create` | Specifies whether to create a secret | `true` | +| `secrets.databaseDSN` | The DSN for the database | `""` | +| `secrets.staticToken` | Static Token for `static-token` auth type | `""` | +| `secrets.grpcTlsCert` | TLS certificate for GRPC transport | `""` | +| `secrets.grpcTlsKey` | TLS private key for GRPC transport | `""` | +| `secrets.eso.create` | Specifies whether to create resources for external secrets operator | `false` | +| `secrets.eso.secretStoreRefName` | The name reference to the secret store for ESO | `""` | +| `secrets.eso.remoteRefKey` | The key reference in the remote store for ESO | `""` | +| `secrets.eso.databaseDSNProperty` | The property name for the DSN in the ESO | `""` | +| `secrets.eso.serverStaticTokenProperty` | The property name for the static token | `""` | +| `secrets.eso.serverGrpcTlsCertFileProperty` | The property name for the TLS certificate | `""` | +| `secrets.eso.serverGrpcTlsKeyFileProperty` | The property name for the TLS private key | `""` | +| 
`ingress.enabled` | Enable ingress controller resource | `false` | +| `ingress.className` | Ingress class name | `""` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `[{"host": "chart-example.local", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]}]` | +| `ingress.tls` | Ingress TLS settings | `[]` | +| `resources` | CPU/Memory resource requests/limits | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `affinity` | Map of node/pod affinities | `{}` | +| `customSidecarContainers` | List of custom sidecar containers | `[]` | +| `background.compaction.enabled` | Enable background compaction | `true` | +| `background.compaction.resources` | CPU/Memory resource requests/limits for background compaction | `{}` | +| `background.compaction.command` | Command to run for background compaction | `/app/pbuf-registry` | +| `background.compaction.args` | Arguments to pass to the background compaction command | `["compaction"]` | +| `background.protoparser.enabled` | Enable background proto parsing | `true` | +| `background.protoparser.resources` | CPU/Memory resource requests/limits for background proto parsing | `{}` | +| `background.protoparser.command` | Command to run for background proto parsing | `/app/pbuf-registry` | +| `background.protoparser.args` | Arguments to pass to the background proto parsing command | `["proto-parsing"]` | ## Uninstalling the Chart To uninstall/delete the my-pbuf-registry deployment: diff --git a/pbuf-registry/Chart.yaml b/pbuf-registry/Chart.yaml index be50085..bb85578 100644 --- a/pbuf-registry/Chart.yaml +++ b/pbuf-registry/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: pbuf-registry description: A Helm chart for PBUF Registry type: application -version: 0.3.0 -appVersion: "v0.3.0" +version: 0.4.0-rc.1 +appVersion: "v0.4.0-rc.1" maintainers: - name: aatarasoff 
diff --git a/pbuf-registry/templates/_helpers.tpl b/pbuf-registry/templates/_helpers.tpl index 829ea20..27a9b22 100644 --- a/pbuf-registry/templates/_helpers.tpl +++ b/pbuf-registry/templates/_helpers.tpl @@ -60,3 +60,48 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + + +{{/* +Environment variables helper +*/}} +{{- define "pbuf-registry.env" -}} +- name: DATA_DATABASE_DSN + valueFrom: + secretKeyRef: + name: {{ include "pbuf-registry.fullname" . }} + key: DATA_DATABASE_DSN +- name: SERVER_STATIC_TOKEN + valueFrom: + secretKeyRef: + name: {{ include "pbuf-registry.fullname" . }} + key: SERVER_STATIC_TOKEN +- name: SERVER_GRPC_TLS_ENABLED + value: "{{ .Values.service.grpc.tls.enabled }}" +- name: SERVER_GRPC_TLS_CERTFILE + value: /app/certs/server-cert.pem +- name: SERVER_GRPC_TLS_KEYFILE + value: /app/certs/server-key.pem +- name: SERVER_GRPC_AUTH_ENABLED + value: "{{ .Values.service.grpc.auth.enabled }}" +- name: SERVER_GRPC_AUTH_TYPE + value: "{{ .Values.service.grpc.auth.type }}" +- name: SERVER_HTTP_AUTH_ENABLED + value: "{{ .Values.service.http.auth.enabled }}" +- name: SERVER_HTTP_AUTH_TYPE + value: "{{ .Values.service.http.auth.type }}" +{{- end }} + +{{/* +Volume mounts +*/}} +{{- define "pbuf-registry.volumeMounts" -}} +- mountPath: /app/certs/server-cert.pem + name: secret + readOnly: true + subPath: server-cert.pem +- mountPath: /app/certs/server-key.pem + name: secret + readOnly: true + subPath: server-key.pem +{{- end }} \ No newline at end of file diff --git a/pbuf-registry/templates/background.yaml b/pbuf-registry/templates/background.yaml new file mode 100644 index 0000000..4d247dc --- /dev/null +++ b/pbuf-registry/templates/background.yaml 
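Review bot: `pbuf-registry.env` and `pbuf-registry.volumeMounts` in templates/_helpers.tpl hand out `SERVER_STATIC_TOKEN` and the gRPC TLS key mount together with the database DSN, and templates/background.yaml includes both for every background Deployment. Whether the compaction and proto-parsing workers serve gRPC or HTTP is not visible in this diff; if they only need the database, they should not hold the API token or the server private key. A database-only helper that the workers include, and that `pbuf-registry.env` reuses, would keep the main deployment's environment the same while narrowing what the workers receive. Both helpers read `.Values` and call `pbuf-registry.fullname`, so their doc comments should also say they must be called with the root context.

```yaml
{{/*
Database-only environment variables (for background workers)
*/}}
{{- define "pbuf-registry.env.database" -}}
- name: DATA_DATABASE_DSN
  # … unchanged: secretKeyRef for DATA_DATABASE_DSN …
{{- end }}

{{- define "pbuf-registry.env" -}}
{{ include "pbuf-registry.env.database" . }}
- name: SERVER_STATIC_TOKEN
  # … unchanged: remaining SERVER_* variables …
{{- end }}
```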
@@ -0,0 +1,93 @@
+# Create background deployments helm template with 1 replica
+{{- range $name, $spec := $.Values.background }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "pbuf-registry.fullname" $ }}-{{ $name }}
+ labels:
+ helm.sh/chart: {{ include "pbuf-registry.chart" $ }}
+ {{- if $.Chart.AppVersion }}
+ app.kubernetes.io/version: {{ $.Chart.AppVersion | quote }}
+ {{- end }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service }}
+ app.kubernetes.io/name: {{ include "pbuf-registry.name" $ }}-{{ $name }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "pbuf-registry.name" $ }}-{{ $name }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ template:
+ metadata:
+ {{- with $.Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ helm.sh/chart: {{ include "pbuf-registry.chart" $ }}
+ {{- if $.Chart.AppVersion }}
+ app.kubernetes.io/version: {{ $.Chart.AppVersion | quote }}
+ {{- end }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service }}
+ app.kubernetes.io/name: {{ include "pbuf-registry.name" $ }}-{{ $name }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- with $.Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ date: "{{ now | unixEpoch }}"
+ spec:
+ {{- with $.Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "pbuf-registry.serviceAccountName" $ }}
+ securityContext:
+ {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ $.Chart.Name }}
+ securityContext:
+ {{- toYaml $.Values.securityContext | nindent 12 }}
+ image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}"
+ imagePullPolicy: {{ $.Values.image.pullPolicy }}
+ command: {{ $spec.command }}
+ args: {{ $spec.args }}
+ env:
+ {{- include "pbuf-registry.env" $ | nindent 12 }}
+ ports:
+ - name: debug
+ containerPort: 8082
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: debug
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: debug
+ resources:
+ {{- toYaml $spec.resources | nindent 12 }}
+ volumeMounts:
+ {{- include "pbuf-registry.volumeMounts" $ | nindent 12 }}
+ {{- with $.Values.customSidecarContainers }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $.Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $.Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $.Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: secret
+ secret:
+ secretName: {{ include "pbuf-registry.fullname" $ }}
+ {{- end }}
\ No newline at end of file
diff --git a/pbuf-registry/templates/deployment.yaml b/pbuf-registry/templates/deployment.yaml
index 4d10394..4fd93e2 100644
--- a/pbuf-registry/templates/deployment.yaml
+++ b/pbuf-registry/templates/deployment.yaml
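Review bot: In templates/background.yaml the `range` over `$.Values.background` never reads `$spec.enabled`, so setting `background.compaction.enabled: false` (documented in the README) still renders the Deployment; wrap the loop body in `{{- if $spec.enabled }}` … `{{- end }}`. `command: {{ $spec.command }}` renders the scalar default `/app/pbuf-registry` as a string where a container `command` must be a list, and `args: {{ $spec.args }}` prints the list in Go's default format, which collapses two or more arguments into one element. `command: [{{ $spec.command | quote }}]` and `args: {{ toJson $spec.args }}` render both as proper lists. The pod-template label `date: "{{ now | unixEpoch }}"` also changes on every render, so these workers restart on each upgrade; if that is intended it deserves a comment.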
@@ -41,30 +41,7 @@ spec: - -c - /app/pbuf-migrations && /app/pbuf-registry env: - - name: DATA_DATABASE_DSN - valueFrom: - secretKeyRef: - name: {{ include "pbuf-registry.fullname" . }} - key: DATA_DATABASE_DSN - - name: SERVER_STATIC_TOKEN - valueFrom: - secretKeyRef: - name: {{ include "pbuf-registry.fullname" . }} - key: SERVER_STATIC_TOKEN - - name: SERVER_GRPC_TLS_ENABLED - value: "{{ .Values.service.grpc.tls.enabled }}" - - name: SERVER_GRPC_TLS_CERTFILE - value: /app/certs/server-cert.pem - - name: SERVER_GRPC_TLS_KEYFILE - value: /app/certs/server-key.pem - - name: SERVER_GRPC_AUTH_ENABLED - value: "{{ .Values.service.grpc.auth.enabled }}" - - name: SERVER_GRPC_AUTH_TYPE - value: "{{ .Values.service.grpc.auth.type }}" - - name: SERVER_HTTP_AUTH_ENABLED - value: "{{ .Values.service.http.auth.enabled }}" - - name: SERVER_HTTP_AUTH_TYPE - value: "{{ .Values.service.http.auth.type }}" + {{- include "pbuf-registry.env" . | nindent 12 }} ports: - name: http containerPort: 8080 @@ -86,14 +63,7 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: - - mountPath: /app/certs/server-cert.pem - name: secret - readOnly: true - subPath: server-cert.pem - - mountPath: /app/certs/server-key.pem - name: secret - readOnly: true - subPath: server-key.pem + {{- include "pbuf-registry.volumeMounts" . | nindent 12 }} {{- with .Values.customSidecarContainers }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/pbuf-registry/values.yaml b/pbuf-registry/values.yaml index 509a2a1..0787732 100644 --- a/pbuf-registry/values.yaml +++ b/pbuf-registry/values.yaml 
@@ -100,3 +100,29 @@ tolerations: [] affinity: {} customSidecarContainers: [] + +background: + compaction: + enabled: true + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + command: /app/pbuf-registry + args: + - compaction + protoparser: + enabled: true + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + command: /app/pbuf-registry + args: + - proto-parsing
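Review bot: The new `background` block in values.yaml has no comment saying that every key under it is rendered as its own single-replica Deployment, which follows from templates/background.yaml ranging over the whole map. As written, a reader cannot tell that adding a key adds a workload that shares the chart's service account and secret. I would add above `background:` a comment such as `# Each entry renders a Deployment named <fullname>-<key> (1 replica) using the main image, service account and secret.` Both workers default to `enabled: true` with `resources: {}`, so the comment should also state that no limits apply unless the operator sets them.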