Feat/v0.7.0 (#53)

* feat: #51 initContainer SecurityContext

* feat: update to v5.1.0

Author: dsun0720

charts/featbit/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.1
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "5.0.3"
+appVersion: "5.1.0"
 
 kubeVersion: ">=1.23-0"
 

charts/featbit/templates/_initContainers-wait-for-infrastructure-dependencies.tpl

@@ -1,40 +1,46 @@
 {{/* Common initContainers-wait-for-infrastructure-dependencies definition */}}
 {{- define "initContainers-wait-for-infrastructure-dependencies" }}
+{{- $ctx := .context }}
+{{- $component := .component }}
 - name: wait-for-infrastructure-dependencies
-  image: {{ include "featbit.init-container.busybox.image" . }}
-  imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
-  {{- if (include "featbit.isPro" .) }}
+  image: {{ include "featbit.init-container.busybox.image" $ctx }}
+  imagePullPolicy: {{ $ctx.Values.busybox.image.pullPolicy }}
+  {{- with (get $ctx.Values $component).securityContext }}
+  securityContext:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if (include "featbit.isPro" $ctx) }}
   env:
-    {{- include "clickhouse-usr-pass" . | nindent 4 }}
+    {{- include "clickhouse-usr-pass" $ctx | nindent 4 }}
   {{- end }}
   command:
     - /bin/sh
     - -c
     - >
-        {{ if and .Values.postgresql.enabled (include "featbit.postgresql.used" .) }}
-        until (nc -vz -w 1 "{{ include "featbit.postgresql.host" . }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local" {{ include "featbit.postgresql.port" . }});
+        {{ if and $ctx.Values.postgresql.enabled (include "featbit.postgresql.used" $ctx) }}
+        until (nc -vz -w 1 "{{ include "featbit.postgresql.host" $ctx }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local" {{ include "featbit.postgresql.port" $ctx }});
         do
             echo "waiting for Postgresql"; sleep 1;
         done
         {{ end }}
 
-        {{ if and .Values.redis.enabled (include "featbit.redis.used" .) }}
-        until (nc -vz -w 1 "{{ include "featbit.redis.host" . }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local" {{ include "featbit.redis.port" . }});
+        {{ if and $ctx.Values.redis.enabled (include "featbit.redis.used" $ctx) }}
+        until (nc -vz -w 1 "{{ include "featbit.redis.host" $ctx }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local" {{ include "featbit.redis.port" $ctx }});
         do
             echo "waiting for Redis"; sleep 1;
         done
         {{ end }}
 
-        {{ if and .Values.mongodb.enabled (include "featbit.mongodb.used" .) }}
-        until (nc -vz -w 1 "{{ include "featbit.mongodb.host" . }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local" {{ include "featbit.mongodb.port" . }});
+        {{ if and $ctx.Values.mongodb.enabled (include "featbit.mongodb.used" $ctx) }}
+        until (nc -vz -w 1 "{{ include "featbit.mongodb.host" $ctx }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local" {{ include "featbit.mongodb.port" $ctx }});
         do
             echo "waiting for Mongodb"; sleep 1;
         done
         {{ end }}
 
-        {{ if and .Values.kafka.enabled (include "featbit.isPro" .) }}
+        {{ if and $ctx.Values.kafka.enabled (include "featbit.isPro" $ctx) }}
 
-        KAFKA_BROKERS="{{ include "featbit.kafka.consumer.brokers" . }}"
+        KAFKA_BROKERS="{{ include "featbit.kafka.consumer.brokers" $ctx }}"
 
         KAFKA_HOST=$(echo $KAFKA_BROKERS | cut -f1 -d:)
         KAFKA_PORT=$(echo $KAFKA_BROKERS | cut -f2 -d:)
@@ -45,13 +51,13 @@
         done
         {{ end }}
 
-        {{ if and .Values.clickhouse.enabled (include "featbit.isPro" .) }}
+        {{ if and $ctx.Values.clickhouse.enabled (include "featbit.isPro" $ctx) }}
         until (
             NODES_COUNT=$(wget -qO- \
-                "http://$CLICKHOUSE_USER:$CLICKHOUSE_PASSWORD@{{ include "featbit.clickhouse.host" . }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local:8123" \
+                "http://$CLICKHOUSE_USER:$CLICKHOUSE_PASSWORD@{{ include "featbit.clickhouse.host" $ctx }}.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local:8123" \
                 --post-data "SELECT count() FROM clusterAllReplicas('featbit_ch_cluster', system, one)"
             )
-            test ! -z $NODES_COUNT && test $NODES_COUNT -eq {{ mul .Values.clickhouse.shards .Values.clickhouse.replicaCount }}
+            test ! -z $NODES_COUNT && test $NODES_COUNT -eq {{ mul $ctx.Values.clickhouse.shards $ctx.Values.clickhouse.replicaCount }}
         );
         do
             echo "waiting for all ClickHouse nodes to be available"; sleep 1;

charts/featbit/templates/_initContainers-wait-for-other-components.tpl

@@ -1,28 +1,34 @@
 {{/* ui waits for other components */}}
 {{- define "initContainers-wait-for-other-components" }}
+{{- $ctx := .context }}
+{{- $component := .component }}
 - name: wait-for-other-components
-  image: {{ include "featbit.init-container.busybox.image" . }}
-  imagePullPolicy: {{ .Values.busybox.image.pullPolicy }}
+  image: {{ include "featbit.init-container.busybox.image" $ctx }}
+  imagePullPolicy: {{ $ctx.Values.busybox.image.pullPolicy }}
+  {{- with (get $ctx.Values $component).securityContext }}
+  securityContext:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   command:
     - /bin/sh
     - -c
     - >
-        {{ if (include "api.svc.fqdn" .) }}
-        until (nc -vz -w 1 {{ include "api.svc.fqdn" . }} {{ include "api.svc.port" . }});
+        {{ if (include "api.svc.fqdn" $ctx) }}
+        until (nc -vz -w 1 {{ include "api.svc.fqdn" $ctx }} {{ include "api.svc.port" $ctx }});
         do
             echo "waiting for API"; sleep 1;
         done
         {{ end }}
 
-        {{ if (include "els.svc.fqdn" .) }}
-        until (nc -vz -w 1 {{ include "els.svc.fqdn" . }} {{ include "els.svc.port" . }});
+        {{ if (include "els.svc.fqdn" $ctx) }}
+        until (nc -vz -w 1 {{ include "els.svc.fqdn" $ctx }} {{ include "els.svc.port" $ctx }});
         do
             echo "waiting for Evaluation Server"; sleep 1;
         done
         {{ end }}
 
-        {{ if (include "das.svc.fqdn" .) }}
-        until (nc -vz -w 1 {{ include "das.svc.fqdn" . }} {{ include "das.svc.port" . }});
+        {{ if (include "das.svc.fqdn" $ctx) }}
+        until (nc -vz -w 1 {{ include "das.svc.fqdn" $ctx }} {{ include "das.svc.port" $ctx }});
         do
           echo "waiting for DA Server"; sleep 1;
         done

charts/featbit/templates/_mongodb-config.tpl

@@ -70,4 +70,14 @@ Return the Mongodb secret key
 {{- else -}}
 {{- printf "mongodb-conn-str" -}}
 {{- end -}}
+{{- end -}}
+
+{{- define "featbit.mongodb.db" -}}
+{{- $db := "featbit" -}}
+{{- if and .Values.mongodb.enabled .Values.mongodb.userDatabase.name -}}
+    {{- $db = .Values.mongodb.userDatabase.name -}}
+{{- else if .Values.externalMongodb.database -}}
+    {{- $db = .Values.externalMongodb.database -}}
+{{- end -}}
+{{- printf "%s" $db -}}
 {{- end -}}

charts/featbit/templates/_mongodb-env.tpl

@@ -7,7 +7,7 @@
       key: {{ include "featbit.mongodb.secretKey" . }}
 
 - name: MongoDb__Database
-  value: featbit
+  value: {{ include "featbit.mongodb.db" . }}
 
 - name: DbProvider
   value: MongoDb
@@ -20,7 +20,7 @@
       key: {{ include "featbit.mongodb.secretKey" . }}
 
 - name: MONGO_INITDB_DATABASE
-  value: featbit
+  value: {{ include "featbit.mongodb.db" . }}
 
 - name: DB_PROVIDER
   value: MongoDb

charts/featbit/templates/api-deployment.yaml

@@ -41,7 +41,7 @@ spec:
       securityContext:
         {{- toYaml .Values.api.podSecurityContext | nindent 8 }}
       initContainers:
-        {{- include "initContainers-wait-for-infrastructure-dependencies" . | indent 8 }}
+        {{- include "initContainers-wait-for-infrastructure-dependencies" (dict "context" . "component" "api") | indent 8 }}
       containers:
         - name: {{ .Chart.Name }}-api
           securityContext:

charts/featbit/templates/da-server-deployment.yaml

@@ -41,7 +41,7 @@ spec:
       securityContext:
         {{- toYaml .Values.das.podSecurityContext | nindent 8 }}
       initContainers:
-        {{- include "initContainers-wait-for-infrastructure-dependencies" . | indent 8 }}
+        {{- include "initContainers-wait-for-infrastructure-dependencies" (dict "context" . "component" "das") | indent 8 }}
       containers:
         - name: {{ .Chart.Name }}-das
           securityContext:

charts/featbit/templates/eval-server-deployment.yaml

@@ -41,7 +41,7 @@ spec:
       securityContext:
         {{- toYaml .Values.els.podSecurityContext | nindent 8 }}
       initContainers:
-        {{- include "initContainers-wait-for-infrastructure-dependencies" . | indent 8 }}
+        {{- include "initContainers-wait-for-infrastructure-dependencies" (dict "context" . "component" "els") | indent 8 }}
       containers:
         - name: {{ .Chart.Name }}-els
           securityContext:

charts/featbit/templates/mongodb-init-scripts-configmap.yaml

@@ -9,8 +9,9 @@ metadata:
   annotations:
     {{- include "featbit-metadata-annotations-common" . | nindent 4 }}
 data:
-  init.js: |-
-    const dbName = "featbit";
+  {{- $db := (include "featbit.mongodb.db" .) }}
+  01_init.js: |-
+    const dbName = "{{ $db }}";
     print('use', dbName, 'database')
     db = db.getSiblingDB(dbName)
 
@@ -266,16 +267,112 @@ data:
 
     // add indexes
     print('add indexes...')
-    db.AuditLogs.createIndex({ createdAt: 1 });
-    db.EndUsers.createIndex({ updatedAt: 1 });
-    db.ExperimentMetrics.createIndex({ updatedAt: 1 });
-    db.FeatureFlags.createIndex({ updatedAt: 1 });
-    db.Segments.createIndex({ updatedAt: 1 });
-    db.AccessTokens.createIndex({ createdAt: 1 });
-    db.Policies.createIndex({ createdAt: 1 });
-    db.Projects.createIndex({ createdAt: 1 });
-    db.RelayProxies.createIndex({ createdAt: 1 });
-    db.Webhooks.createIndex({ createdAt: 1 });
-    db.Webhooks.createIndex({ startedAt: 1 });
+    db.AuditLogs.createIndex({createdAt: 1});
+
+    db.EndUsers.createIndex({envId: 1, keyId: 1});
+    db.EndUsers.createIndex({updatedAt: 1});
+
+    db.ExperimentMetrics.createIndex({updatedAt: 1});
+    db.FeatureFlags.createIndex({updatedAt: 1});
+    db.Segments.createIndex({updatedAt: 1});
+    db.AccessTokens.createIndex({createdAt: 1});
+    db.Policies.createIndex({createdAt: 1});
+    db.Projects.createIndex({createdAt: 1});
+    db.RelayProxies.createIndex({createdAt: 1});
+    db.Webhooks.createIndex({createdAt: 1});
+    db.Webhooks.createIndex({startedAt: 1});
     print('indexes added')
+  02_update_admin_policies_workspace_perm.js: |-
+    const dbName = "{{ $db }}";
+    print('use', dbName, 'database')
+    db = db.getSiblingDB(dbName)
+
+    db.Policies.updateOne(
+      {
+          _id: UUID("3e961f0f-6fd4-4cf4-910f-52d356f8cc08"),
+          "statements.resourceType": { $ne: "workspace" }
+      },
+      {
+        $push: {
+          statements: {
+            _id: "7a910fbd-9463-4563-af72-fa977d34fdb2",
+            resourceType: "workspace",
+            effect: "allow",
+            actions: [
+              "UpdateWorkspaceGeneralSettings",
+              "UpdateWorkspaceLicense",
+              "UpdateWorkspaceSSOSettings"
+            ],
+            resources: ["workspace/*"]
+          }
+        }
+      }
+    );
+  03_update_admin_policies_new_CreateOrg_perm.js: |-
+    const dbName = "{{ $db }}";
+    print('use', dbName, 'database')
+    db = db.getSiblingDB(dbName)
+
+    const administratorPolicyId = UUID("3e961f0f-6fd4-4cf4-910f-52d356f8cc08")
+
+    function getUUIDString() {
+      return UUID().toString().split('"')[1];
+    }
+
+    const newStatement = {
+      _id: getUUIDString(),
+      resourceType: "organization",
+      effect: "allow",
+      actions: [
+        "UpdateOrgName",
+        "UpdateOrgDefaultUserPermissions",
+        "CreateOrg"
+      ],
+      resources: ["organization/*"]
+    };
+
+    db.Policies.updateOne(
+      { _id: administratorPolicyId },
+      { $pull: { statements: { resourceType: "organization" } } }
+    );
+
+    db.Policies.updateOne(
+      { _id: administratorPolicyId },
+      { $push: { statements: newStatement } }
+    );
+  04_update_proxy_policies_auto_agents.js: |-
+    const dbName = "{{ $db }}";
+    print('use', dbName, 'database')
+    db = db.getSiblingDB(dbName)
+
+    db.RelayProxies.updateMany(
+        {},
+        { $set: { autoAgents: [] } }
+    );
+
+    const bulkOps = [];
+
+    const relayProxies = db.RelayProxies.find(
+      { scopes: { $exists: true, $ne: null } },
+      { _id: 1, scopes: 1 }
+    ).toArray();
+
+    relayProxies.forEach(proxy => {
+        if (proxy.scopes && Array.isArray(proxy.scopes)) {
+            const flattenedEnvIds = proxy.scopes.flatMap(scope =>
+                scope && scope.envIds ? scope.envIds.map(envId => envId.toString()) : []
+            );
+
+            bulkOps.push({
+              updateOne: {
+                filter: { _id: proxy._id },
+                update: { $set: { scopes: flattenedEnvIds } }
+              }
+            });
+        }
+    });
+
+    if (bulkOps.length > 0) {
+        db.RelayProxies.bulkWrite(bulkOps, { ordered: false });
+    }
     {{- end -}}