diff --git a/applications/gafaelfawr/README.md b/applications/gafaelfawr/README.md
index 8d3490131a..ae4eb82caf 100644
--- a/applications/gafaelfawr/README.md
+++ b/applications/gafaelfawr/README.md
@@ -104,7 +104,7 @@ Authentication and identity system
 | podAnnotations | object | `{}` | Annotations for the Gafaelfawr frontend pod |
 | redis.affinity | object | `{}` | Affinity rules for the Redis pod |
 | redis.config.secretKey | string | `"redis-password"` | Key inside secret from which to get the Redis password (do not change) |
-| redis.config.secretName | string | `"gafaelfawr-secret"` | Name of secret containing Redis password (may require changing if fullnameOverride is set) |
+| redis.config.secretName | string | `"gafaelfawr"` | Name of secret containing Redis password (do not change) |
 | redis.nodeSelector | object | `{}` | Node selection rules for the Redis pod |
 | redis.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode of storage to request |
 | redis.persistence.enabled | bool | `true` | Whether to persist Redis storage and thus tokens. Setting this to false will use `emptyDir` and reset all tokens on every restart. Only use this for a test deployment. |
diff --git a/applications/gafaelfawr/templates/_helpers.tpl b/applications/gafaelfawr/templates/_helpers.tpl
index 812a70b587..eb32f96cd7 100644
--- a/applications/gafaelfawr/templates/_helpers.tpl
+++ b/applications/gafaelfawr/templates/_helpers.tpl
@@ -43,19 +43,19 @@ Common environment variables
 - name: "GAFAELFAWR_BOOTSTRAP_TOKEN"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "bootstrap-token"
 {{- if .Values.config.cilogon.clientId }}
 - name: "GAFAELFAWR_CILOGON_CLIENT_SECRET"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "cilogon-client-secret"
 {{- end }}
 - name: "GAFAELFAWR_DATABASE_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "database-password"
 {{- if (or .Values.cloudsql.enabled .Values.config.internalDatabase) }}
 - name: "GAFAELFAWR_DATABASE_URL"
@@ -71,28 +71,28 @@ Common environment variables
 - name: "GAFAELFAWR_GITHUB_CLIENT_SECRET"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "github-client-secret"
 {{- end }}
 {{- if .Values.config.ldap.userDn }}
 - name: "GAFAELFAWR_LDAP_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "ldap-password"
 {{- end }}
 {{- if .Values.config.oidc.clientId }}
 - name: "GAFAELFAWR_OIDC_CLIENT_SECRET"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "oidc-client-secret"
 {{- end }}
 {{- if .Values.config.oidcServer.enabled }}
 - name: "GAFAELFAWR_OIDC_SERVER_CLIENTS"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "oidc-server-secrets"
 {{- if (not .Values.config.oidcServer.issuer) }}
 - name: "GAFAELFAWR_OIDC_SERVER_ISSUER"
@@ -101,7 +101,7 @@ Common environment variables
 - name: "GAFAELFAWR_OIDC_SERVER_KEY"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "signing-key"
 {{- end }}
 {{- if (not .Values.config.realm) }}
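Review bot: The secret name is now the bare literal `"gafaelfawr"` in every `secretKeyRef` of this hunk and of the three `_helpers.tpl` hunks that follow, while the same string is separately declared as `redis.config.secretName` in `values.yaml`, so one name now has two unconnected definitions. A named template, e.g. `{{- define "gafaelfawr.secretName" -}}gafaelfawr{{- end }}` used as `name: {{ include "gafaelfawr.secretName" . | quote }}`, would give the twelve references a single source. Whether the Redis resources read `redis.config.secretName` is outside this diff, so I can only note that the value there must stay equal to the literal here.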
@@ -113,20 +113,20 @@ Common environment variables
 - name: "GAFAELFAWR_REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "redis-password"
 - name: "GAFAELFAWR_REDIS_URL"
 value: "redis://gafaelfawr-redis.{{ .Release.Namespace }}:6379/0"
 - name: "GAFAELFAWR_SESSION_SECRET"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "session-secret"
 {{- if .Values.config.slackAlerts }}
 - name: "GAFAELFAWR_SLACK_WEBHOOK"
 valueFrom:
 secretKeyRef:
- name: {{ .secretName | quote }}
+ name: "gafaelfawr"
 key: "slack-webhook"
 {{- end }}
 {{- if .Values.config.metrics.enabled }}
diff --git a/applications/gafaelfawr/templates/configmap-kerberos.yaml b/applications/gafaelfawr/templates/configmap-kerberos.yaml
index d21ed51b45..ab7b960106 100644
--- a/applications/gafaelfawr/templates/configmap-kerberos.yaml
+++ b/applications/gafaelfawr/templates/configmap-kerberos.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: "gafaelfawr-config-kerberos"
+ name: "gafaelfawr-kerberos"
 labels:
 {{- include "gafaelfawr.labels" . | nindent 4 }}
 data:
diff --git a/applications/gafaelfawr/templates/configmap.yaml b/applications/gafaelfawr/templates/configmap.yaml
index 86b72672ba..b9e0efe1ba 100644
--- a/applications/gafaelfawr/templates/configmap.yaml
+++ b/applications/gafaelfawr/templates/configmap.yaml
@@ -1,27 +1,15 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: "gafaelfawr-config"
+ name: "gafaelfawr"
 labels:
 {{- include "gafaelfawr.labels" . | nindent 4 }}
-data:
- gafaelfawr.yaml: |
- {{- toYaml .Values.config | nindent 4 }}
-{{- if .Values.config.updateSchema }}
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: "gafaelfawr-config-schema-update"
 {{- if .Values.config.updateSchema }}
 annotations:
 helm.sh/hook: "pre-install,pre-upgrade"
- helm.sh/hook-delete-policy: "hook-succeeded"
+ helm.sh/hook-delete-policy: "before-hook-creation"
 helm.sh/hook-weight: "0"
 {{- end }}
- labels:
- {{- include "gafaelfawr.labels" . | nindent 4 }}
 data:
 gafaelfawr.yaml: |
 {{- toYaml .Values.config | nindent 4 }}
-{{- end }}
diff --git a/applications/gafaelfawr/templates/cronjob-audit.yaml b/applications/gafaelfawr/templates/cronjob-audit.yaml
index 0013a16262..df5bbd3453 100644
--- a/applications/gafaelfawr/templates/cronjob-audit.yaml
+++ b/applications/gafaelfawr/templates/cronjob-audit.yaml
@@ -37,7 +37,7 @@ spec:
 - "gafaelfawr"
 - "audit"
 env:
- {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "secretName" "gafaelfawr-secret") | nindent 16 }}
+ {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values) | nindent 16 }}
 {{- if .Values.config.metrics.enabled }}
 - name: "KAFKA_CLIENT_CERT_PATH"
 value: "/etc/gafaelfawr-kafka/user.crt"
@@ -95,7 +95,7 @@ spec:
 volumes:
 - name: "config"
 configMap:
- name: "gafaelfawr-config"
+ name: "gafaelfawr"
 {{- if .Values.config.metrics.enabled }}
 - name: "kafka"
 secret:
@@ -107,7 +107,7 @@ spec:
 secretName: "gafaelfawr-keytab"
 - name: "kerberos-config"
 configMap:
- name: "gafaelfawr-config-kerberos"
+ name: "gafaelfawr-kerberos"
 - name: "tmp"
 emptyDir: {}
 {{- end }}
diff --git a/applications/gafaelfawr/templates/cronjob-maintenance.yaml b/applications/gafaelfawr/templates/cronjob-maintenance.yaml
index bbefece8bd..7108a75266 100644
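Review bot: Making the `gafaelfawr` ConfigMap a `pre-install,pre-upgrade` hook only when `config.updateSchema` is set means the same named resource is release-tracked in one configuration and untracked in the other, and Helm neither removes hook resources on `helm uninstall` nor re-renders them on `helm rollback`, which runs only `pre-rollback`/`post-rollback` hooks. As far as I can tell, a rollback while `updateSchema` is on therefore restores the old Deployment against a ConfigMap still holding the newer rendered config, and turning the flag on in an existing release leaves Helm to delete the previously tracked ConfigMap after the hook copy has been created. The `serviceaccount.yaml` and `vault-secrets.yaml` hunks use the identical conditional block and share this issue. Keeping a hook-only copy for the schema-update Job, as the removed lines did, or at least adding `pre-rollback` to `helm.sh/hook` and documenting that `updateSchema` must not be toggled on a live release, would close the gap.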
--- a/applications/gafaelfawr/templates/cronjob-maintenance.yaml
+++ b/applications/gafaelfawr/templates/cronjob-maintenance.yaml
@@ -36,7 +36,7 @@ spec:
 - "gafaelfawr"
 - "maintenance"
 env:
- {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "secretName" "gafaelfawr-secret") | nindent 16 }}
+ {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values) | nindent 16 }}
 {{- if .Values.config.metrics.enabled }}
 - name: "KAFKA_CLIENT_CERT_PATH"
 value: "/etc/gafaelfawr-kafka/user.crt"
@@ -94,7 +94,7 @@ spec:
 volumes:
 - name: "config"
 configMap:
- name: "gafaelfawr-config"
+ name: "gafaelfawr"
 {{- if .Values.config.metrics.enabled }}
 - name: "kafka"
 secret:
@@ -106,7 +106,7 @@ spec:
 secretName: "gafaelfawr-keytab"
 - name: "kerberos-config"
 configMap:
- name: "gafaelfawr-config-kerberos"
+ name: "gafaelfawr-kerberos"
 - name: "tmp"
 emptyDir: {}
 {{- end }}
diff --git a/applications/gafaelfawr/templates/deployment-operator.yaml b/applications/gafaelfawr/templates/deployment-operator.yaml
index 323a25bce6..821ca0fabc 100644
--- a/applications/gafaelfawr/templates/deployment-operator.yaml
+++ b/applications/gafaelfawr/templates/deployment-operator.yaml
@@ -42,7 +42,7 @@ spec:
 - "-m"
 - "gafaelfawr.operator"
 env:
- {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "secretName" "gafaelfawr-secret") | nindent 12 }}
+ {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values) | nindent 12 }}
 {{- if .Values.config.metrics.enabled }}
 - name: "KAFKA_CLIENT_CERT_PATH"
 value: "/etc/gafaelfawr-kafka/user.crt"
@@ -112,7 +112,7 @@ spec:
 volumes:
 - name: "config"
 configMap:
- name: "gafaelfawr-config"
+ name: "gafaelfawr"
 {{- if .Values.config.metrics.enabled }}
 - name: "kafka"
 secret:
@@ -124,7 +124,7 @@ spec:
 secretName: "gafaelfawr-keytab"
 - name: "kerberos-config"
 configMap:
- name: "gafaelfawr-config-kerberos"
+ name: "gafaelfawr-kerberos"
 - name: "tmp"
 emptyDir: {}
 {{- end }}
diff --git a/applications/gafaelfawr/templates/deployment.yaml b/applications/gafaelfawr/templates/deployment.yaml
index fed652313f..22dc810318 100644
--- a/applications/gafaelfawr/templates/deployment.yaml
+++ b/applications/gafaelfawr/templates/deployment.yaml
@@ -54,7 +54,7 @@ spec:
 {{- end }}
 - name: "gafaelfawr"
 env:
- {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "secretName" "gafaelfawr-secret" "sidecar" true) | nindent 12 }}
+ {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "sidecar" true) | nindent 12 }}
 {{- if .Values.config.metrics.enabled }}
 - name: "KAFKA_CLIENT_CERT_PATH"
 value: "/etc/gafaelfawr-kafka/user.crt"
@@ -135,7 +135,7 @@ spec:
 volumes:
 - name: "config"
 configMap:
- name: "gafaelfawr-config"
+ name: "gafaelfawr"
 {{- if .Values.config.metrics.enabled }}
 - name: "kafka"
 secret:
@@ -147,7 +147,7 @@ spec:
 secretName: "gafaelfawr-keytab"
 - name: "kerberos-config"
 configMap:
- name: "gafaelfawr-config-kerberos"
+ name: "gafaelfawr-kerberos"
 - name: "tmp"
 emptyDir: {}
 {{- end }}
diff --git a/applications/gafaelfawr/templates/job-schema-update.yaml b/applications/gafaelfawr/templates/job-schema-update.yaml
index 87cc71815a..65bc2b52a0 100644
--- a/applications/gafaelfawr/templates/job-schema-update.yaml
+++ b/applications/gafaelfawr/templates/job-schema-update.yaml
@@ -23,7 +23,7 @@ spec:
 gafaelfawr-redis-client: "true"
 spec:
 {{- if .Values.cloudsql.enabled }}
- serviceAccountName: "gafaelfawr-schema-update"
+ serviceAccountName: "gafaelfawr"
 {{- else }}
 automountServiceAccountToken: false
 {{- end }}
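Review bot: `serviceAccountName: "gafaelfawr"` runs the schema-update Job under the account shared with the long-running workloads, where the removed line used a dedicated `gafaelfawr-schema-update` account that, per the removed lines in `serviceaccount.yaml`, carried nothing but the `iam.gke.io/gcp-service-account` annotation. If the `gafaelfawr` account has RBAC bindings (the operator Deployment in this chart is the likely holder; its bindings are outside the diff), the Job inherits Kubernetes API permissions it does not need for a database migration. If the consolidation is deliberate, a comment above this line such as `# Shared with the main workloads only for its GCP workload-identity annotation; the Job needs no Kubernetes API access` would record the accepted scope. The pod spec this line belongs to continues outside the hunk.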
@@ -79,7 +79,7 @@ spec:
 gafaelfawr update-schema
 touch /lifecycle/main-terminated
 env:
- {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "secretName" "gafaelfawr-secret-schema-update" "sidecar" true) | nindent 12 }}
+ {{- include "gafaelfawr.envVars" (dict "Release" .Release "Values" .Values "sidecar" true) | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
 {{- with .Values.resources }}
@@ -106,7 +106,7 @@ spec:
 volumes:
 - name: "config"
 configMap:
- name: "gafaelfawr-config-schema-update"
+ name: "gafaelfawr"
 - name: "lifecycle"
 emptyDir: {}
 {{- with .Values.nodeSelector }}
diff --git a/applications/gafaelfawr/templates/serviceaccount.yaml b/applications/gafaelfawr/templates/serviceaccount.yaml
index acf07b2ed2..42aea8bf2e 100644
--- a/applications/gafaelfawr/templates/serviceaccount.yaml
+++ b/applications/gafaelfawr/templates/serviceaccount.yaml
@@ -6,19 +6,10 @@ metadata:
 labels:
 {{- include "gafaelfawr.labels" . | nindent 4 }}
 annotations:
- iam.gke.io/gcp-service-account: {{ required "cloudsql.serviceAccount must be set to a valid Google service account" .Values.cloudsql.serviceAccount | quote }}
-{{- if .Values.config.updateSchema }}
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: "gafaelfawr-schema-update"
- labels:
- {{- include "gafaelfawr.labels" . | nindent 4 }}
- annotations:
+ {{- if .Values.config.updateSchema }}
 helm.sh/hook: "pre-install,pre-upgrade"
- helm.sh/hook-delete-policy: "hook-succeeded"
+ helm.sh/hook-delete-policy: "before-hook-creation"
 helm.sh/hook-weight: "0"
+ {{- end }}
 iam.gke.io/gcp-service-account: {{ required "cloudsql.serviceAccount must be set to a valid Google service account" .Values.cloudsql.serviceAccount | quote }}
 {{- end }}
-{{- end }}
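Review bot: `helm.sh/hook-delete-policy: "before-hook-creation"` on this ServiceAccount deletes and recreates it on every upgrade with `updateSchema` set, and since `job-schema-update.yaml` now points at `gafaelfawr` this appears to be the account the running workloads use (its `metadata.name` is above the hunk). Kubernetes validates bound service-account tokens against the account's current UID, so tokens already projected into running pods are rejected from the moment of recreation until the kubelet's next token refresh or a pod restart, and Helm also leaves the recreated account behind on `helm uninstall` because hook resources are not part of the release. The policy is appropriate for a throw-away hook object; an account shared with live pods should stay out of the hook lifecycle, which the removed hook-only `gafaelfawr-schema-update` account achieved.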
diff --git a/applications/gafaelfawr/templates/vault-secrets.yaml b/applications/gafaelfawr/templates/vault-secrets.yaml
index 558598febe..29563d2ebd 100644
--- a/applications/gafaelfawr/templates/vault-secrets.yaml
+++ b/applications/gafaelfawr/templates/vault-secrets.yaml
@@ -1,29 +1,20 @@
 apiVersion: ricoberger.de/v1alpha1
 kind: VaultSecret
 metadata:
- name: "gafaelfawr-secret"
+ name: "gafaelfawr"
 labels:
 {{- include "gafaelfawr.labels" . | nindent 4 }}
-spec:
- path: "{{ .Values.global.vaultSecretsPath }}/gafaelfawr"
- type: Opaque
-{{- if .Values.config.updateSchema }}
---
-apiVersion: ricoberger.de/v1alpha1
-kind: VaultSecret
-metadata:
- name: "gafaelfawr-secret-schema-update"
+ {{- if .Values.config.updateSchema }}
 annotations:
 helm.sh/hook: "pre-install,pre-upgrade"
+ helm.sh/hook-delete-policy: "before-hook-creation"
 helm.sh/hook-weight: "0"
- labels:
- {{- include "gafaelfawr.labels" . | nindent 4 }}
+ {{- end }}
 spec:
 path: "{{ .Values.global.vaultSecretsPath }}/gafaelfawr"
 type: Opaque
-{{- end }}
---
 {{- if .Values.config.ldap.kerberosConfig }}
+---
 apiVersion: ricoberger.de/v1alpha1
 kind: VaultSecret
 metadata:
diff --git a/applications/gafaelfawr/values-ccin2p3.yaml b/applications/gafaelfawr/values-ccin2p3.yaml
index 7d59a28426..3d99fada3c 100644
--- a/applications/gafaelfawr/values-ccin2p3.yaml
+++ b/applications/gafaelfawr/values-ccin2p3.yaml
@@ -6,7 +6,6 @@ redis:
 config:
 logLevel: "DEBUG"
 internalDatabase: true
- updateSchema: False
 # Session length and token expiration (in minutes).
 #issuer:
diff --git a/applications/gafaelfawr/values.yaml b/applications/gafaelfawr/values.yaml
index 034c692cb6..687c900024 100644
--- a/applications/gafaelfawr/values.yaml
+++ b/applications/gafaelfawr/values.yaml
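Review bot: The `before-hook-creation` policy added here deletes the `gafaelfawr` VaultSecret at the start of every upgrade with `updateSchema` set, and if the operator garbage-collects the Secret it owns (inferred from the owner relationship, not shown here) every credential referenced by the `secretKeyRef`s in this diff is missing until the operator re-syncs, so any pod created in that window fails to start. Because hook resources are not part of the release, `helm uninstall` in this configuration also leaves the VaultSecret and the synced Secret holding the bootstrap token, session secret and passwords in the namespace. The schema-update Job presumably needs this Secret as well; if it sits at the same `helm.sh/hook-weight: "0"`, equal-weight hooks are not ordered by dependency, so a lower weight on the VaultSecret (e.g. `helm.sh/hook-weight: "-5"`) would be safer. The removed lines kept a separate hook-only VaultSecret for the Job, which avoided both problems for the shared one.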
@@ -415,9 +415,8 @@ operator:
 redis:
 config:
- # -- Name of secret containing Redis password (may require changing if
- # fullnameOverride is set)
- secretName: "gafaelfawr-secret"
+ # -- Name of secret containing Redis password (do not change)
+ secretName: "gafaelfawr"
 # -- Key inside secret from which to get the Redis password (do not
 # change)