diff --git a/.github/actions/deploy-to-environment/action.yaml b/.github/actions/deploy-to-environment/action.yaml index d014fa9..f1329bb 100644 --- a/.github/actions/deploy-to-environment/action.yaml +++ b/.github/actions/deploy-to-environment/action.yaml @@ -45,7 +45,7 @@ runs: run: >- helm upgrade --install --atomic ${{ inputs.job_name }} ${{ inputs.app_name }} --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} - --repo https://bcgov.github.io/common-object-management-service + --repo https://bcgov.github.io/common-document-generation-service --values ./.github/environments/values.${{ inputs.environment }}.yaml --set image.repository=ghcr.io/${{ github.repository_owner }} --set image.tag=sha-$(git rev-parse --short HEAD) diff --git a/.github/environments/values.dev.yaml b/.github/environments/values.dev.yaml index bca2beb..2f1b89a 100644 --- a/.github/environments/values.dev.yaml +++ b/.github/environments/values.dev.yaml @@ -12,10 +12,13 @@ config: SERVER_LOGLEVEL: http SERVER_PORT: "3000" - CACHE_DIR: "/tmp/carbone-files" + CACHE_DIR: "/var/lib/file-cache/data" CACHE_SIZE: 2GB CONVERTER_FACTORY_TIMEOUT: "60000" START_CARBONE: "true" UPLOAD_FIELD_NAME: template UPLOAD_FILE_COUNT: "1" UPLOAD_FILE_SIZE: 25MB + +fluentBit: + enabled: true diff --git a/.github/environments/values.pr.yaml b/.github/environments/values.pr.yaml index ed97d53..6d867e6 100644 --- a/.github/environments/values.pr.yaml +++ b/.github/environments/values.pr.yaml @@ -1 +1,6 @@ --- +persistentVolumeClaim: + enabled: false + +fluentBit: + enabled: false diff --git a/.github/environments/values.prod.yaml b/.github/environments/values.prod.yaml index f5870a0..5addcd4 100644 --- a/.github/environments/values.prod.yaml +++ b/.github/environments/values.prod.yaml 
@@ -3,7 +3,8 @@ config: enabled: true configMap: KC_ENABLED: "true" - KC_PUBLICKEY: ~ + KC_PUBLICKEY: >- + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtq5+xTKB1FRCwufdluEx8mNIZU3eXpo91QUrqlpq226HcyF9WPihdpuZzdlS+kW6EC2prZfJpvDvzT/Og4fx9ZoQVKV0uYvWvEg5Sc3ikQMfO0ngqUC6FkxElj9LzpijpdEQd0JAmmem2329lITwWroX70imLhYu3aY+Q3hSY2lg5OJCBw0I2pulfQiMsGn3vgkwSvmIsDhOgSnwPJhPxD9TY6kjvTff6LB1bFSwlxh1l8dRBqRabDunoHn/uHfhVAHB/SgPkvP5Ybc5bP/idBNP0kiQcWiT02Z7aB1r7Fnd5YH9FEDhhF5OIYYBzHP4hPm6AgqG/IDhAuiqf/F9eQIDAQAB KC_REALM: comsvcauth KC_SERVERURL: "https://loginproxy.gov.bc.ca/auth" @@ -11,10 +12,13 @@ config: SERVER_LOGLEVEL: http SERVER_PORT: "3000" - CACHE_DIR: "/tmp/carbone-files" + CACHE_DIR: "/var/lib/file-cache/data" CACHE_SIZE: 2GB CONVERTER_FACTORY_TIMEOUT: "60000" START_CARBONE: "true" UPLOAD_FIELD_NAME: template UPLOAD_FILE_COUNT: "1" UPLOAD_FILE_SIZE: 25MB + +fluentBit: + enabled: true diff --git a/.github/environments/values.test.yaml b/.github/environments/values.test.yaml index d025d0b..395ea46 100644 --- a/.github/environments/values.test.yaml +++ b/.github/environments/values.test.yaml @@ -3,7 +3,8 @@ config: enabled: true configMap: KC_ENABLED: "true" - KC_PUBLICKEY: ~ + KC_PUBLICKEY: >- + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dLa3e2Q65cvzoKYdqSu/Qkoi5fbG9FF++u0TVm3461sS7uLo2aIviNXHrfzgu4RKnzoy51VXhAfeT58mGiAweJiRyILr0OtwbDEd/W9D4Y8FdWV37Ltmb4D1M0kCHPHo9wkl5aGZj0VFgExdFXenSDlNuglZpNuAVOwWTL7hX1Cc+5Z5hX8891fcxcdAF/GkDGcyIteHV04aeoCWEMak0gSpGsNUgEhn7FUHI6maqiaBdoyOWn0Jbw/JpqewcD9ZYFLzZTMuBssTXJt4ipTibeqbI/bAdCtxXLJgmpkyMSA/KQeHLmBPdq3ayctoDRpqVMHsnC31Hm7Fz8aDHKaDwIDAQAB KC_REALM: comsvcauth KC_SERVERURL: "https://test.loginproxy.gov.bc.ca/auth" @@ -11,10 +12,13 @@ config: SERVER_LOGLEVEL: http SERVER_PORT: "3000" - CACHE_DIR: "/tmp/carbone-files" + CACHE_DIR: "/var/lib/file-cache/data" CACHE_SIZE: 2GB CONVERTER_FACTORY_TIMEOUT: "60000" START_CARBONE: "true" UPLOAD_FIELD_NAME: template UPLOAD_FILE_COUNT: "1" UPLOAD_FILE_SIZE: 25MB + +fluentBit: + enabled: true 
diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml new file mode 100644 index 0000000..62919f9 --- /dev/null +++ b/.github/workflows/charts-release.yaml @@ -0,0 +1,27 @@ +name: Release Charts + +on: + push: + paths: + - 'charts/**' + branches: + - master + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.5.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/app/config/default.json b/app/config/default.json index ada1c44..e98d8da 100644 --- a/app/config/default.json +++ b/app/config/default.json @@ -9,7 +9,7 @@ "port": "3000" }, "carbone": { - "cacheDir": "/tmp/carbone-files", + "cacheDir": "/var/lib/file-cache/data", "cacheSize": "2GB", "converterFactoryTimeout": "60000", "formFieldName": "template", diff --git a/charts/cdogs/README.md b/charts/cdogs/README.md index 44103a5..933f587 100644 --- a/charts/cdogs/README.md +++ b/charts/cdogs/README.md 
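Review bot: The new `release` job declares no `permissions:` block, so the chart-releaser step runs with the repository's default GITHUB_TOKEN grant although it has to push the index branch and create releases; scope it explicitly at the job level with `release:` / `  permissions:` / `    contents: write` so the grant is least-privilege and independent of the repo-wide default. Both steps reference actions by floating tags (`actions/checkout@v3`, `helm/chart-releaser-action@v1.5.0`); pinning each `uses:` to the full commit SHA of that tag, with the tag kept in a trailing comment, makes the release build reproducible and closes the moved-tag supply-chain case. Quoting `"${{ secrets.GITHUB_TOKEN }}"` is fine as written; the token value is never interpolated into a shell step here.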
@@ -29,40 +29,63 @@ Kubernetes: `>= 1.13.0` | autoscaling.maxReplicas | int | `16` | | | autoscaling.minReplicas | int | `2` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| config.configMap | object | `{"CACHE_DIR":"/tmp/carbone-files","CACHE_SIZE":"2GB","CONVERTER_FACTORY_TIMEOUT":"60000","KC_PUBLICKEY":null,"KC_REALM":null,"KC_SERVERURL":null,"SERVER_BODYLIMIT":"100mb","SERVER_LOGLEVEL":"http","SERVER_PORT":"3000","START_CARBONE":"true","UPLOAD_FIELD_NAME":"template","UPLOAD_FILE_COUNT":"1","UPLOAD_FILE_SIZE":"25MB"}` | These values will be wholesale added to the configmap as is; refer to the cdogs documentation for what each of these values mean and whether you need them defined. Ensure that all values are represented explicitly as strings, as non-string values will not translate over as expected into container environment variables. For configuration keys named `*_ENABLED`, either leave them commented/undefined, or set them to string value "true". | +| awsSecretOverride.password | string | `nil` | AWS Kinesis password - used by fluent-bit | +| awsSecretOverride.username | string | `nil` | AWS Kinesis username - used by fluent-bit | +| config.configMap | object | `{"CACHE_DIR":"/var/lib/file-cache/data","CACHE_SIZE":"2GB","CONVERTER_FACTORY_TIMEOUT":"60000","KC_PUBLICKEY":null,"KC_REALM":null,"KC_SERVERURL":null,"SERVER_BODYLIMIT":"100mb","SERVER_LOGLEVEL":"http","SERVER_PORT":"3000","START_CARBONE":"true","UPLOAD_FIELD_NAME":"template","UPLOAD_FILE_COUNT":"1","UPLOAD_FILE_SIZE":"25MB"}` | These values will be wholesale added to the configmap as is; refer to the cdogs documentation for what each of these values mean and whether you need them defined. Ensure that all values are represented explicitly as strings, as non-string values will not translate over as expected into container environment variables. For configuration keys named `*_ENABLED`, either leave them commented/undefined, or set them to string value "true". 
| | config.enabled | bool | `false` | | | config.releaseScoped | bool | `false` | This should be set to true if and only if you require configmaps and secrets to be release scoped. In the event you want all instances in the same namespace to share a similar configuration, this should be set to false | | failurePolicy | string | `"Retry"` | | -| fluentBit.enabled | bool | `false` | | +| fluentBit.config.aws.defaultRegion | string | `"ca-central-1"` | AWS Kinesis default region | +| fluentBit.config.aws.kinesisStream | string | `"nress-prod-iit-logs"` | AWS Kinesis stream name | +| fluentBit.config.aws.roleArn | string | `nil` | AWS Kinesis role ARN | +| fluentBit.config.logHostname | string | `"fluentd-csst.apps.silver.devops.gov.bc.ca"` | Fluentd logging hostname endpoint | +| fluentBit.config.namespace | string | `nil` | The openshift/k8s namespace identifier | +| fluentBit.config.product | string | `"cdogs"` | The application/product name identifier | +| fluentBit.enabled | bool | `false` | Specifies whether the fluent-bit logging sidecar should be enabled | +| fluentBit.image.name | string | `"fluent-bit"` | Default image name | +| fluentBit.image.repository | string | `"docker.io/fluent"` | Default image repository | +| fluentBit.image.tag | string | `"2.1.10"` | Default image tag | +| fluentBit.resources.limits.cpu | string | `"100m"` | Limit Peak CPU (in millicores ex. 1000m) | +| fluentBit.resources.limits.memory | string | `"64Mi"` | Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) | +| fluentBit.resources.requests.cpu | string | `"10m"` | Requested CPU (in millicores ex. 500m) | +| fluentBit.resources.requests.memory | string | `"16Mi"` | Requested Memory (in gigabytes Gi or megabytes Mi ex. 
500Mi) | +| fluentBit.route.metrics.path | string | `"/"` | | +| fluentBit.service.httpPlugin.name | string | `"http-plugin"` | HTTP Plugin service name | +| fluentBit.service.httpPlugin.port | int | `80` | HTTP Plugin service port | +| fluentBit.service.metrics.name | string | `"metrics"` | Metrics service name | +| fluentBit.service.metrics.port | int | `2020` | Metrics service port | | fullnameOverride | string | `nil` | String to fully override fullname | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"docker.io/bcgovimages"` | | -| image.tag | string | `nil` | | +| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy | +| image.repository | string | `"docker.io/bcgovimages"` | Default image repository | +| image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Specify docker-registry secret names as an array | -| keycloakSecretOverride.password | string | `nil` | | -| keycloakSecretOverride.username | string | `nil` | | +| keycloakSecretOverride.password | string | `nil` | Keycloak password | +| keycloakSecretOverride.username | string | `nil` | Keycloak username | | nameOverride | string | `nil` | String to partially override fullname | | networkPolicy.enabled | bool | `true` | Specifies whether a network policy should be created | +| persistentVolumeClaim.enabled | bool | `true` | Specifies whether a persistent volume claim should be created | +| persistentVolumeClaim.storageClassName | string | `"netapp-file-standard"` | Default storage class type | +| persistentVolumeClaim.storageSize | string | `"2G"` | PVC Storage size (use M or G, not Mi or Gi) | | podAnnotations | object | `{}` | Annotations for cdogs pods | -| podSecurityContext | object | `{}` | | +| podSecurityContext | object | `{}` | Privilege and access control settings | | replicaCount | int | `2` | | -| resources.limits.cpu | string | `"1000m"` | | -| 
resources.limits.memory | string | `"1Gi"` | | -| resources.requests.cpu | string | `"50m"` | | -| resources.requests.memory | string | `"256Mi"` | | -| route.annotations | object | `{}` | Annotations to add to the route | +| resources.limits.cpu | string | `"1000m"` | Limit Peak CPU (in millicores ex. 1000m) | +| resources.limits.memory | string | `"1Gi"` | Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) | +| resources.requests.cpu | string | `"50m"` | Requested CPU (in millicores ex. 500m) | +| resources.requests.memory | string | `"256Mi"` | Requested Memory (in gigabytes Gi or megabytes Mi ex. 500Mi) | +| route.annotations | object | `{"haproxy.router.openshift.io/timeout":"60s"}` | Annotations to add to the route | | route.enabled | bool | `true` | Specifies whether a route should be created | | route.host | string | `"chart-example.local"` | | | route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` | | | route.tls.termination | string | `"edge"` | | | route.wildcardPolicy | string | `"None"` | | -| securityContext | object | `{}` | | -| service.port | int | `3000` | | -| service.portName | string | `"http"` | | -| service.type | string | `"ClusterIP"` | | +| securityContext | object | `{}` | Privilege and access control settings | +| service.port | int | `3000` | Service port | +| service.portName | string | `"http"` | Service port name | +| service.type | string | `"ClusterIP"` | Service type | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.enabled | bool | `false` | Specifies whether a service account should be created | | serviceAccount.name | string | `nil` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) diff --git a/charts/cdogs/templates/NOTES.txt b/charts/cdogs/templates/NOTES.txt index 676ce90..073e165 100644 --- a/charts/cdogs/templates/NOTES.txt +++ b/charts/cdogs/templates/NOTES.txt @@ -1,5 +1,9 @@ {{- $configMapName := printf "%s-%s" (include "cdogs.configname" .) "config" }} {{- $configMap := (lookup "v1" "ConfigMap" .Release.Namespace $configMapName ) }} +{{- $awsSecretName := printf "%s-%s" (include "cdogs.configname" .) "aws" }} +{{- $awsSecret := (lookup "v1" "Secret" .Release.Namespace $awsSecretName ) }} +{{- $kcSecretName := printf "%s-%s" (include "cdogs.configname" .) "keycloak" }} +{{- $kcSecret := (lookup "v1" "Secret" .Release.Namespace $kcSecretName ) }} Get the application URL by running these commands: {{- if .Values.route.enabled }} http{{ if $.Values.route.tls }}s{{ end }}://{{ .Values.route.host }}{{ .Values.route.path }} @@ -22,3 +26,11 @@ Get the application URL by running these commands: Make sure that ConfigMap "{{ $configMapName }}" is defined in the namespace; the deployment will fail to run without it! {{- end }} +{{- if and (not $awsSecret) (.Values.fluentBit.enabled) }} + +Make sure that Secret "{{ $awsSecretName }}" is defined in the namespace; the deployment will fail to run without it! +{{- end }} +{{- if and (not $kcSecret) (.Values.config.configMap.KC_ENABLED) }} + +Make sure that Secret "{{ $kcSecretName }}" is defined in the namespace; the deployment will fail to run without it! +{{- end }} diff --git a/charts/cdogs/templates/configmap.yaml b/charts/cdogs/templates/configmap.yaml index 9f0d995..beb4839 100644 --- a/charts/cdogs/templates/configmap.yaml 
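Review bot: The second added guard, `{{- if and (not $kcSecret) (.Values.config.configMap.KC_ENABLED) }}`, tests the raw configMap string, and in Go templates any non-empty string is truthy, so a value of `"false"` still prints the "Secret ... is defined" warning for keycloak. Comparing against the documented convention is more precise: `{{- if and (not $kcSecret) (eq (toString .Values.config.configMap.KC_ENABLED) "true") }}`. The same string-truthiness applies to any other `*_ENABLED` key that gets compared this way later.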
+++ b/charts/cdogs/templates/configmap.yaml 
@@ -12,3 +12,223 @@ metadata: name: {{ include "cdogs.configname" . }}-config data: {{ toYaml .Values.config.configMap | nindent 2 }} {{- end }} +{{- if .Values.fluentBit.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + {{- if not .Values.config.releaseScoped }} + annotations: + "helm.sh/resource-policy": keep + {{- else }} + labels: {{ include "cdogs.labels" . | nindent 4 }} + {{- end }} + name: {{ include "cdogs.configname" . }}-fluent-bit +data: + fluent-bit.conf: | + [SERVICE] + Flush 5 + Daemon Off + # define the log format (see additional config map key/value) + Parsers_File parsers.conf + Log_Level info + HTTP_Server On + HTTP_Listen 0.0.0.0 + HTTP_Port 2020 + + [INPUT] + # get logs from file written by node app (eg: CDOGS) + Name tail + Path /var/log/* + Tag app + Offset_Key logFileOffset + Path_Key logFilePath + + [FILTER] + # exclude kube probe logs from app logs + name grep + match app + Exclude agent kube* + + [FILTER] + name parser + match app + Key_Name log + Parser json + Reserve_Data On + Preserve_Key On + + [FILTER] + # modify log entry to include more key/value pairs + name record_modifier + match app + # add pod name + Record hostname ${HOSTNAME} + # add productname (eg: 'cdogs') + Record product {{ .Values.fluentBit.config.product }} + # add namespace + Record namespace {{ .Values.fluentBit.config.namespace }} + + [FILTER] + Name rewrite_tag + Match app + Rule $level ([a-zA-Z]*)$ $TAG.$level true + Emitter_Name re_emitted + + # for now just send out http level ('access') logs to AWS + [FILTER] + Name lua + Match app.* + script script.lua + time_as_table True + call ecsMap + + # Note: only currently sending 'access' (level: http) logs to AWS + # TODO: format 'metrics' logs to match a 'fingerprint' in Lambda + [OUTPUT] + Name kinesis_streams + Match app.http + region {{ .Values.fluentBit.config.aws.defaultRegion }} + stream {{ .Values.fluentBit.config.aws.kinesisStream }} + role_arn {{ .Values.fluentBit.config.aws.roleArn }} + 
time_key @timestamp + + [OUTPUT] + #### send logs to fluentd: + Name http + Match app + Host {{ .Values.fluentBit.config.logHostname }} + Port 80 + Format json + # the URI becomes the Tag available in fluentd + URI /app + # we can also send tag as a header + #header_tag app + json_date_key timestamp + + ### security: + #tls On + #tls.debug 4 + #tls.verify On + #tls.ca_file /fluent-bit/ssl/ca.crt.pem + #tls.crt_file /fluent-bit/ssl/client.crt.pem + #tls.key_file /fluent-bit/ssl/client.key.pem + + [OUTPUT] + Name stdout + Match * + Format json_lines + + parsers.conf: | + [PARSER] + Name json + Format json + Time_Key timestamp + Decode_Field_as escaped_utf8 log do_next + Decode_Field_as json log + + script.lua: | + -- add extra ECS fields + function ecsMap(tag, timestamp, record) + -- map existing fields to a new variable + new_record = {} + + -- derive full environment (stage) name from namespace + -- see: https://www.lua.org/pil/20.3.html + _, _, part1, environmentAbbreviation = string.find(record["namespace"], "([a-zA-Z0-9_+-]+)-([a-zA-Z0-9_+-]+)") + + environmentsArray = { + ["localhost"] = "development", + ["dev"] = "development", + ["test"] = "test", + ["prod"] = "production" + } + + -- get event.type from log.level + eventTypesArray = { + ["http"] = "access", + ["info"] = "info", + ["verbose"] = "metric" + } + + ---- for all logs + + new_record["ecs"] = { + ["version"] = "1.12" + } + + new_record["log"] = { + ["file"] = { + ["path"] = record["logFilePath"] + }, + ["level"] = record["level"] + } + + new_record["service"] = { + ["environment"] = environmentsArray[environmentAbbreviation], + ["name"] = record["product"], + ["type"] = "node" + } + + new_record["event"] = { + ["kind"] = "event", + ["category"] = "web", + ["original"] = record["message"], + ["duration"] = record["responseTime"], + ["sequence"] = record["logFileOffset"], + ["created"] = (os.date("!%Y-%m-%dT%H:%M:%S", timestamp["sec"]) .. '.' .. math.floor(timestamp["nsec"] / 1000000) .. 
'Z') + } + + new_record["agent"] = { + ["type"] = "fluentbit", + ["version"] = "1.8" + } + + new_record["labels"] = { + ["project"] = record["product"] + } + + new_record["host"] = { + ["hostname"] = record["hostname"], + ["ip"] = record["ip"], + ["name"] = record["namespace"] + } + + new_record["user_agent"] = { + ["original"] = record["userAgent"] + } + + new_record["source.user.id"] = record["azp"] + + ---- access logs + + if record["level"] == "http" then + new_record["event"]["type"] = eventTypesArray[record["level"]] + new_record["event"]["dataset"] = "express." .. eventTypesArray[record["level"]] + new_record["http"] = { + ["request"] = { + ["body"] = { + ["bytes"] = record["contentLength"] + }, + ["method"] = record["method"], + ["referrer"] = record["path"] + }, + ["response"] = { + ["status_code"] = record["statusCode"] + }, + ["version"] = record["httpVersion"] + } + end + + ---- metrics logs + + -- if log contains a 'metrics' field + if record["metrics"] ~= nill then + new_record["metrics"] = record["metrics"] + new_record["event"]["type"] = eventTypesArray[record["level"]] + end + + -- return the transformed new record + return 2, timestamp, new_record + end +{{- end }} diff --git a/charts/cdogs/templates/deploymentconfig.yaml b/charts/cdogs/templates/deploymentconfig.yaml index fd2c713..3e3d679 100644 --- a/charts/cdogs/templates/deploymentconfig.yaml +++ b/charts/cdogs/templates/deploymentconfig.yaml 
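Review bot: The fluentd `[OUTPUT] Name http` block sends every app-tagged record to `Host {{ .Values.fluentBit.config.logHostname }}` on `Port 80` with all `tls*` lines commented out, and the ECS records built in script.lua carry client `ip`, `userAgent`, request `path` and the `azp` user/client id, so that data leaves the pod in cleartext to what looks (from the default hostname) like a cluster-router endpoint; turn on `tls On`, `tls.verify On` and `Port 443`, or add a comment stating why a plaintext path is acceptable for this endpoint. In script.lua, `record["metrics"] ~= nill` only works because the undefined global `nill` evaluates to nil — write `~= nil`; `new_record = {}` is a global assigned inside a per-record callback and should be `local new_record = {}`; and `string.find(record["namespace"], ...)` raises when the namespace is not a string, which is the shape `fluentBit.config.namespace: ~` (the chart default) can produce, so guard it with `if type(record["namespace"]) == "string" then ... end`. `["agent"]["version"] = "1.8"` also disagrees with the `2.1.10` image tag set in values.yaml in this same commit; derive it from values or drop it. The `[INPUT]` tail on `Path /var/log/*` has no `DB` key, so offsets restart on every sidecar restart — presumably acceptable, but worth a comment. The enclosing ConfigMap template starts before this hunk.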
@@ -71,15 +71,89 @@ spec: key: password name: {{ include "cdogs.configname" . }}-keycloak {{- end }} - {{- if and .Values.fluentBit.enabled }} + {{- if .Values.fluentBit.enabled }} - name: SERVER_LOGFILE - value: "/var/log/app.log" + value: /var/log/app.log {{- end }} envFrom: - configMapRef: name: {{ include "cdogs.configname" . }}-config + volumeMounts: + - name: file-cache-data + mountPath: /var/lib/file-cache/data + {{- if .Values.fluentBit.enabled }} + - name: log-storage + mountPath: /var/log + {{- end }} + {{- if .Values.fluentBit.enabled }} + - name: fluent-bit + {{- with .Values.securityContext }} + securityContext: {{ toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.fluentBit.image.repository }}/{{ .Values.fluentBit.image.name }}:{{ .Values.fluentBit.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.fluentBit.service.metrics.port }} + name: {{ .Values.fluentBit.service.metrics.name }} + protocol: TCP + - containerPort: {{ .Values.fluentBit.service.httpPlugin.port }} + name: {{ .Values.fluentBit.service.httpPlugin.name }} + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: {{ .Values.fluentBit.route.metrics.path }} + port: {{ .Values.fluentBit.service.metrics.port }} + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: {{ .Values.fluentBit.route.metrics.path }} + port: {{ .Values.fluentBit.service.metrics.port }} + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + resources: {{ toYaml .Values.fluentBit.resources | nindent 12 }} + env: + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: username + name: {{ include "cdogs.configname" . }}-aws + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: password + name: {{ include "cdogs.configname" . 
}}-aws + {{- if .Values.fluentBit.enabled }} + - name: SERVER_LOGFILE + value: /var/log/app.log + {{- end }} + volumeMounts: + - name: fluent-bit-config + mountPath: /fluent-bit/etc/ + - name: log-storage + mountPath: /var/log + {{- end }} restartPolicy: Always terminationGracePeriodSeconds: 30 + volumes: + - name: file-cache-data + {{- if .Values.persistentVolumeClaim.enabled }} + persistentVolumeClaim: + claimName: {{ include "cdogs.configname" . }}-cache + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.fluentBit.enabled }} + - name: log-storage + emptyDir: {} + - name: fluent-bit-config + configMap: + name: {{ include "cdogs.configname" . }}-fluent-bit + {{- end }} test: false triggers: - type: ConfigChange diff --git a/charts/cdogs/templates/persistentvolumeclaim.yaml b/charts/cdogs/templates/persistentvolumeclaim.yaml new file mode 100644 index 0000000..3c7d930 --- /dev/null +++ b/charts/cdogs/templates/persistentvolumeclaim.yaml @@ -0,0 +1,23 @@ +{{- $pvcName := printf "%s-%s" (include "cdogs.configname" .) "cache" }} +{{- $pvc := (lookup "v1" "PersistentVolumeClaim" .Release.Namespace $pvcName ) }} + +{{- if and (not $pvc) (and .Values.persistentVolumeClaim.enabled) }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if not .Values.config.releaseScoped }} + annotations: + "helm.sh/resource-policy": keep + {{- else }} + labels: {{ include "cdogs.labels" . | nindent 4 }} + {{- end }} + name: {{ include "cdogs.configname" . }}-cache +spec: + accessModes: + - ReadWriteMany + storageClassName: {{ .Values.persistentVolumeClaim.storageClassName }} + resources: + requests: + storage: {{ .Values.persistentVolumeClaim.storageSize }} +{{- end }} diff --git a/charts/cdogs/templates/secret.yaml b/charts/cdogs/templates/secret.yaml index 050963e..b674b4a 100644 --- a/charts/cdogs/templates/secret.yaml +++ b/charts/cdogs/templates/secret.yaml 
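Review bot: The fluent-bit sidecar's `env:` repeats the app's `SERVER_LOGFILE` entry inside a second `{{- if .Values.fluentBit.enabled }}` that is already nested in the outer `fluentBit.enabled` block; the variable is the application's log-file setting and means nothing to fluent-bit, so those four lines (`{{- if ... }}` through `{{- end }}` after the `AWS_SECRET_ACCESS_KEY` entry) should be dropped. The sidecar also publishes `containerPort: {{ .Values.fluentBit.service.httpPlugin.port }}`, but the fluent-bit.conf added in this commit has no listener on that port (only `HTTP_Server` on 2020 and outbound `http`), so the port declaration or the config appears stale — confirm which. Since the sidecar only tails `/var/log` and reads its config, `readOnly: true` on both of its `volumeMounts` would narrow it, and with `.Values.securityContext` defaulting to `{}` it currently carries no hardening at all. The enclosing `containers:` list begins before this hunk.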
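Review bot: The guard `{{- if and (not $pvc) (and .Values.persistentVolumeClaim.enabled) }}` wraps a single operand in `and`, which is a no-op and is exactly the pattern the deploymentconfig hunk in this commit removes; write `{{- if and (not $pvc) .Values.persistentVolumeClaim.enabled }}`. `lookup` returns nothing under `helm template` and `--dry-run`, so the PVC is always rendered there and only skipped on a live install where one already exists; a one-line comment above the guard stating that intent (`# skip creation when a claim already exists in the namespace; rendered unconditionally in dry-run`) would save the next reader a surprise.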
@@ -1,5 +1,25 @@ +{{- $awsSecretName := printf "%s-%s" (include "cdogs.configname" .) "aws" }} +{{- $awsSecret := (lookup "v1" "Secret" .Release.Namespace $awsSecretName ) }} {{- $kcSecretName := printf "%s-%s" (include "cdogs.configname" .) "keycloak" }} {{- $kcSecret := (lookup "v1" "Secret" .Release.Namespace $kcSecretName ) }} + +{{- if and (not $awsSecret) (and .Values.awsSecretOverride.password .Values.awsSecretOverride.username) }} +--- +apiVersion: v1 +kind: Secret +metadata: + {{- if not .Values.config.releaseScoped }} + annotations: + "helm.sh/resource-policy": keep + {{- else }} + labels: {{ include "cdogs.labels" . | nindent 4 }} + {{- end }} + name: {{ $awsSecretName }} +type: kubernetes.io/basic-auth +data: + password: {{ .Values.awsSecretOverride.password | b64enc | quote }} + username: {{ .Values.awsSecretOverride.username | b64enc | quote }} +{{- end }} {{- if and (not $kcSecret) (and .Values.keycloakSecretOverride.password .Values.keycloakSecretOverride.username) }} --- apiVersion: v1 diff --git a/charts/cdogs/values.yaml b/charts/cdogs/values.yaml index 6fc0e6d..fe877ff 100644 --- a/charts/cdogs/values.yaml +++ b/charts/cdogs/values.yaml @@ -5,9 +5,11 @@ replicaCount: 2 image: + # -- Default image repository repository: docker.io/bcgovimages + # -- Default image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag whose default is the chart appVersion. tag: ~ # -- Specify docker-registry secret names as an array @@ -23,10 +25,12 @@ failurePolicy: Retry # -- Annotations for cdogs pods podAnnotations: {} +# -- Privilege and access control settings podSecurityContext: {} # fsGroup: 2000 +# -- Privilege and access control settings securityContext: {} # capabilities: @@ -75,8 +79,11 @@ networkPolicy: enabled: true service: + # -- Service type type: ClusterIP + # -- Service port port: 3000 + # -- Service port name portName: http route: 
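Review bot: The AWS secret is only created when `lookup` finds none, so changing `awsSecretOverride.*` after the first install leaves the previous access key in the cluster as far as this template shows — rotating the Kinesis credentials needs the existing secret removed first, which deserves a comment above the guard, `# NOTE: an existing secret is never overwritten; delete it to rotate credentials`. `type: kubernetes.io/basic-auth` also asserts username/password semantics for what are an AWS access key ID and secret key (the deploymentconfig maps them to `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`); `type: Opaque` with the same `data` keys avoids misleading tooling that treats basic-auth secrets specially. None of the `.github/environments/values.*.yaml` files in this commit populate `awsSecretOverride`, which is the right shape — those values should keep arriving via `--set` from CI rather than a committed file.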
@@ -84,7 +91,7 @@ route: enabled: true # -- Annotations to add to the route annotations: - {} + haproxy.router.openshift.io/timeout: 60s # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" host: chart-example.local @@ -100,12 +107,24 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: + # -- Limit Peak CPU (in millicores ex. 1000m) cpu: 1000m + # -- Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) memory: 1Gi requests: + # -- Requested CPU (in millicores ex. 500m) cpu: 50m + # -- Requested Memory (in gigabytes Gi or megabytes Mi ex. 500Mi) memory: 256Mi +persistentVolumeClaim: + # -- Specifies whether a persistent volume claim should be created + enabled: true + # -- Default storage class type + storageClassName: netapp-file-standard + # -- PVC Storage size (use M or G, not Mi or Gi) + storageSize: 2G + config: # Set to true if you want to let Helm manage and overwrite your configmaps. enabled: false @@ -131,7 +150,7 @@ config: SERVER_LOGLEVEL: http SERVER_PORT: "3000" - CACHE_DIR: "/tmp/carbone-files" + CACHE_DIR: /var/lib/file-cache/data CACHE_SIZE: 2GB CONVERTER_FACTORY_TIMEOUT: "60000" START_CARBONE: "true" 
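Review bot: In the `@@ -131,7 +150,7 @@` hunk, `CACHE_DIR: /var/lib/file-cache/data` is the only entry in this `configMap` block left unquoted, while the same key is quoted in every `.github/environments/values.*.yaml` touched by this commit and the chart README insists all configMap values be explicit strings; keep it `CACHE_DIR: "/var/lib/file-cache/data"` for consistency. A path parses as a string either way, so this is style only. The new default `haproxy.router.openshift.io/timeout: 60s` in the route hunk is a behaviour change for every existing user of the chart and would be worth a line in the chart's changelog.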
@@ -140,6 +159,72 @@ config: UPLOAD_FILE_SIZE: 25MB # Modify the following variables if you need to acquire secret values from a custom-named resource +awsSecretOverride: + # -- AWS Kinesis username - used by fluent-bit + username: ~ + # -- AWS Kinesis password - used by fluent-bit + password: ~ keycloakSecretOverride: + # -- Keycloak username username: ~ + # -- Keycloak password password: ~ + +fluentBit: + # -- Specifies whether the fluent-bit logging sidecar should be enabled + enabled: false + + config: + aws: + # -- AWS Kinesis default region + defaultRegion: ca-central-1 + # -- AWS Kinesis stream name + kinesisStream: nress-prod-iit-logs + # -- AWS Kinesis role ARN + roleArn: ~ + # -- Fluentd logging hostname endpoint + logHostname: fluentd-csst.apps.silver.devops.gov.bc.ca + # -- The openshift/k8s namespace identifier + namespace: ~ + # -- The application/product name identifier + product: cdogs + + image: + # -- Default image name + name: fluent-bit + # -- Default image repository + repository: docker.io/fluent + # -- Default image tag + tag: "2.1.10" + + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + # -- Limit Peak CPU (in millicores ex. 1000m) + cpu: 100m + # -- Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) + memory: 64Mi + requests: + # -- Requested CPU (in millicores ex. 500m) + cpu: 10m + # -- Requested Memory (in gigabytes Gi or megabytes Mi ex. 
500Mi) + memory: 16Mi + + route: + metrics: + path: / + + service: + httpPlugin: + # -- HTTP Plugin service name + name: http-plugin + # -- HTTP Plugin service port + port: 80 + metrics: + # -- Metrics service name + name: metrics + # -- Metrics service port + port: 2020
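Review bot: `fluentBit.route.metrics.path: /` is the one new key without a `# --` helm-docs comment, which is why its README row in this commit has an empty description; add `# -- Path requested by the sidecar's liveness/readiness probes on the metrics port` above it, since that is how deploymentconfig.yaml uses it. The `resources:` comment block copied from the top-level section ("uncomment the following lines ... remove the curly braces") is stale here because the limits and requests are already set, so drop or reword it. `kinesisStream: nress-prod-iit-logs` as a chart default means every environment that enables the sidecar — including dev, which this commit switches on — ships to that one stream unless overridden; confirm that is intended and state it in the `# --` comment.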