feat(dso-console): add new backend service that will replace server

Mostly based on current `server`. Since one is purposed to replace the
other, we want to be able to use the same overall configuration for
both.

Author: StephaneTrebel

charts/dso-console/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: cpn-console
 description: A Helm chart to deploy Cloud Pi Native Console
 type: application
-version: 2.2.19
+version: 2.3.0
 appVersion: 9.13.2
 keywords: []
 home: https://cloud-pi-native.fr
@@ -26,6 +26,9 @@ dependencies:
 deprecated: false
 annotations: {}
 maintainers:
-  - name: this-is-tobi
-    email: thibault.colin@interieur.gouv.fr
-    url: https://this-is-tobi.com
+  - name: omiladi
+    email: cloudpinative-relations@interieur.gouv.fr
+    url: https://www.interieur.gouv.fr/
+  - name: KepoParis
+    email: cloudpinative-relations@interieur.gouv.fr
+    url: https://www.interieur.gouv.fr/

charts/dso-console/README.md

@@ -25,6 +25,13 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{- define "cpnConsole.backend.serviceAccountName" -}}
+{{- if .Values.backend.serviceAccount.create }}
+{{- default (include "cpnConsole.name" .) .Values.backend.serviceAccount.name }}
+{{- else }}
+{{- default "cpn-backend" .Values.backend.serviceAccount.name }}
+{{- end }}
+{{- end }}
 
 {{/*
 Create image pull secret
@@ -121,6 +128,11 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 
+{{- define "cpnConsole.backend.labels" -}}
+{{ include "cpnConsole.common.labels" . }}
+{{ include "cpnConsole.backend.selectorLabels" . }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -133,3 +145,8 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/name: {{ include "cpnConsole.name" . }}-server
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{- define "cpnConsole.backend.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cpnConsole.name" . }}-backend
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/dso-console/templates/_helpers.tpl

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-backend
+  labels: {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  - user.openshift.io
+  - rbac.authorization.k8s.io
+  - argoproj.io
+  {{- if .Values.features.vaultSecrets.enabled }}
+  - secrets.hashicorp.com
+  {{- end }}
+  resources:
+  - '*'
+  verbs:
+  - '*'

charts/dso-console/templates/backend/clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-backend
+  labels: {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cpnConsole.fullname" . }}-backend
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cpnConsole.backend.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}

charts/dso-console/templates/backend/clusterrolebinding.yaml

@@ -0,0 +1,27 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-backend
+  labels: {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+data:
+  SERVER_PORT: {{ .Values.backend.container.port | quote }}
+  KEYCLOAK_PROTOCOL: {{ .Values.global.keycloak.protocol.backend }}
+  KEYCLOAK_DOMAIN: {{ .Values.global.keycloak.domain.backend }}
+  KEYCLOAK_REALM: {{ .Values.global.keycloak.realm }}
+  KEYCLOAK_REDIRECT_URI: {{ .Values.global.keycloak.redirectUri }}
+  KEYCLOAK_CLIENT_ID: {{ .Values.global.keycloak.clientIds.backend }}
+  {{- if .Values.backend.extraCa.name }}
+  NODE_EXTRA_CA_CERTS: {{ printf "%s/%s" "/config" .Values.backend.extraCa.mountSubPath }}
+  {{- end }}
+  {{- if .Values.backend.disabledPlugins -}}
+  DISABLED_PLUGINS: {{ .Values.backend.disabledPlugins }}
+  {{- end }}
+  {{- if .Values.global.env -}}
+  {{- include "cpnConsole.env" .Values.global | indent 2 }}
+  {{- end -}}
+  {{- if .Values.backend.env -}}
+  {{- include "cpnConsole.env" .Values.backend | indent 2 }}
+  {{- end -}}
+  {{- if not .Values.features.vaultSecrets.enabled }}
+  VAULT__DISABLE_VAULT_SECRETS: "true"
+  {{- end }}

charts/dso-console/templates/backend/configmap.yaml

@@ -0,0 +1,211 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-backend
+  labels:
+    {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.backend.autoscaling.enabled }}
+  replicas: {{ .Values.backend.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "cpnConsole.backend.selectorLabels" . | nindent 6 }}
+  strategy:
+    type: {{ .Values.backend.strategy.type }}
+  template:
+    metadata:
+      annotations:
+        {{- include "checksum" (list $ "/backend/configmap.yaml") | nindent 8 }}
+        {{- include "checksum" (list $ "/backend/secret.yaml") | nindent 8 }}
+        {{- include "checksum" (list $ "/backend/scripts.yaml") | nindent 8 }}
+        {{- if .Values.config.create }}
+        {{- include "checksum" (list $ "/config.yaml") | nindent 8 }}
+        {{- end }}
+        {{- with .Values.backend.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "cpnConsole.backend.selectorLabels" . | nindent 8 }}
+        {{- with .Values.backend.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if and .Values.imageCredentials.username .Values.imageCredentials.password }}
+      imagePullSecrets:
+      - name: {{ include "cpnConsole.name" . }}-pullsecret
+      {{- end }}
+      serviceAccountName: {{ include "cpnConsole.backend.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.backend.podSecurityContext | nindent 8 }}
+      {{- if or .Values.backend.plugins .Values.backend.initContainers }}
+      initContainers:
+      {{- if and .Values.backend.plugins (len .Values.backend.plugins) }}
+      - image: {{ .Values.backend.fetchContainer.image }}
+        name: fetch-plugins
+        imagePullPolicy: {{ .Values.backend.fetchContainer.pullPolicy }}
+        {{- if .Values.backend.proxy.enabled }}
+        env:
+          {{- toYaml .Values.backend.proxy.env | nindent 8 }}
+        {{- end }}
+        envFrom:
+        - configMapRef:
+            name: {{ include "cpnConsole.fullname" . }}-backend
+        - secretRef:
+            name: {{ include "cpnConsole.fullname" . }}-backend
+        {{- if .Values.backend.envFrom }}
+          {{- toYaml .Values.backend.envFrom | nindent 8 }}
+        {{- end }}
+        command:
+        - sh
+        - /script/fetch
+        volumeMounts:
+        - name: fetch-script
+          mountPath: /script
+        - name: plugins
+          mountPath: /plugins
+      {{- end }}
+      {{- if .Values.backend.initContainers }}
+        {{- tpl (toYaml .Values.backend.initContainers) . | nindent 8 }}
+      {{- end }}
+      {{- end }}
+      containers:
+      - name: backend
+        securityContext:
+          {{- toYaml .Values.backend.container.securityContext | nindent 12 }}
+        image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
+        {{- if .Values.backend.container.command }}
+        command:
+        {{- range .Values.backend.container.command }}
+        - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.backend.container.args }}
+        args:
+        {{- range .Values.backend.container.args }}
+        - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        ports:
+          - containerPort: {{ .Values.backend.service.port }}
+            protocol: TCP
+        envFrom:
+        - configMapRef:
+            name: {{ include "cpnConsole.fullname" . }}-backend
+        - secretRef:
+            name: {{ include "cpnConsole.fullname" . }}-backend
+        {{- if .Values.backend.envFrom }}
+          {{- toYaml .Values.backend.envFrom | nindent 8 }}
+        {{- end }}
+        {{- if .Values.backend.startupProbe.enabled }}
+        {{- if .Values.global.postgresql.cnpgSecretName }}
+        env:
+        - name: DB_URL
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.global.postgresql.cnpgSecretName }}
+              key: uri
+        {{- end }}
+        startupProbe:
+          httpGet:
+            path: {{ .Values.backend.healthcheckPath }}
+            port: {{ .Values.backend.container.port }}
+          initialDelaySeconds: {{ .Values.backend.startupProbe.initialDelaySeconds }}
+          successThreshold: {{ .Values.backend.startupProbe.successThreshold }}
+          failureThreshold: {{ .Values.backend.startupProbe.failureThreshold }}
+          periodSeconds: {{ .Values.backend.startupProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.backend.startupProbe.timeoutSeconds }}
+        {{- end }}
+        {{- if .Values.backend.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: {{ .Values.backend.healthcheckPath }}
+            port: {{ .Values.backend.container.port }}
+          initialDelaySeconds: {{ .Values.backend.readinessProbe.initialDelaySeconds }}
+          successThreshold: {{ .Values.backend.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.backend.readinessProbe.failureThreshold }}
+          periodSeconds: {{ .Values.backend.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.backend.readinessProbe.timeoutSeconds }}
+        {{- end }}
+        {{- if .Values.backend.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: {{ .Values.backend.healthcheckPath }}
+            port: {{ .Values.backend.container.port }}
+          initialDelaySeconds: {{ .Values.backend.livenessProbe.initialDelaySeconds }}
+          successThreshold: {{ .Values.backend.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.backend.livenessProbe.failureThreshold }}
+          periodSeconds: {{ .Values.backend.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.backend.livenessProbe.timeoutSeconds }}
+        {{- end }}
+        {{- if .Values.backend.hostAliases }}
+        hostAliases:
+          {{- toYaml .Values.backend.hostAliases | nindent 8 }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.backend.resources | nindent 10 }}
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        {{- if .Values.backend.dbDataCm }}
+        - name: imports
+          mountPath: /app/dist/init/db/imports
+        {{- end }}
+        {{- if and .Values.backend.plugins (len .Values.backend.plugins) }}
+        - name: plugins
+          mountPath: /plugins
+        {{- end }}
+        {{- range $volumeMount := .Values.backend.extraVolumeMounts }}
+        - name: {{ $volumeMount.name }}
+          mountPath: {{ $volumeMount.mountPath }}
+        {{- end }}
+      {{- if .Values.backend.extraContainers }}
+        {{- tpl (toYaml .Values.backend.extraContainers) . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.backend.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.backend.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.backend.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      - name: config
+        {{- if .Values.backend.extraCa.name }}
+        projected:
+          sources:
+          - configMap:
+              name: {{ .Values.backend.extraCa.name }}
+              items:
+              - key: {{ .Values.backend.extraCa.key }}
+                path: {{ .Values.backend.extraCa.mountSubPath }}
+        {{- end }}
+      {{- if .Values.backend.dbDataCm }}
+      - name: imports
+        configMap:
+          name: {{ .Values.backend.dbDataCm }}
+      {{- end }}
+      {{- if and .Values.backend.plugins (len .Values.backend.plugins) }}
+      - name: plugins
+        emptyDir: {}
+      - name: fetch-script
+        configMap:
+          name: {{ include "cpnConsole.fullname" . }}-fetch-script
+      {{- end }}
+      {{- range $volume := .Values.backend.extraVolumes }}
+      - name: {{ $volume.name }}
+        {{- if eq $volume.type "hostPath" }}
+        hostPath:
+          path: {{ $volume.path }}
+        {{- end }}
+        {{- if eq $volume.type "configMap" }}
+        configMap:
+          name: {{ $volume.name }}
+        {{- end }}
+      {{- end }}

charts/dso-console/templates/backend/deployment.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.backend.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-backend
+  labels:
+    {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "cpnConsole.fullname" . }}-backend
+  minReplicas: {{ .Values.backend.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.backend.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.backend.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.backend.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.backend.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.backend.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/dso-console/templates/backend/hpa.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.backend.plugins }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-fetch-script
+  labels: {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+data:
+  fetch: |
+    #!/bin/bash
+    cd /tmp
+{{- range $i, $val := .Values.backend.plugins }}
+    wget {{ $val }} -O {{ $i }}.zip;
+    mkdir -p /plugins/{{ $i }}
+    unzip -o {{ $i }}.zip -d /plugins/{{ $i }}
+{{- end }}
+{{- end }}

charts/dso-console/templates/backend/scripts.yaml

@@ -0,0 +1,17 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ include "cpnConsole.fullname" . }}-backend
+  labels: {{- include "cpnConsole.backend.labels" . | nindent 4 }}
+data: 
+  SESSION_SECRET: {{ .Values.global.keycloak.sessionSecret | b64enc }}
+  KEYCLOAK_CLIENT_SECRET: {{ .Values.global.keycloak.clientSecrets.backend | b64enc }}
+  {{- if not .Values.global.postgresql.cnpgSecretName }}
+  DB_URL: {{ include "cpnConsole.dbUrlValue" . | b64enc }}
+  {{- end -}}
+  {{- if .Values.global.secrets -}}
+  {{- include "cpnConsole.secret" .Values.global | indent 2 }}
+  {{- end -}}
+  {{- if .Values.backend.secrets -}}
+  {{- include "cpnConsole.secret" .Values.backend | indent 2 }}
+  {{- end -}}