add database changes to chart and support migrations

Signed-off-by: Mike Mason <[email protected]>
infratographer · Dec 1, 2023 · d9d8992 · d9d8992
1 parent e17ab27
commit d9d8992
Show file tree

Hide file tree

Showing 7 changed files with 163 additions and 2 deletions.
diff --git a/chart/permissions-api/templates/_helpers.tpl b/chart/permissions-api/templates/_helpers.tpl
@@ -13,6 +13,11 @@
   secret:
     secretName: {{ . }}
 {{- end }}
+{{- with .Values.config.crdb.caSecretName }}
+- name: crdb-ca
+  secret:
+    secretName: {{ . }}
+{{- end }}
 {{- with .Values.config.spicedb.policyConfigMapName }}
 - name: policy-file
   configMap:
@@ -27,6 +32,10 @@
 - name: spicedb-ca
   mountPath: /etc/ssl/spicedb/
 {{- end }}
+{{- if .Values.config.crdb.caSecretName }}
+- name: crdb-ca
+  mountPath: {{ .Values.config.crdb.caMountPath }}
+{{- end }}
 {{- if .Values.config.spicedb.policyConfigMapName }}
 - name: policy-file
   mountPath: /policy
@@ -42,6 +51,11 @@
   secret:
     secretName: {{ . }}
 {{- end }}
+{{- with .Values.config.crdb.caSecretName }}
+- name: crdb-ca
+  secret:
+    secretName: {{ . }}
+{{- end }}
 {{- with .Values.config.events.nats.credsSecretName }}
 - name: nats-creds
   secret:
@@ -61,6 +75,10 @@
 - name: spicedb-ca
   mountPath: /etc/ssl/spicedb/
 {{- end }}
+{{- if .Values.config.crdb.caSecretName }}
+- name: crdb-ca
+  mountPath: {{ .Values.config.crdb.caMountPath }}
+{{- end }}
 {{- if .Values.config.events.nats.credsSecretName }}
 - name: nats-creds
   mountPath: /nats

diff --git a/chart/permissions-api/templates/config-server.yaml b/chart/permissions-api/templates/config-server.yaml
@@ -10,4 +10,4 @@ metadata:
     service: server
 data:
   config.yaml: |
-    {{- pick .Values.config "server" "oidc" "spicedb" "tracing" | toYaml | nindent 4 }}
+    {{- pick .Values.config "server" "oidc" "crdb" "spicedb" "tracing" | toYaml | nindent 4 }}
diff --git a/chart/permissions-api/templates/config-worker.yaml b/chart/permissions-api/templates/config-worker.yaml
@@ -10,4 +10,4 @@ metadata:
     service: worker
 data:
   config.yaml: |
-    {{- pick .Values.config "server" "events" "oidc" "spicedb" "tracing" | toYaml | nindent 4 }}
+    {{- pick .Values.config "server" "events" "oidc" "crdb" "spicedb" "tracing" | toYaml | nindent 4 }}
diff --git a/chart/permissions-api/templates/deployment-server.yaml b/chart/permissions-api/templates/deployment-server.yaml
@@ -11,6 +11,7 @@ metadata:
     {{- end }}
   {{- with .Values.deployment.annotations }}
   annotations:
+    checksum/config: {{ include (print $.Template.BasePath "/config-server.yaml") . | sha256sum }}
     {{ toYaml . | nindent 4 }}
   {{- end }}
 spec:
@@ -43,6 +44,30 @@ spec:
       securityContext:
         {{- toYaml .Values.deployment.podSecurityContext | nindent 8 }}
       {{- end }}
+      {{- if eq .Values.config.crdb.migrateHook "init" }}
+      initContainers:
+        - name: {{ include "common.names.name" . }}-migrate-database-init
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - migrate
+            - up
+            - --config
+            - /config/config.yaml
+          {{- with .Values.config.crdb.uriSecretName }}
+          env:
+            - name: PERMISSIONSAPI_CRDB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ . }}
+                  key: uri
+          {{- end }}
+          {{- with .Values.deployment.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts: {{ include "permapi.server.volumeMounts" . | nindent 12 }}
+      {{- end }}
       containers:
         - name: {{ include "common.names.name" . }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -54,6 +79,13 @@ spec:
           env:
             - name: PERMISSIONSAPI_SERVER_LISTEN
               value: ":{{ include "permapi.listenPort" . }}"
+          {{- with .Values.config.crdb.uriSecretName }}
+            - name: PERMISSIONSAPI_CRDB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ . }}
+                  key: uri
+          {{- end }}
           {{- if .Values.config.spicedb.policyConfigMapName }}
             - name: PERMISSIONSAPI_SPICEDB_POLICYFILE
               value: /policy/policy.yaml

diff --git a/chart/permissions-api/templates/deployment-worker.yaml b/chart/permissions-api/templates/deployment-worker.yaml
@@ -11,6 +11,7 @@ metadata:
     {{- end }}
   {{- with .Values.deployment.annotations }}
   annotations:
+    checksum/config: {{ include (print $.Template.BasePath "/config-worker.yaml") . | sha256sum }}
     {{ toYaml . | nindent 4 }}
   {{- end }}
 spec:
@@ -54,6 +55,13 @@ spec:
           env:
             - name: PERMISSIONSAPI_SERVER_LISTEN
               value: ":{{ include "permapi.listenPort" . }}"
+          {{- with .Values.config.crdb.uriSecretName }}
+            - name: PERMISSIONSAPI_CRDB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ . }}
+                  key: uri
+          {{- end }}
           {{- if .Values.config.events.nats.tokenSecretName }}
             - name: PERMISSIONSAPI_EVENTS_NATS_TOKEN
               valueFrom:

diff --git a/chart/permissions-api/templates/job-migrate-database.yaml b/chart/permissions-api/templates/job-migrate-database.yaml
@@ -0,0 +1,70 @@
+{{- if has .Values.config.crdb.migrateHook (list "pre-sync" "manual") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  {{- if eq .Values.config.crdb.migrateHook "manual" }}
+  name: {{ include "common.names.name" . }}-migrate-database
+  {{- else }}
+  generateName: migrate-database-
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+  {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      service: migrate-database
+      {{- include "common.labels.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        service: migrate-database
+        {{- include "common.labels.standard" . | nindent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      terminationGracePeriodSeconds: 30
+      {{- with .Values.deployment.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.deployment.podSecurityContext | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ include "common.names.name" . }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - migrate
+            - up
+            - --config
+            - /config/config.yaml
+          {{- with .Values.config.crdb.uriSecretName }}
+          env:
+            - name: PERMISSIONSAPI_CRDB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ . }}
+                  key: uri
+          {{- end }}
+          {{- with .Values.deployment.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts: {{ include "permapi.server.volumeMounts" . | nindent 12 }}
+      {{- with .Values.deployment.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes: {{ include "permapi.server.volumes" . | nindent 8 }}
+{{- end }}
diff --git a/chart/permissions-api/values.yaml b/chart/permissions-api/values.yaml
@@ -46,6 +46,39 @@ config:
     # policyConfigMapName is the name of the Config Map containing the policy file configuration
     policyConfigMapName: ""
 
+  crdb:
+    # migrateHook sets when to run database migrations. one of: pre-sync, init, manual
+    #  - pre-sync: hook runs as a job before any other changes are synced.
+    #  - init: is run as an init container to the server deployment and may run multiple times if replica count is high.
+    #  - manual: a migrate-database job will be available to triggered manually
+    migrateHook: "init"
+    # name is the database name
+    name: ""
+    # host is the database host
+    host: ""
+    # user is the auth username to the database
+    user: ""
+    # password is the auth password to the database
+    password: ""
+    # params is the connection parameters to the database
+    params: ""
+    # uri is the raw uri connection string
+    uri: ""
+    # uriSecretName if set retrieves the `uri` from the provided secret name
+    uriSecretName: ""
+    # caSecretName if defined mounts database certificates from the provided secret
+    # secrets are mounted at `caMountPath`
+    caSecretName: ""
+    # caMountPath is the path the caSecretName is mounted at
+    caMountPath: /etc/ssl/crdb/
+    connections:
+      # max_open is the maximum number of open connections to the database
+      max_open: 0
+      # max_idle is the maximum number of connections in the idle connection
+      max_idle: 0
+      # max_lifetime is the maximum amount of time a connection may be idle
+      max_lifetime: 0
+
   events:
     # topics are the list of topics to subscribe to
     topics: []