[DEVOPS-1713] - Allow use of existing PVCs (#101)

bitwarden · Jan 25, 2024 · c44a24a · c44a24a
1 parent 7f9400e
commit c44a24a
Show file tree

Hide file tree

Showing 20 changed files with 406 additions and 139 deletions.
diff --git a/charts/self-host/ci/test-values.yaml b/charts/self-host/ci/test-values.yaml
@@ -80,6 +80,10 @@ general:
   # values are only ReadWriteMany and ReadWriteOnce.  Please read https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
   # to better understand these options before changing this value.
   volumeAccessMode: "ReadWriteOnce"
+  # Set to true to allow communication between your server and our cloud system. Doing so enables billing and license sync.  Please see: https://bitwarden.com/help/self-host-an-organization/#step-4-setup-billing-and-license-sync
+  enableCloudCommunication: false
+  # Cloud region for sync.  Please see: https://bitwarden.com/help/families-for-enterprise-self-hosted/#step-1-enable-cloud-communication
+  cloudRegion: US
 
 # Specify the name of the shared storage class
 # This storage class requires ReadWriteMany.  You will need to provide your own storage class.  Storage classes with automatic volume previsioners are recommended.
@@ -274,17 +278,60 @@ component:
     securityContext:
     # Run the pod under a service account you create.  This is especially useful for OpenShift deployments
     podServiceAccount:
+# Images used for jobs and init containers
+supportComponents:
+  dbMigrator:
+    image:
+      name: bitwarden/mssqlmigratorutility
+  certGenerator:
+    image:
+      name: docker.io/nginx
+      tag: 1.25.3
+  kubectl:
+    image:
+      name: bitnami/kubectl
+      tag: 1.21
 # Data volume sizes for shared PVCs
 volume:
   dataprotection:
+    # Use an existing PVC by specifying the name.
+    # existingClaim: claimName
+    # Override the accessMode specified in general.volumeAccessMode
+    # accessMode: ReadWriteOnce
+    # Override the storageClass specified in sharedStorageClassName
+    # storageClass: "shared-storage"
     size: "1Gi"
     labels: {}
   attachments:
+    # Use an existing PVC by specifying the name.
+    # existingClaim: claimName
+    # Override the accessMode specified in general.volumeAccessMode
+    # accessMode: ReadWriteOnce
+    # Override the storageClass specified in sharedStorageClassName
+    # storageClass: "shared-storage"
     size: 1Gi
     labels: {}
   licenses:
+    # Use an existing PVC by specifying the name.
+    # existingClaim: claimName
+    # Override the accessMode specified in general.volumeAccessMode
+    # accessMode: ReadWriteOnce
+    # Override the storageClass specified in sharedStorageClassName
+    # storageClass: "shared-storage"
     size: 1Gi
     labels: {}
+  logs:
+    # Logs are disabled by default
+    enabled: true
+    # Use an existing PVC by specifying the name.
+    # existingClaim: claimName
+    # Override the accessMode specified in general.volumeAccessMode
+    # accessMode: ReadWriteOnce
+    # Override the storageClass specified in sharedStorageClassName
+    # storageClass: "shared-storage"
+    size: 1Gi
+    labels: {}
+
 
 #
 # Configure service account for pre- and post-install hooks
@@ -320,14 +367,35 @@ database:
   # The MSSQL volumes for the PVCs
   volume:
     backups:
-      # Storage size
+      # Use an existing PVC by specifying the name.
+      # existingClaim: claimName
+      # Override the accessMode specified in general.volumeAccessMode
+      # accessMode: ReadWriteOnce
+      # Override the storageClass specified in sharedStorageClassName
+      # storageClass: "shared-storage"
       size: 1Gi
+      labels: {}
     data:
-      # Storage size
+      # Use an existing PVC by specifying the name.
+      # existingClaim: claimName
+      # Override the accessMode specified in general.volumeAccessMode
+      # accessMode: ReadWriteOnce
+      # Override the storageClass specified in sharedStorageClassName
+      # storageClass: "shared-storage"
       size: 10Gi
+      labels: {}
     log:
-      # Storage size
+      # Use an existing PVC by specifying the name.
+      # existingClaim: claimName
+      # Override the accessMode specified in general.volumeAccessMode
+      # accessMode: ReadWriteOnce
+      # Override the storageClass specified in sharedStorageClassName
+      # storageClass: "shared-storage"
       size: 10Gi
+      labels: {}
+  # Specifies the strategy used to replace old Pods by new ones. The value can be "OnDelete" or "RollingUpdate". "OnDelete" is the default value.
+  # When set to OnDelete, the SQL pod will not be recreated automatically on update.  It must be manually deleted to update.
+  updateStrategy: OnDelete
   # This will set the Kubernetes container security context
   securityContext:
   # Run the pod under a service account you create.  This is especially useful for OpenShift deployments

diff --git a/charts/self-host/templates/admin.yaml b/charts/self-host/templates/admin.yaml
@@ -14,7 +14,7 @@ metadata:
 spec:
   replicas: 1
   strategy:
-    type: "{{ .Values.component.admin.deploymentStrategy }}"
+    type: {{ .Values.component.admin.deploymentStrategy | quote }}
   selector:
     matchLabels:
       app: {{ template "bitwarden.admin" . }}
@@ -26,10 +26,10 @@ spec:
 {{ include "bitwarden.labels" . | indent 8 }}
     spec:
     {{- if .Values.component.admin.podServiceAccount }}
-      serviceAccount: "{{ .Values.component.admin.podServiceAccount }}"
-      serviceAccountName: "{{ .Values.component.admin.podServiceAccount }}"
+      serviceAccount: {{ .Values.component.admin.podServiceAccount | quote }}
+      serviceAccountName: {{ .Values.component.admin.podServiceAccount | quote }}
     {{- end }}
-    {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+    {{- if .Values.volume.logs.enabled }}
       initContainers:
       - name: create-mount-subdir
         command:
@@ -50,7 +50,7 @@ spec:
           - configMapRef:
               name: {{ .Release.Name }}-config-map
           - secretRef:
-              name: "{{ .Values.secrets.secretName }}"
+              name: {{ .Values.secrets.secretName | quote }}
           - secretRef:
               name: {{ template "bitwarden.keyssecret" . }}
           {{- if .Values.database.enabled }}
@@ -74,12 +74,12 @@ spec:
           mountPath: /etc/bitwarden/core/aspnet-dataprotection
         - name: licenses
           mountPath: /etc/bitwarden/core/licenses
-        {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+        {{- if .Values.volume.logs.enabled }}
         - name: applogs
           mountPath: /etc/bitwarden/logs
           subPath: admin
         {{- end }}
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           mountPath: "/mnt/secrets-store"
           readOnly: true
@@ -89,16 +89,16 @@ spec:
       volumes:
         - name: dataprotection
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.dataprotection" . }}
+            claimName: {{ default ( include "bitwarden.dataprotection" . ) .Values.volume.dataprotection.existingClaim }}
         - name: licenses
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.licenses" . }}
-        {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+            claimName: {{ default ( include "bitwarden.licenses" . ) .Values.volume.licenses.existingClaim }}
+        {{- if .Values.volume.logs.enabled }}
         - name: applogs
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.applogs" . }}
+            claimName: {{ default ( include "bitwarden.applogs" . ) .Values.volume.logs.existingClaim }}
         {{- end }}
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io

diff --git a/charts/self-host/templates/api.yaml b/charts/self-host/templates/api.yaml
@@ -14,7 +14,7 @@ metadata:
 spec:
   replicas: 1
   strategy:
-    type: "{{ .Values.component.api.deploymentStrategy }}"
+    type: {{ .Values.component.api.deploymentStrategy | quote }}
   selector:
     matchLabels:
       app: {{ template "bitwarden.api" . }}
@@ -26,10 +26,10 @@ spec:
 {{ include "bitwarden.labels" . | indent 8 }}
     spec:
     {{- if .Values.component.api.podServiceAccount }}
-      serviceAccount: "{{ .Values.component.api.podServiceAccount }}"
-      serviceAccountName: "{{ .Values.component.api.podServiceAccount }}"
+      serviceAccount: {{ .Values.component.api.podServiceAccount | quote }}
+      serviceAccountName: {{ .Values.component.api.podServiceAccount | quote }}
     {{- end }}
-    {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+    {{- if .Values.volume.logs.enabled }}
       initContainers:
       - name: create-mount-subdir
         command:
@@ -50,7 +50,7 @@ spec:
           - configMapRef:
               name: {{ .Release.Name }}-config-map
           - secretRef:
-              name: "{{ .Values.secrets.secretName }}"
+              name: {{ .Values.secrets.secretName | quote }}
           - secretRef:
               name: {{ template "bitwarden.keyssecret" . }}
           {{- if .Values.database.enabled }}
@@ -76,12 +76,12 @@ spec:
           mountPath: /etc/bitwarden/core/aspnet-dataprotection
         - name: licenses
           mountPath: /etc/bitwarden/core/licenses
-        {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+        {{- if .Values.volume.logs.enabled }}
         - name: applogs
           mountPath: /etc/bitwarden/logs
           subPath: api
         {{- end }}
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           mountPath: "/mnt/secrets-store"
           readOnly: true
@@ -91,19 +91,19 @@ spec:
       volumes:
         - name: dataprotection
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.dataprotection" . }}
+            claimName: {{ default ( include "bitwarden.dataprotection" . ) .Values.volume.dataprotection.existingClaim }}
         - name: attachments
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.attachments" . }}
+            claimName: {{ default ( include "bitwarden.attachments" . ) .Values.volume.attachments.existingClaim }}
         - name: licenses
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.licenses" . }}
-        {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+            claimName: {{ default ( include "bitwarden.licenses" . ) .Values.volume.licenses.existingClaim }}
+        {{- if .Values.volume.logs.enabled }}
         - name: applogs
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.applogs" . }}
+            claimName: {{ default ( include "bitwarden.applogs" . ) .Values.volume.logs.existingClaim }}
         {{- end }}
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io

diff --git a/charts/self-host/templates/attachments.yaml b/charts/self-host/templates/attachments.yaml
@@ -14,7 +14,7 @@ metadata:
 spec:
   replicas: 1
   strategy:
-    type: "{{ .Values.component.attachments.deploymentStrategy }}"
+    type: {{ .Values.component.attachments.deploymentStrategy | quote }}
   selector:
     matchLabels:
       app: {{ template "bitwarden.attachments" . }}
@@ -26,8 +26,8 @@ spec:
 {{ include "bitwarden.labels" . | indent 8 }}
     spec:
     {{- if .Values.component.attachments.podServiceAccount }}
-      serviceAccount: "{{ .Values.component.attachments.podServiceAccount }}"
-      serviceAccountName: "{{ .Values.component.attachments.podServiceAccount }}"
+      serviceAccount: {{ .Values.component.attachments.podServiceAccount | quote }}
+      serviceAccountName: {{ .Values.component.attachments.podServiceAccount | quote }}
     {{- end }}
       containers:
       - name: {{ template "bitwarden.attachments" . }}
@@ -36,7 +36,7 @@ spec:
           - configMapRef:
               name: {{ .Release.Name }}-config-map
           - secretRef:
-              name: "{{ .Values.secrets.secretName }}"
+              name: {{ .Values.secrets.secretName | quote }}
           - secretRef:
               name: {{ template "bitwarden.keyssecret" . }}
           {{- if .Values.database.enabled }}
@@ -58,7 +58,7 @@ spec:
         volumeMounts:
         - name: attachments
           mountPath: /etc/bitwarden/core/attachments
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           mountPath: "/mnt/secrets-store"
           readOnly: true
@@ -68,8 +68,8 @@ spec:
       volumes:
         - name: attachments
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.attachments" . }}
-        {{- if .Values.secrets.secretProviderClass}}
+            claimName: {{ default ( include "bitwarden.attachments" . ) .Values.volume.attachments.existingClaim }}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io

diff --git a/charts/self-host/templates/events.yaml b/charts/self-host/templates/events.yaml
@@ -14,7 +14,7 @@ metadata:
 spec:
   replicas: 1
   strategy:
-    type: "{{ .Values.component.events.deploymentStrategy }}"
+    type: {{ .Values.component.events.deploymentStrategy | quote }}
   selector:
     matchLabels:
       app: {{ template "bitwarden.events" . }}
@@ -26,10 +26,10 @@ spec:
 {{ include "bitwarden.labels" . | indent 8 }}
     spec:
     {{- if .Values.component.events.podServiceAccount }}
-      serviceAccount: "{{ .Values.component.events.podServiceAccount }}"
-      serviceAccountName: "{{ .Values.component.events.podServiceAccount }}"
+      serviceAccount: {{ .Values.component.events.podServiceAccount | quote }}
+      serviceAccountName: {{ .Values.component.events.podServiceAccount | quote }}
     {{- end }}
-    {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+    {{- if .Values.volume.logs.enabled }}
       initContainers:
       - name: create-mount-subdir
         command:
@@ -50,7 +50,7 @@ spec:
           - configMapRef:
               name: {{ .Release.Name }}-config-map
           - secretRef:
-              name: "{{ .Values.secrets.secretName }}"
+              name: {{ .Values.secrets.secretName | quote }}
           - secretRef:
               name: {{ template "bitwarden.keyssecret" . }}
           {{- if .Values.database.enabled }}
@@ -70,31 +70,31 @@ spec:
         resources:
 {{ toYaml .Values.component.events.resources | indent 10 }}
         volumeMounts:
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           mountPath: "/mnt/secrets-store"
           readOnly: true
         {{- end }}
-        {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+        {{- if .Values.volume.logs.enabled }}
         - name: applogs
           mountPath: /etc/bitwarden/logs
           subPath: events
         {{- end }}
         securityContext:
 {{ toYaml .Values.component.events.securityContext | indent 10 }}
       volumes:
-        {{- if .Values.secrets.secretProviderClass}}
+        {{- if .Values.secrets.secretProviderClass }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
               secretProviderClass: {{ .Values.secrets.secretProviderClass }}
         {{- end }}
-        {{- if and .Values.volume.logs .Values.volume.logs.enabled }}
+        {{- if .Values.volume.logs.enabled }}
         - name: applogs
           persistentVolumeClaim:
-            claimName: {{ template "bitwarden.applogs" . }}
+            claimName: {{ default ( include "bitwarden.applogs" . ) .Values.volume.logs.existingClaim }}
         {{- end }}
 
 ---