🔧(helm) rework chart based on jenny helm chart

Rework Warren Helm chart based on the work done on Jenny Helm chart in PR
openfun/charts#5
Changes done in this commit:
- Jobs for database migration or static collection are abstracted into a single
  job template
- Env variables are now processed in the helper template
- Removed unused HorizontalPodAutoscaler
- Add startup probes for migration checks
- Migration jobs are now executed post helm installation/upgrade
- Removed unnecessary security context variables
- Add a nginx container alongside warren-app to serve static files
- Rework postgresql values to have a functional Helm chart on a local cluster
- Update Helm chart README.md

Author: wilbrdt

src/helm/README.md

@@ -102,63 +102,30 @@ Our Elasticsearch cluster is all set. In the next section, we will now deploy
 
 ### Deploy the LRS: Ralph
 
-Ralph is also distributed as a Helm chart that can be deployed with a single
-line of code:
+Ralph is also distributed as a Helm chart. Check out the [Ralph Helm chart README](https://github.com/openfun/ralph/blob/main/src/helm/README.md) to deploy it!
 
-```bash
-helm install \
-    --values charts/ralph/values.yaml \
-    --set envSecrets.RALPH_BACKENDS__DATABASE__ES__HOSTS=https://elastic:"${ELASTIC_PASSWORD}"@data-lake-es-http:9200 \
-    lrs oci://registry-1.docker.io/openfuncharts/ralph
-```
-
-One can check if the server is running by opening a network tunnel to the
-service using the `port-forward` sub-command:
-
-
-```bash
-kubectl port-forward svc/lrs-ralph 8080:8080
-```
-
-And then send a request to the server using this tunnel:
-
-```bash
-curl --user admin:password localhost:8080/whoami
-```
-
-We expect a valid JSON response stating about the user you are using for this
-request.
-
-If everything went well, we can send 22k xAPI statements to the LRS using:
+### Deploy the dashboard suite: Warren
 
+Let's create secrets needed for Warren deployment with:
 ```bash
-gunzip -c ../../data/statements.jsonl.gz | \
-  sed "s/@timestamp/timestamp/g" | \
-  jq -s . | \
-  curl -Lk \
-    --user admin:password \
-    -X POST \
-    -H "Content-Type: application/json" \
-    http://localhost:8080/xAPI/statements/ -d @-
+kubectl create secret generic warren-api-secrets --from-env-file=warren/charts/api/.secret
+kubectl create secret generic warren-app-secrets --from-env-file=warren/charts/app/.secret
 ```
 
-### Deploy the dashboard suite: Warren
-
-Now that the LRS is running, we can deploy warren along with its dependencies
+We can now deploy Warren along with its dependencies
 using:
 
 ```bash
 # Fetch dependencies
-cd warren && helm dependency build
+helm dependency build ./warren
 
-# Deploy postgresql for Warren `app` service (Django)
+# Install Warren
 helm install warren ./warren --values development.yaml --debug --atomic
 ```
 
 If you want to upgrade your deployment (after a change in a template or a
 value), you can upgrade deployed version using:
 
 ```bash
-# Deploy postgresql for Warren `app` service (Django)
 helm upgrade --install warren ./warren --values development.yaml --debug --atomic
 ```

src/helm/charts/ralph/values.yaml

@@ -1,15 +1,5 @@
-envSecrets:
-  RALPH_BACKENDS__DATABASE__ES__INDEX: statements
-  RALPH_BACKENDS__DATABASE__ES__CLIENT_OPTIONS__ca_certs: "/usr/local/share/ca-certificates/ca.crt"
-  RALPH_BACKENDS__DATABASE__ES__CLIENT_OPTIONS__verify_certs: "true"
-
-lrs:
-  auth:
-    - username: "admin"
-      hash: "$2b$12$JFK.YCdbUWD2rS94fT4.m.KC/fIMzUMPMtjaD4t3t1iAfqki3ZPOq"
-      scopes: ["example_scope"]
-
-elastic:
-  enabled: true
-  mountCACert: true
-  caSecretName: "data-lake-es-http-certs-public"
+database:
+  tls:
+    enabled: true
+    certificatesSecret: "data-lake-es-http-certs-public"
+    certificatesMountPath: "/usr/local/share/ca-certificates/"

src/helm/development.yaml

@@ -3,9 +3,10 @@
 # -- Warren - app service --
 app:
   enabled: true
-  allowedHosts:
-    - "localhost"
-  djangoConfiguration: Development
+  django:
+    allowedHosts:
+      - "localhost"
+    configuration: "Development"
   image:
     pullPolicy: Always
   persistence:
@@ -14,7 +15,8 @@ app:
 # -- Warren - api service --
 api:
   enabled: true
-  allowedHosts:
+  fastapi:
+    allowedHosts: 
     - "http://localhost:8080"
   image:
     pullPolicy: Always
@@ -24,10 +26,13 @@ postgresql:
   enabled: true
   image:
     tag: 12.17.0-debian-11-r12
-
-global:
-  postgresql:
-    auth:
-      username: fun
-      password: pass
-      database: warren-api
+  auth:
+    username: fun
+    password: pass
+    database: warren-api
+  primary:
+    initdb:
+      scripts:
+        init.sql: |
+          CREATE DATABASE "warren-app";
+          GRANT ALL PRIVILEGES ON DATABASE "warren-app" TO fun;

src/helm/manifests/warren-secrets.yaml

@@ -0,0 +1,3 @@
+WARREN_API_DB_PASSWORD=pass
+WARREN_LRS_AUTH_BASIC_PASSWORD=password
+WARREN_APP_SIGNING_KEY=change_me

src/helm/warren/charts/api/.secret

@@ -51,8 +51,62 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Allowed hosts string (environment variable value)
+Environment variables
 */}}
-{{- define "api.allowedHosts" -}}
-{{- printf "%q" .Values.allowedHosts | replace " " "," | quote -}}
+{{- define "api.envs" -}}
+- name: "WARREN_API_SERVER_PORT"
+  value: "{{ .Values.service.port }}"
+- name: "WARREN_API_DB_NAME"
+  value: "{{ .Values.fastapi.db.name }}"
+- name: "WARREN_API_DB_USER"
+  value: "{{ .Values.fastapi.db.user }}"
+- name: "WARREN_API_DB_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: warren-api-secrets
+      key: WARREN_API_DB_PASSWORD
+- name: "WARREN_API_DB_ENGINE"
+  value: "{{ .Values.fastapi.db.engine }}"
+- name: "WARREN_API_DB_HOST"
+  value: "{{ .Values.fastapi.db.host }}"
+- name: "WARREN_API_DB_PORT"
+  value: "{{ .Values.fastapi.db.port }}"
+- name: "WARREN_ALLOWED_HOSTS"
+  value: {{ printf "%q" .Values.fastapi.allowedHosts | replace " " "," | quote }}
+- name: "WARREN_LRS_HOSTS"
+  value: "{{ .Values.fastapi.lrs.hosts }}"
+- name: "WARREN_LRS_AUTH_BASIC_USERNAME"
+  value: "{{ .Values.fastapi.lrs.username }}"
+- name: "WARREN_LRS_AUTH_BASIC_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: warren-api-secrets
+      key: WARREN_LRS_AUTH_BASIC_PASSWORD
+- name: "WARREN_APP_SIGNING_ALGORITHM"
+  value: "{{ .Values.fastapi.signingAlgorithm }}"
+- name: "WARREN_APP_SIGNING_KEY"
+  valueFrom:
+    secretKeyRef:
+      name: warren-api-secrets
+      key: WARREN_APP_SIGNING_KEY
+{{- range $key, $val := .Values.env.secret }}
+- name: {{ $val.envName }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $val.secretName }}
+      key: {{ $val.keyName }}
+{{- end }}
+{{- end }}
+
+{{/*
+ImagePullSecrets
+*/}}
+{{- define "fastapi.imagePullSecrets" -}}
+{{- $pullSecrets := .Values.imagePullSecrets }}
+{{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+{{- range $pullSecrets }}
+- name: {{ . }}
+{{ end }}
+{{- end -}}
 {{- end }}

src/helm/warren/charts/api/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: "{{ .Values.loggingConfigConfigMap }}"
+  name: "{{ template "api.fullname" . }}-logging-config"
   labels:
     {{- include "api.labels" . | nindent 4 }}
 data:

…ren/charts/api/templates/cm_logging.yaml …rren/charts/api/templates/configmap.yamlsrc/helm/warren/charts/api/templates/cm_logging.yaml renamed to src/helm/warren/charts/api/templates/configmap.yaml src/helm/warren/charts/api/templates/cm_logging.yaml renamed to src/helm/warren/charts/api/templates/configmap.yaml

@@ -2,15 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "api.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "api.labels" . | nindent 4 }}
 spec:
-  {{- if not .Values.autoscaling.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
   selector:
     matchLabels:
       {{- include "api.selectorLabels" . | nindent 6 }}
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
@@ -19,72 +20,48 @@ spec:
       {{- end }}
       labels:
         {{- include "api.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
     spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- include "fastapi.imagePullSecrets" . | nindent 6 }}
       containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+        - name: "{{ .Chart.Name }}-fastapi"
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
-              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
           livenessProbe:
             httpGet:
               path: /__heartbeat__
               port: http
-              httpHeaders:
-                - name: Host
-                  value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}'
             initialDelaySeconds: 15
             periodSeconds: 30
           readinessProbe:
             httpGet:
               path: /__lbheartbeat__
               port: http
-              httpHeaders:
-                - name: Host
-                  value: '{{ first .Values.allowedHosts | trimPrefix "https://" }}'
             initialDelaySeconds: 5
             periodSeconds: 5
+          startupProbe:
+            exec:
+              command:
+                - "bash" 
+                - "-c"
+                - "warren migration check"
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 120
           env:
-            - name: WARREN_API_SERVER_PORT
-              value: "{{ .Values.service.port }}"
-            - name: WARREN_API_DB_ENGINE
-              value: {{ .Values.database.engine }}
-            - name: WARREN_API_DB_PORT
-              value: {{ .Values.database.port | quote }}
-            - name: WARREN_APP_SIGNING_ALGORITHM
-              value: {{ .Values.signingAlgorithm }}
-            - name: WARREN_ALLOWED_HOSTS
-              value: {{ include "api.allowedHosts" . }}
-          envFrom:
-            - secretRef:
-                name: {{ .Values.envVarsSecret | quote }}
-          {{ with .Values.podCommand }}
+            {{- include "api.envs" . | nindent 12 }}
+          {{ with .Values.fastapi.command }}
           command:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
           volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.volumes }}
+            - name: logging-config
+              mountPath: "/etc/warren/api"
       volumes:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        - name: logging-config
+          configMap:
+            name: "warren-api-logging-config"
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}