From 1a4b4ca18364cc8e10cb50501d1ea0ebaf7fb4cf Mon Sep 17 00:00:00 2001 From: Sjoerd Schipper Date: Fri, 9 Aug 2024 13:09:35 +0200 Subject: [PATCH 1/2] :bookmark: Openinwoner helm release 1.5.0 / appversion 1.19.0 --- charts/openinwoner/Chart.yaml | 4 +- charts/openinwoner/README.md | 48 ++++- charts/openinwoner/templates/_helpers.tpl | 28 +-- charts/openinwoner/templates/configmap.yaml | 9 +- charts/openinwoner/templates/deployment.yaml | 185 ++++++++++++++++++- charts/openinwoner/templates/secret.yaml | 3 + charts/openinwoner/values.yaml | 48 +++-- 7 files changed, 271 insertions(+), 54 deletions(-) diff --git a/charts/openinwoner/Chart.yaml b/charts/openinwoner/Chart.yaml index b2dfba7..338e781 100644 --- a/charts/openinwoner/Chart.yaml +++ b/charts/openinwoner/Chart.yaml @@ -3,8 +3,8 @@ name: openinwoner description: Platform voor gemeenten en overheden om producten inzichtelijker en toegankelijker te maken voor inwoners. type: application -version: 1.4.0 -appVersion: "1.17.2" +version: 1.5.0 +appVersion: "1.19.0" dependencies: - name: redis diff --git a/charts/openinwoner/README.md b/charts/openinwoner/README.md index 0417d41..4f1cfce 100644 --- a/charts/openinwoner/README.md +++ b/charts/openinwoner/README.md @@ -1,6 +1,6 @@ # openinwoner -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.3](https://img.shields.io/badge/AppVersion-1.8.3-informational?style=flat-square) +![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.19.0](https://img.shields.io/badge/AppVersion-1.19.0-informational?style=flat-square) Platform voor gemeenten en overheden om producten inzichtelijker en toegankelijker te maken voor inwoners. 
@@ -28,6 +28,16 @@ helm install my-release my-repo/openinwoner | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | autoscaling.targetMemoryUtilizationPercentage | int | `80` | | +| azureVaultSecret.contentType | string | `""` | | +| azureVaultSecret.objectName | string | `""` | | +| azureVaultSecret.secretName | string | `"{{ .Values.existingSecret }}"` | | +| azureVaultSecret.vaultName | string | `nil` | | +| beat.podLabels | object | `{}` | | +| beat.replicaCount | int | `1` | | +| beat.resources | object | `{}` | | +| celeryMonitor.podLabels | object | `{}` | | +| celeryMonitor.replicaCount | int | `1` | | +| celeryMonitor.resources | object | `{}` | | | elasticsearch.coordinating.replicaCount | int | `1` | | | elasticsearch.data.persistence.enabled | bool | `false` | | | elasticsearch.data.persistence.size | string | `"8Gi"` | | @@ -41,7 +51,7 @@ helm install my-release my-repo/openinwoner | elasticsearch.master.resources.requests.cpu | string | `"25m"` | | | elasticsearch.master.resources.requests.memory | string | `"256Mi"` | | | existingSecret | string | `nil` | | -| extraDeploy | list | `[]` | Optionally specify additional resources to deploy | +| extraDeploy | list | `[]` | Extra objects to deploy (value evaluated as a template) | | extraEnvVars | list | `[]` | Array with extra environment variables to add | | extraIngress | list | `[]` | | | extraVolumeMounts | list | `[]` | Optionally specify extra list of additional volumeMounts | 
@@ -84,9 +94,9 @@ helm install my-release my-repo/openinwoner | nginx.securityContext.readOnlyRootFilesystem | bool | `false` | | | nginx.securityContext.runAsNonRoot | bool | `true` | | | nginx.securityContext.runAsUser | int | `101` | | -| nginx.service.annotations | object | `{}` | Optionally specify extra annotations | -| nginx.service.port | int | `80` | | -| nginx.service.type | string | `"ClusterIP"` | | +| nginx.service.annotations | object | `{}` | | +| nginx.service.port | int | `80` | | +| nginx.service.type | string | `"ClusterIP"` | | | nodeSelector | object | `{}` | | | pdb.create | bool | `false` | | | pdb.maxUnavailable | string | `""` | | @@ -123,8 +133,12 @@ helm install my-release my-repo/openinwoner | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | | settings.allowedHosts | string | `""` | | +| settings.brpVersion | string | `""` | | | settings.cache.axes | string | `""` | Sets 'CACHE_AXES' var, only required when tags.redis is false | | settings.cache.default | string | `""` | Sets 'CACHE_DEFAULT' var, only required when tags.redis is false | +| settings.celery.brokerUrl | string | `""` | | +| settings.celery.logLevel | string | `"debug"` | | +| settings.celery.resultBackend | string | `""` | | | settings.database.host | string | `""` | | | settings.database.name | string | `""` | | | settings.database.password | string | `""` | | @@ -132,7 +146,9 @@ helm install my-release my-repo/openinwoner | settings.database.sslmode | string | `"prefer"` | | | settings.database.username | string | `""` | | | settings.debug | bool | `false` | | +| settings.digidMock | string | `""` | | | settings.djangoSettingsModule | string | `"open_inwoner.conf.docker"` | | +| settings.eherkenningMock | string | `""` | | | settings.elasticSearchHost | string | `""` | Elasticsearch hostname, only required when tags.elasticsearch is false | | settings.elasticapm.token | string | `""` | | | settings.elasticapm.url | string | `""` | | 
@@ -147,9 +163,8 @@ helm install my-release my-repo/openinwoner | settings.loadFixtures | bool | `false` | Will load all fixtures in /app/src/open_inwoner/conf/fixtures/*.json | | settings.secretKey | string | `""` | Generate secret key at https://djecrety.ir/ | | settings.sentry.dsn | string | `""` | | -| settings.twoFactorAuthentication.forceOtpAdmin | bool | `true` | Enforce 2 Factor Authentication in the admin or not. Default True. You'll probably want to disable this when using OIDC. | -| settings.twoFactorAuthentication.patchAdmin | bool | `true` | Whether to use the 2 Factor Authentication login flow for the admin or not. Default True. You'll probably want to disable this when using OIDC. | -| settings.useXForwardedHost | bool | `true` | | +| settings.smsgateway.apikey | string | `""` | | +| settings.smsgateway.backend | string | `""` | For example "open_inwoner.accounts.gateways.MessageBird" | | settings.uwsgi.harakiri | string | `""` | | | settings.uwsgi.master | bool | `false` | | | settings.uwsgi.maxRequests | string | `""` | | 
@@ -158,4 +173,21 @@ helm install my-release my-repo/openinwoner | tags.elasticsearch | bool | `true` | | | tags.redis | bool | `true` | | | tolerations | list | `[]` | | +| worker.autoscaling.enabled | bool | `false` | | +| worker.autoscaling.maxReplicas | int | `100` | | +| worker.autoscaling.minReplicas | int | `1` | | +| worker.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| worker.autoscaling.targetMemoryUtilizationPercentage | int | `80` | | +| worker.concurrency | int | `4` | | +| worker.livenessProbe.exec.command[0] | string | `"python"` | | +| worker.livenessProbe.exec.command[1] | string | `"/app/bin/check_celery_worker_liveness.py"` | | +| worker.livenessProbe.failureThreshold | int | `3` | | +| worker.livenessProbe.initialDelaySeconds | int | `60` | | +| worker.livenessProbe.periodSeconds | int | `10` | | +| worker.livenessProbe.successThreshold | int | `1` | | +| worker.livenessProbe.timeoutSeconds | int | `5` | | +| worker.maxWorkerLivenessDelta | string | `""` | | +| worker.podLabels | object | `{}` | | +| worker.replicaCount | int | `1` | | +| worker.resources | object | `{}` | | diff --git a/charts/openinwoner/templates/_helpers.tpl b/charts/openinwoner/templates/_helpers.tpl index 32e26bd..2605188 100644 --- a/charts/openinwoner/templates/_helpers.tpl +++ b/charts/openinwoner/templates/_helpers.tpl 
@@ -161,34 +161,34 @@ app.kubernetes.io/name: {{ include "openinwoner.beatName" . }} {{- end }} {{/* -Create a name for Flower -We truncate at 56 chars in order to provide space for the "-flower" suffix +Create a name for Celery Monitor +We truncate at 56 chars in order to provide space for the "-celery-monitor" suffix */}} -{{- define "openinwoner.flowerName" -}} -{{ include "openinwoner.name" . | trunc 56 | trimSuffix "-" }}-flower +{{- define "openinwoner.celeryMonitorName" -}} +{{ include "openinwoner.name" . | trunc 56 | trimSuffix "-" }}-celery-monitor {{- end }} {{/* -Create a default fully qualified name for Flower. -We truncate at 56 chars in order to provide space for the "-flower" suffix +Create a default fully qualified name for celeryMonitor. +We truncate at 56 chars in order to provide space for the "-celeryMonitor" suffix */}} -{{- define "openinwoner.flowerFullname" -}} -{{ include "openinwoner.fullname" . | trunc 56 | trimSuffix "-" }}-flower +{{- define "openinwoner.celeryMonitorFullname" -}} +{{ include "openinwoner.fullname" . | trunc 56 | trimSuffix "-" }}-celery-monitor {{- end }} {{/* -Flower labels +celeryMonitor labels */}} -{{- define "openinwoner.flowerLabels" -}} +{{- define "openinwoner.celeryMonitorLabels" -}} {{ include "openinwoner.commonLabels" . }} -{{ include "openinwoner.flowerSelectorLabels" . }} +{{ include "openinwoner.celeryMonitorSelectorLabels" . }} {{- end }} {{/* -Flower selector labels +celeryMonitor selector labels */}} -{{- define "openinwoner.flowerSelectorLabels" -}} -app.kubernetes.io/name: {{ include "openinwoner.flowerName" . }} +{{- define "openinwoner.celeryMonitorSelectorLabels" -}} +app.kubernetes.io/name: {{ include "openinwoner.celeryMonitorName" . }} {{- end }} {{/* diff --git a/charts/openinwoner/templates/configmap.yaml b/charts/openinwoner/templates/configmap.yaml index 2a651cc..69ebcfc 100644 --- a/charts/openinwoner/templates/configmap.yaml +++ b/charts/openinwoner/templates/configmap.yaml 
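Review bot: The `trunc 56` in `openinwoner.celeryMonitorName` and `openinwoner.celeryMonitorFullname` was sized for the 7-character `-flower` suffix, but the new `-celery-monitor` suffix is 15 characters, so a base name longer than 48 characters yields a result above 63 characters. `openinwoner.celeryMonitorSelectorLabels` puts that name into the `app.kubernetes.io/name` label, and Kubernetes rejects label values longer than 63 characters. Use `trunc 48` in both helpers and update the comments to match, e.g. `We truncate at 48 chars in order to provide space for the "-celery-monitor" suffix`; the second comment also names the suffix as `-celeryMonitor`, which is not what the template appends. How long `openinwoner.name` and `openinwoner.fullname` can get is defined outside this hunk.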
@@ -28,6 +28,13 @@ data: {{- end }} CELERY_LOGLEVEL: {{ .Values.settings.celery.logLevel | upper | toString | quote }} DIGID_MOCK: {{ .Values.settings.digidMock | toString | quote }} + EHERKENNING_MOCK: {{ .Values.settings.eherkenningdMock | toString | quote }} + {{- if .Values.settings.smsgateway.backend }} + ACCOUNTS_SMS_GATEWAY_BACKEND: {{ .Values.settings.smsgateway.backend | toString | quote }} + {{- end }} + {{- if .Values.settings.brpVersion }} + BRP_VERSION: {{ .Values.settings.brpVersion | toString | quote }} + {{- end }} DB_NAME: {{ .Values.settings.database.name | toString | quote }} DB_HOST: {{ .Values.settings.database.host | toString | quote }} DB_USER: {{ .Values.settings.database.username | toString | quote }} @@ -49,8 +56,6 @@ data: {{- if .Values.settings.elasticapm.url }} ELASTIC_APM_SERVICE_NAME: {{ .Values.settings.elasticapm.serviceName | toString | quote }} {{- end }} - TWO_FACTOR_FORCE_OTP_ADMIN: {{ if .Values.settings.twoFactorAuthentication.forceOtpAdmin }}"True"{{ else }}"False"{{ end }} - TWO_FACTOR_PATCH_ADMIN: {{ if .Values.settings.twoFactorAuthentication.patchAdmin }}"True"{{ else }}"False"{{ end }} {{- if .Values.settings.uwsgi.master }} UWSGI_MASTER: {{ if .Values.settings.uwsgi.master }}"1"{{ else }}"0"{{ end }} {{- end }} diff --git a/charts/openinwoner/templates/deployment.yaml b/charts/openinwoner/templates/deployment.yaml index 9323009..d655de2 100644 --- a/charts/openinwoner/templates/deployment.yaml +++ b/charts/openinwoner/templates/deployment.yaml @@ -51,15 +51,6 @@ spec: - name: http containerPort: 8000 protocol: TCP - {{- if .Values.settings.loadFixtures }} - lifecycle: - postStart: - exec: - command: - - "/bin/bash" - - "-c" - - /app/src/manage.py loaddata /app/src/open_inwoner/conf/fixtures/*.json - {{- end }} livenessProbe: httpGet: path: /admin/ 
@@ -114,6 +105,180 @@ spec: --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "openinwoner.beatFullname" . }} + labels: + {{- include "openinwoner.beatLabels" . | nindent 4 }} +spec: + replicas: {{ .Values.beat.replicaCount }} + selector: + matchLabels: + {{- include "openinwoner.beatSelectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "openinwoner.beatSelectorLabels" . | nindent 8 }} + {{- with .Values.beat.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "openinwoner.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "openinwoner.beatFullname" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- if .Values.extraEnvVars }} + {{- include "openinwoner.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + - secretRef: + name: {{ .Values.existingSecret | default (include "openinwoner.fullname" .) }} + - configMapRef: + name: {{ include "openinwoner.fullname" . 
}} + resources: + {{- toYaml .Values.beat.resources | nindent 12 }} + command: + - /celery_beat.sh + volumeMounts: + - name: media + mountPath: /app/private_media + subPath: {{ .Values.persistence.privateMediaMountSubpath | default "openinwoner/private_media" }} + - name: media + mountPath: /app/media + subPath: {{ .Values.persistence.mediaMountSubpath | default "openinwoner/media" }} + {{- if .Values.extraVolumeMounts }} + {{- include "openinwoner.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + volumes: + - name: media + persistentVolumeClaim: + {{- if .Values.persistence.enabled }} + claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "openinwoner.fullname" . }}{{- end }} + {{- else }} + emptyDir: { } + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "openinwoner.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "openinwoner.celeryMonitorFullname" . }} + labels: + {{- include "openinwoner.celeryMonitorLabels" . | nindent 4 }} +spec: + replicas: {{ .Values.celeryMonitor.replicaCount }} + selector: + matchLabels: + {{- include "openinwoner.celeryMonitorSelectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "openinwoner.celeryMonitorSelectorLabels" . 
| nindent 8 }} + {{- with .Values.celeryMonitor.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "openinwoner.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "openinwoner.celeryMonitorFullname" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- if .Values.extraEnvVars }} + {{- include "openinwoner.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + - secretRef: + name: {{ .Values.existingSecret | default (include "openinwoner.fullname" .) }} + - configMapRef: + name: {{ include "openinwoner.fullname" . }} + resources: + {{- toYaml .Values.celeryMonitor.resources | nindent 12 }} + command: + - /celery_monitor.sh + volumeMounts: + - name: media + mountPath: /app/private_media + subPath: {{ .Values.persistence.privateMediaMountSubpath | default "openinwoner/private_media" }} + - name: media + mountPath: /app/media + subPath: {{ .Values.persistence.mediaMountSubpath | default "openinwoner/media" }} + {{- if .Values.extraVolumeMounts }} + {{- include "openinwoner.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + volumes: + - name: media + persistentVolumeClaim: + {{- if .Values.persistence.enabled }} + claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "openinwoner.fullname" . 
}}{{- end }} + {{- else }} + emptyDir: { } + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "openinwoner.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + +--- + apiVersion: apps/v1 kind: Deployment metadata: @@ -205,7 +370,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} ---- +--- apiVersion: apps/v1 kind: Deployment diff --git a/charts/openinwoner/templates/secret.yaml b/charts/openinwoner/templates/secret.yaml index f3f1f0e..d2f15dc 100644 --- a/charts/openinwoner/templates/secret.yaml +++ b/charts/openinwoner/templates/secret.yaml @@ -18,4 +18,7 @@ stringData: {{- if .Values.settings.email.password }} EMAIL_HOST_PASSWORD: {{ .Values.settings.email.password | toString | quote }} {{- end }} + {{- if .Values.settings.smsgateway.backend }} + ACCOUNTS_SMS_GATEWAY_API_KEY: {{ .Values.settings.smsgateway.apikey | toString | quote }} + {{- end }} {{- end }} diff --git a/charts/openinwoner/values.yaml b/charts/openinwoner/values.yaml index 4415010..47ad04e 100644 --- a/charts/openinwoner/values.yaml +++ b/charts/openinwoner/values.yaml @@ -165,7 +165,7 @@ extraVolumeMounts: [] # - name: verify-certs # mountPath: /etc/ssl/certs/extra-certs/ -# Extra objects to deploy (value evaluated as a template) +# -- Extra objects to deploy (value evaluated as a template) extraDeploy: [] settings: @@ -203,7 +203,15 @@ settings: url: "" token: "" + smsgateway: + # -- For example "open_inwoner.accounts.gateways.MessageBird" + backend: "" + apikey: "" + + brpVersion: "" + digidMock: "" + eherkenningMock: "" sentry: dsn: "" 
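Review bot: The beat Deployment added in this hunk takes `replicas: {{ .Values.beat.replicaCount }}` and sets no `strategy`, so a value above 1, or the overlap during a default rolling update, can run two Celery beat schedulers at once and enqueue periodic tasks twice. Beat is meant to run as a single instance; consider hard-coding `replicas: 1` and adding `strategy:` with `type: Recreate` to that Deployment's `spec`. Neither new container defines a liveness or readiness probe, unlike the worker values later in this patch, so a hung beat or monitor process is not restarted. Both pods also load the full chart Secret through `envFrom` and mount the media volume; if `/celery_monitor.sh` needs neither, dropping them narrows what that pod can reach.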
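Review bot: `ACCOUNTS_SMS_GATEWAY_API_KEY` is gated on `settings.smsgateway.backend` rather than on the key itself, so setting a backend without `settings.smsgateway.apikey` writes an empty API key into the Secret. The `EMAIL_HOST_PASSWORD` entry just above tests its own value; the same pattern here would be `{{- if .Values.settings.smsgateway.apikey }}`. The `stringData` block and the outer conditional that the final `{{- end }}` closes start outside this hunk.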
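Review bot: `settings.smsgateway.apikey` is a credential but is added without a `# --` description, and the README table in this patch lists it with an empty description. A comment such as `# -- API key for the SMS gateway backend; keep it out of committed values files` would tell operators how to handle it. `eherkenningMock`, like the existing `digidMock`, is also undocumented; the names suggest they switch the login flow to a mock provider, so a comment stating the accepted values and that they should stay empty in production would help. Confirm the semantics against the application before wording it.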
@@ -230,12 +238,6 @@ settings: debug: false - twoFactorAuthentication: - # -- Enforce 2 Factor Authentication in the admin or not. Default True. You'll probably want to disable this when using OIDC. - forceOtpAdmin: true - # -- Whether to use the 2 Factor Authentication login flow for the admin or not. Default True. You'll probably want to disable this when using OIDC. - patchAdmin: true - uwsgi: master: false threads: "" @@ -250,17 +252,17 @@ worker: resources: {} # Defaults to 60s maxWorkerLivenessDelta: "" - # livenessProbe: - # exec: - # command: - # - python - # - /app/bin/check_celery_worker_liveness.py - # initialDelaySeconds: 60 - # # Periodeseconds should not exceed maxWorkerLivenessDelta - # periodSeconds: 10 - # timeoutSeconds: 5 - # failureThreshold: 3 - # successThreshold: 1 + livenessProbe: + exec: + command: + - python + - /app/bin/check_celery_worker_liveness.py + initialDelaySeconds: 60 + # Periodeseconds should not exceed maxWorkerLivenessDelta + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 autoscaling: enabled: false minReplicas: 1 @@ -268,6 +270,16 @@ worker: targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 +beat: + replicaCount: 1 + podLabels: {} + resources: {} + +celeryMonitor: + replicaCount: 1 + podLabels: {} + resources: {} + nginx: image: repository: nginxinc/nginx-unprivileged From 30a35543e526982127a4250707b6562966c371bb Mon Sep 17 00:00:00 2001 From: Sjoerd Schipper Date: Fri, 9 Aug 2024 13:17:37 +0200 Subject: [PATCH 2/2] :pencil: typo eherkenningMock --- charts/openinwoner/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/openinwoner/templates/configmap.yaml b/charts/openinwoner/templates/configmap.yaml index 69ebcfc..185b978 100644 --- a/charts/openinwoner/templates/configmap.yaml +++ b/charts/openinwoner/templates/configmap.yaml 
@@ -28,7 +28,7 @@ data:
 {{- end }}
 CELERY_LOGLEVEL: {{ .Values.settings.celery.logLevel | upper | toString | quote }}
 DIGID_MOCK: {{ .Values.settings.digidMock | toString | quote }}
- EHERKENNING_MOCK: {{ .Values.settings.eherkenningdMock | toString | quote }}
+ EHERKENNING_MOCK: {{ .Values.settings.eherkenningMock | toString | quote }}
 {{- if .Values.settings.smsgateway.backend }}
 ACCOUNTS_SMS_GATEWAY_BACKEND: {{ .Values.settings.smsgateway.backend | toString | quote }}
 {{- end }}