From e677876e8df96c113d84ae71c801335a01338932 Mon Sep 17 00:00:00 2001 
From: Walter Moar Date: Mon, 16 Dec 2024 08:29:14 -0800 Subject: [PATCH 1/5] fix: FORMS-1587 set up default crunchydb (#1536) * fix: set up crunchydb for fider We need to do database upgrades, and part of that is to replace the standalone PostgreSQL pod with a CrunchyDB cluster. * feat: copy crunchy-postgres helm charts We copy over the Helm charts so that our deployments are consistent and don't change due to changes in the external repo. * docs: updated the crunchydb readme * docs: fixed a wording issue * docs: wording tweaks * refactor: renamed fider directory to crunchydb * docs: fixed a typo * docs: fixed a typo --- openshift/crunchydb/README.md | 19 + .../charts/crunchy-postgres/.helmignore | 23 + .../charts/crunchy-postgres/Chart.yaml | 26 + .../charts/crunchy-postgres/README.md | 131 +++++ .../templates/PostgresCluster.yaml | 217 ++++++++ .../crunchy-postgres/templates/_helpers.tpl | 62 +++ .../charts/crunchy-postgres/templates/_s3.tpl | 18 + .../crunchy-postgres/templates/s3Secret.yaml | 11 + .../charts/crunchy-postgres/values.yaml | 136 +++++ openshift/crunchydb/charts/tools/.helmignore | 23 + openshift/crunchydb/charts/tools/Chart.yaml | 24 + openshift/crunchydb/charts/tools/README.md | 80 +++ .../charts/tools/templates/_helpers.tpl | 62 +++ .../templates/deployer/deployerRole.yaml | 217 ++++++++ .../deployer/deployerRoleBinding.yaml | 18 + .../deployer/deployerServiceAccount.yaml | 11 + .../tools/templates/linter/linterRole.yaml | 497 ++++++++++++++++++ .../templates/linter/linterRoleBinding.yaml | 17 + .../linter/linterServiceAccount.yaml | 10 + .../templates/networking/networkPolicy.yaml | 23 + .../networking/podNetworkPolicy.yaml | 16 + .../tools/templates/networking/route.yaml | 21 + .../provisioner/provisionerRole.yaml | 237 +++++++++ .../provisioner/provisionerRoleBinding.yaml | 19 + .../provisionerServiceAccount.yaml | 11 + openshift/crunchydb/charts/tools/values.yaml | 31 ++ 26 files changed, 1960 insertions(+) create mode 100644 
openshift/crunchydb/README.md create mode 100644 openshift/crunchydb/charts/crunchy-postgres/.helmignore create mode 100644 openshift/crunchydb/charts/crunchy-postgres/Chart.yaml create mode 100644 openshift/crunchydb/charts/crunchy-postgres/README.md create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl create mode 100644 openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml create mode 100644 openshift/crunchydb/charts/crunchy-postgres/values.yaml create mode 100644 openshift/crunchydb/charts/tools/.helmignore create mode 100644 openshift/crunchydb/charts/tools/Chart.yaml create mode 100644 openshift/crunchydb/charts/tools/README.md create mode 100644 openshift/crunchydb/charts/tools/templates/_helpers.tpl create mode 100644 openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/networking/route.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml create mode 100644 openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml create mode 100644 
openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml create mode 100644 openshift/crunchydb/charts/tools/values.yaml diff --git a/openshift/crunchydb/README.md b/openshift/crunchydb/README.md new file mode 100644 index 000000000..1859551ca --- /dev/null +++ b/openshift/crunchydb/README.md @@ -0,0 +1,19 @@ +# CrunchyDB + +CHEFS uses CrunchyDB for all of its highly available databases. CrunchyDB uses +Patroni for replication and failovers, and Patroni uses PostgreSQL as the +underlying database. + +## Installation + +The CrunchyDB installations use the +[Helm charts](https://github.com/bcgov/crunchy-postgres) provided by the fine +folks over at platform services. Huge thanks go to that team for doing the hard +work of figuring out the CrunchyDB setup and making it easier for the community +to use CrunchyDB. + +The `charts` directory has been copied here so that changes to the upstream repo +don't unexpectedly change our deployments. This stability and consistency comes +at the cost of added maintenance effort to stay in sync. + +This code is current to commit `91d32cb` in December 2024. diff --git a/openshift/crunchydb/charts/crunchy-postgres/.helmignore b/openshift/crunchydb/charts/crunchy-postgres/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml b/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml new file mode 100644 index 000000000..80c889da4 --- /dev/null 
+++ b/openshift/crunchydb/charts/crunchy-postgres/Chart.yaml @@ -0,0 +1,26 @@ +apiVersion: v2 +name: crunchy-postgres +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.6.3 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. + +# Crunchy Postgres Operator version +appVersion: "5.0.4" diff --git a/openshift/crunchydb/charts/crunchy-postgres/README.md b/openshift/crunchydb/charts/crunchy-postgres/README.md new file mode 100644 index 000000000..aee58b659 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/README.md 
@@ -0,0 +1,131 @@ +# Crunchy Postgres chart + +A chart to provision a [Crunchy Postgres](https://www.crunchydata.com/) cluster. + +## Configuration + +### Crunchy Options + +| Parameter | Description | Default | +| ------------------ | ---------------------- | ------------------ | +| `fullnameOverride` | Override release name | `crunchy-postgres` | +| `crunchyImage` | Crunchy Postgres image | | +| `postgresVersion` | Postgres version | `14` | + +--- + +### Instances + +| Parameter | Description | Default | +| ------------------------------------------- | ------------------------------ | ------------------------ | +| `instances.name` | Instance name | `ha` (high availability) | +| `instances.replicas` | Number of replicas | `2` | +| `instances.dataVolumeClaimSpec.storage` | Amount of storage for each PVC | `480Mi` | +| `instances.requests.cpu` | CPU requests | `1m` | +| `instances.requests.memory` | Memory requests | `256Mi` | +| `instances.limits.cpu` | CPU limits | `100m` | +| `instances.limits.memory` | Memory limits | `512Mi` | +| `instances.replicaCertCopy.requests.cpu` | replicaCertCopy CPU requests | `1m` | +| `instances.replicaCertCopy.requests.memory` | replicaCertCopyMemory requests | `32Mi` | +| `instances.replicaCertCopy.limits.cpu` | replicaCertCopyCPU limits | `50m` | +| `instances.replicaCertCopy.limits.memory` | replicaCertCopy Memory limits | `64Mi` | + +--- + +### pgBackRest - Reliable PostgreSQL Backup & Restore + +[pgBackRest site](https://pgbackrest.org/) +[Crunchy pgBackRest docs](https://access.crunchydata.com/documentation/pgbackrest/latest/) + +| Parameter | Description | Default | +| ---------------------------------------------------- | ------------------------------------------------------------- | ---------------------- | +| `pgBackRest.image` | Crunchy pgBackRest | | +| `pgBackRest.retention` | Number of backups/days to keep depending on retentionFullType | `2` | +| `pgBackRest.retentionFullType` | Either 'count' or 'time' | `count` | 
+| `pgBackRest.repos.schedules.full` | Full backup schedule | `0 8 * * *` | +| `pgBackRest.repos.schedules.incremental` | Incremental backup schedule | `0 0,4,12,16,20 * * *` | +| `pgBackRest.repos.schedules.volume.addessModes` | Access modes | `ReadWriteOnce` | +| `pgBackRest.repos.schedules.volume.storage` | Access modes | `64Mi` | +| `pgBackRest.repos.schedules.volume.storageClassName` | Storage class name modes | `netapp-file-backup` | +| `pgBackRest.repoHost.requests.cpu` | CPU requests | `1m` | +| `pgBackRest.repoHost.requests.memory` | Memory requests | `64Mi` | +| `pgBackRest.repoHost.limits.cpu` | CPU limits | `50m` | +| `pgBackRest.repoHost.limits.memory` | Memory limits | `128Mi` | +| `pgBackRest.sidecars.requests.cpu` | sidecars CPU requests | `1m` | +| `pgBackRest.sidecars.requests.memory` | sidecars Memory requests | `64Mi` | +| `pgBackRest.sidecars.limits.cpu` | sidecars CPU limits | `50m` | +| `pgBackRest.sidecars.limits.memory` | sidecars Memory limits | `128Mi` | +| `pgBackRest.s3.enabled` | Enables the s3 repo backups | `false` | +| `pgBackRest.s3.createS3Secret` | Creates the s3 secret based on key and keySecret | `true` | +| `pgBackRest.s3.s3Secret` | The secret name to be created or read from | `s3-pgbackrest` | +| `pgBackRest.s3.s3Path` | The path inside the bucket where the backups will be saved to, set it to `/` to use the root of the bucket. | `/dbbackup` | +| `pgBackRest.s3.s3UriStyle` | Style of URL to use for S3 communication. [More Info](https://pgbackrest.org/configuration.html#section-repository/option-repo-s3-uri-style) | `path` | +| `pgBackRest.s3.bucket` | The bucket to use for backups | `bucketName` | +| `pgBackRest.s3.endpoint` | The endpoint to use, for example s3.ca-central-1.amazonaws.com | `endpointName` | +| `pgBackRest.s3.region` | The region to use, not necessary if your S3 system does not specify one | `ca-central-1` | +| `pgBackRest.s3.key` | The key to use to access the bucket. 
MUST BE KEPT SECRET | `s3KeyValue` | +| `pgBackRest.s3.keySecret` | The key secret for the key set above. MUST BE KEPT SECRET | `s3SecretValue` | +--- + +### Patroni + +[Patroni docs](https://patroni.readthedocs.io/en/latest/) +[Crunchy Patroni docs](https://access.crunchydata.com/documentation/patroni/latest/) + +| Parameter | Description | Default | +| ------------------------------------------- | ------------------------------------------------------------------- | --------------------------------- | +| `patroni.postgresql.pg_hba` | pg_hba permissions | `"host all all 0.0.0.0/0 md5"` | +| `crunchyImage` | Crunchy Postgres image | `...crunchy-postgres:ubi8-14.7-0` | +| `patroni.parameters.shared_buffers` | The number of shared memory buffers used by the server | `16MB` | +| `patroni.parameters.wal_buffers` | The number of disk-page buffers in shared memory for WAL | `64KB` | +| `patroni.parameters.min_wal_size` | The minimum size to shrink the WAL to | `32MB` | +| `patroni.parameters.max_wal_size` | Sets the WAL size that triggers a checkpoint | `64MB` | +| `patroni.parameters.max_slot_wal_keep_size` | Sets the maximum WAL size that can be reserved by replication slots | `128MB` | + +--- + +### pgBouncer + +A lightweight connection pooler for PostgreSQL + +[pgBouncer site](https://www.pgbouncer.org/) +[Crunchy Postgres pgBouncer docs](https://access.crunchydata.com/documentation/pgbouncer/latest/) + +| Parameter | Description | Default | +| --------------------------------- | ----------------------- | ------- | +| `proxy.pgBouncer.image` | Crunchy pgBouncer image | | +| `proxy.pgBouncer.replicas` | Number of replicas | `2` | +| `proxy.pgBouncer.requests.cpu` | CPU requests | `1m` | +| `proxy.pgBouncer.requests.memory` | Memory requests | `64Mi` | +| `proxy.pgBouncer.limits.cpu` | CPU limits | `50m` | +| `proxy.pgBouncer.limits.memory` | Memory limits | `128Mi` | + +--- + +## PG Monitor + +[Crunchy Postgres PG Monitor 
docs](https://access.crunchydata.com/documentation/pgmonitor/latest/) + +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------- | ------- | +| `pgmonitor.enabled` | Enable PG Monitor (currently only PG exporter) | `false` | +| `pgmonitor.exporter.requests.cpu` | PG Monitor CPU requests | `1m` | +| `pgmonitor.exporter.requests.memory` | PG Monitor Memory requests | `64Mi` | +| `pgmonitor.exporter.limits.cpu` | PG Monitor CPU limits | `50m` | +| `pgmonitor.exporter.limits.memory` | PG Monitor Memory limits | `128Mi` | + +#### Postgres Exporter + +A [Prometheus](https://prometheus.io/) exporter for PostgreSQL + +[Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) + +| Parameter | Description | Default | +| ------------------------------------ | ------------------------- | ------- | +| `pgmonitor.exporter.image` | Crunchy PG Exporter image | | +| `pgmonitor.exporter.requests.cpu` | CPU requests | `1m` | +| `pgmonitor.exporter.requests.memory` | Memory requests | `64Mi` | +| `pgmonitor.exporter.limits.cpu` | CPU limits | `50m` | +| `pgmonitor.exporterr.limits.memory` | Memory limits | `128Mi` | + +--- diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml b/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml new file mode 100644 index 000000000..e2b31d172 --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/templates/PostgresCluster.yaml 
@@ -0,0 +1,217 @@ +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: {{ template "crunchy-postgres.fullname" . }} + labels: {{ include "crunchy-postgres.labels" . | nindent 4 }} +spec: + metadata: + labels: {{ include "crunchy-postgres.labels" . | nindent 6 }} + {{ if .Values.crunchyImage }} + image: {{ .Values.crunchyImage }} + {{ end }} + imagePullPolicy: {{.Values.imagePullPolicy}} + postgresVersion: {{ .Values.postgresVersion }} + {{ if .Values.postGISVersion }} + postGISVersion: {{ .Values.postGISVersion | quote }} + {{ end }} + postgresVersion: {{ .Values.postgresVersion }} + + {{ if .Values.pgmonitor.enabled }} + + monitoring: + pgmonitor: + # this stuff is for the "exporter" container in the "postgres-cluster-ha" set of pods + exporter: + {{ if .Values.pgmonitor.exporter.image}} + image: {{ .Values.pgmonitor.exporter.image}} + {{ end }} + resources: + requests: + cpu: {{ .Values.pgmonitor.exporter.requests.cpu }} + memory: {{ .Values.pgmonitor.exporter.requests.memory }} + limits: + cpu: {{ .Values.pgmonitor.exporter.limits.cpu }} + memory: {{ .Values.pgmonitor.exporter.limits.memory }} + + {{ end }} + + instances: + - name: {{ .Values.instances.name }} + replicas: {{ .Values.instances.replicas }} + resources: + requests: + cpu: {{ .Values.instances.requests.cpu }} + memory: {{ .Values.instances.requests.memory }} + limits: + cpu: {{ .Values.instances.limits.cpu }} + memory: {{ .Values.instances.limits.memory }} + sidecars: + replicaCertCopy: + resources: + requests: + cpu: {{ .Values.instances.replicaCertCopy.requests.cpu }} + memory: {{ .Values.instances.replicaCertCopy.requests.memory }} + limits: + cpu: {{ .Values.instances.replicaCertCopy.limits.cpu }} + memory: {{ .Values.instances.replicaCertCopy.limits.memory }} + dataVolumeClaimSpec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ .Values.instances.dataVolumeClaimSpec.storage }} + storageClassName: {{ 
.Values.instances.dataVolumeClaimSpec.storageClassName }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: topology.kubernetes.io/zone + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: + {{ template "crunchy-postgres.fullname" . }} + postgres-operator.crunchydata.com/instance-set: {{ .Values.instances.name }}-ha + + users: + - name: {{ template "crunchy-postgres.fullname" . }} + databases: + - {{ template "crunchy-postgres.fullname" . }} + options: "CREATEROLE" + - name: postgres + databases: + - {{ template "crunchy-postgres.fullname" . }} + + {{ if .Values.dataSource.enabled }} + dataSource: + pgbackrest: + configuration: + - secret: + name: {{ .Values.dataSource.secretName }} + global: + repo2-path: {{ .Values.dataSource.repo.path }} + repo: + name: {{ .Values.dataSource.repo.name }} + s3: + bucket: {{ .Values.dataSource.repo.s3.bucket }} + endpoint: {{ .Values.dataSource.repo.s3.endpoint }} + region: {{ .Values.dataSource.repo.s3.region }} + stanza: {{ .Values.dataSource.stanza }} + {{ end }} + + backups: + pgbackrest: + {{ if .Values.pgBackRest.image }} + image: {{ .Values.pgBackRest.image }} + {{ end }} + {{- if .Values.pgBackRest.s3.enabled }} + configuration: + - secret: + name: {{ .Values.pgBackRest.s3.s3Secret }} + {{- end }} + global: + # Support both PVC and s3 backups + repo1-retention-full: {{ .Values.pgBackRest.retention | quote }} + repo1-retention-full-type: {{ .Values.pgBackRest.retentionFullType }} + {{- if .Values.pgBackRest.s3.enabled }} + repo2-retention-full: {{ .Values.pgBackRest.retention | quote }} + repo2-retention-full-type: {{ .Values.pgBackRest.retentionFullType }} + repo2-path: {{ .Values.pgBackRest.s3.s3Path }} + repo2-s3-uri-style: {{ .Values.pgBackRest.s3.s3UriStyle }} + {{- end }} + repos: + # hardcoding repo1 until we solution allowing multiple repos + - name: repo1 + schedules: + full: {{ 
.Values.pgBackRest.repos.schedules.full }} + incremental: {{ .Values.pgBackRest.repos.schedules.incremental }} + volume: + volumeClaimSpec: + accessModes: + - {{ .Values.pgBackRest.repos.volume.accessModes }} + resources: + requests: + storage: {{ .Values.pgBackRest.repos.volume.storage }} + storageClassName: {{ .Values.pgBackRest.repos.volume.storageClassName }} + {{- if .Values.pgBackRest.s3.enabled }} + - name: repo2 + schedules: + full: {{ if .Values.pgBackRest.s3.fullSchedule }}{{ .Values.pgBackRest.s3.fullSchedule }}{{ else }}{{ .Values.pgBackRest.repos.schedules.full }}{{ end }} + incremental: {{ if .Values.pgBackRest.s3.incrementalSchedule }}{{ .Values.pgBackRest.s3.incrementalSchedule }}{{ else }}{{ .Values.pgBackRest.repos.schedules.incremental }}{{ end }} + s3: + bucket: {{ .Values.pgBackRest.s3.bucket }} + endpoint: {{ .Values.pgBackRest.s3.endpoint }} + region: {{ .Values.pgBackRest.s3.region }} + {{- end }} + # this stuff is for the "pgbackrest" container (the only non-init container) in the "postgres-crunchy-repo-host" pod + repoHost: + resources: + requests: + cpu: {{ .Values.pgBackRest.repoHost.requests.cpu }} + memory: {{ .Values.pgBackRest.repoHost.requests.memory }} + limits: + cpu: {{ .Values.pgBackRest.repoHost.limits.cpu }} + memory: {{ .Values.pgBackRest.repoHost.limits.memory }} + sidecars: + # this stuff is for the "pgbackrest" container in the "postgres-crunchy-ha" set of pods + pgbackrest: + resources: + requests: + cpu: {{ .Values.pgBackRest.sidecars.requests.cpu }} + memory: {{ .Values.pgBackRest.sidecars.requests.memory }} + limits: + cpu: {{ .Values.pgBackRest.sidecars.limits.cpu }} + memory: {{ .Values.pgBackRest.sidecars.limits.memory }} + pgbackrestConfig: + resources: + requests: + cpu: {{ .Values.pgBackRest.sidecars.requests.cpu }} + memory: {{ .Values.pgBackRest.sidecars.requests.memory }} + limits: + cpu: {{ .Values.pgBackRest.sidecars.limits.cpu }} + memory: {{ .Values.pgBackRest.sidecars.limits.memory }} + standby: + 
enabled: {{ .Values.standby.enabled }} + repoName: {{ .Values.standby.repoName }} + + patroni: + dynamicConfiguration: + postgresql: + pg_hba: + - {{ .Values.patroni.postgresql.pg_hba}} + parameters: + shared_buffers: {{ .Values.patroni.postgresql.parameters.shared_buffers }} + wal_buffers: {{ .Values.patroni.postgresql.parameters.wal_buffers }} + min_wal_size: {{ .Values.patroni.postgresql.parameters.min_wal_size }} + max_wal_size: {{ .Values.patroni.postgresql.parameters.max_wal_size }} + max_slot_wal_keep_size: {{ .Values.patroni.postgresql.parameters.max_slot_wal_keep_size }} + + proxy: + pgBouncer: + config: + global: + client_tls_sslmode: disable + {{ if .Values.proxy.pgBouncer.image }} + image: {{ .Values.proxy.pgBouncer.image }} + {{ end }} + replicas: {{ .Values.proxy.pgBouncer.replicas }} + # these resources are for the "pgbouncer" container in the "postgres-crunchy-ha-pgbouncer" set of pods + # there is a sidecar in these pods which are not mentioned here, but the requests/limits are teeny weeny by default so no worries there. + resources: + requests: + cpu: {{ .Values.proxy.pgBouncer.requests.cpu }} + memory: {{ .Values.proxy.pgBouncer.requests.memory }} + limits: + cpu: {{ .Values.proxy.pgBouncer.limits.cpu }} + memory: {{ .Values.proxy.pgBouncer.limits.memory }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: topology.kubernetes.io/zone + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: + {{ .Values.instances.name }} + postgres-operator.crunchydata.com/role: pgbouncer diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl b/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl new file mode 100644 index 000000000..584e9ad6c --- /dev/null +++ b/openshift/crunchydb/charts/crunchy-postgres/templates/_helpers.tpl 
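Review bot: The pgBouncer block hard-codes `client_tls_sslmode: disable` under `proxy.pgBouncer.config.global`, so client connections to the pooler are unencrypted and no value in values.yaml can turn TLS back on. The pooler is normally the endpoint applications connect to, so database passwords and query data would cross the pod network in clear text. Either drop the override so the operator's own default applies (worth confirming what that is for the pinned operator version), or expose it as a value, e.g. `client_tls_sslmode: {{ .Values.proxy.pgBouncer.clientTlsSslmode | default "require" }}`, where `clientTlsSslmode` is a new key that would have to be added to values.yaml. Separately, `postgresVersion` is emitted twice under `spec`; strict YAML parsers reject duplicate keys, so the second occurrence after the `postGISVersion` block should be removed.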
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "crunchy-postgres.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "crunchy-postgres.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "crunchy-postgres.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "crunchy-postgres.labels" -}}
+helm.sh/chart: {{ include "crunchy-postgres.chart" . }}
+{{ include "crunchy-postgres.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "crunchy-postgres.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "crunchy-postgres.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "crunchy-postgres.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "crunchy-postgres.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl b/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl
new file mode 100644
index 000000000..9f71811f7
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/templates/_s3.tpl
@@ -0,0 +1,18 @@
+{{/* Allow for S3 secret information to be stored in a Secret */}}
+{{- define "postgres.s3" }}
+[global]
+{{- if .s3 }}
+ {{- if .s3.key }}
+repo{{ add .index 1 }}-s3-key={{ .s3.key }}
+ {{- end }}
+ {{- if .s3.keySecret }}
+repo{{ add .index 1 }}-s3-key-secret={{ .s3.keySecret }}
+ {{- end }}
+ {{- if .s3.keyType }}
+repo{{ add .index 1 }}-s3-key-type={{ .s3.keyType }}
+ {{- end }}
+ {{- if .s3.encryptionPassphrase }}
+repo{{ add .index 1 }}-cipher-pass={{ .s3.encryptionPassphrase }}
+ {{- end }}
+{{- end }}
+{{ end }}
\ No newline at end of file
diff --git a/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml b/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml
new file mode 100644
index 000000000..5c1aef224
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/templates/s3Secret.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.pgBackRest.s3.enabled .Values.pgBackRest.s3.createS3Secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.pgBackRest.s3.s3Secret }}
+type: Opaque
+data:
+ {{- $args := dict "s3" .Values.pgBackRest.s3 "index" 1 }}
+ s3.conf: |-
+ {{ include "postgres.s3" $args | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/openshift/crunchydb/charts/crunchy-postgres/values.yaml b/openshift/crunchydb/charts/crunchy-postgres/values.yaml
new file mode 100644
index 000000000..6959ac570
--- /dev/null
+++ b/openshift/crunchydb/charts/crunchy-postgres/values.yaml
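Review bot: The Secret in s3Secret.yaml is rendered from `pgBackRest.s3.key` and `pgBackRest.s3.keySecret` with no check that real credentials were supplied. values.yaml ships non-empty placeholders (`s3keyValue`, `s3SecretValue`) with `createS3Secret: true`, so enabling S3 without overriding both creates a Secret holding placeholder credentials, and the repo2 backups would presumably fail only at run time. Consider making both defaults empty and failing the render in `_s3.tpl` with `required`, e.g. `repo{{ add .index 1 }}-s3-key={{ required "pgBackRest.s3.key must be set" .s3.key }}`. Passing credentials as chart values also stores them in the Helm release record and in whatever values file or CI variable feeds the install; setting `createS3Secret: false` and pointing `s3Secret` at a Secret managed outside the chart avoids that.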
@@ -0,0 +1,136 @@ +fullnameOverride: crunchy-postgres + +crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default +#crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS +postgresVersion: 15 +#postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled. +imagePullPolicy: IfNotPresent + +# enable to bootstrap a standby cluster from backup. Then disable to promote this standby to primary +standby: + enabled: false + # If you want to recover from PVC, use repo1. If you want to recover from S3, use repo2 + repoName: repo2 + +instances: + name: ha # high availability + replicas: 2 + dataVolumeClaimSpec: + storage: 480Mi + storageClassName: netapp-block-standard + requests: + cpu: 1m + memory: 256Mi + limits: + cpu: 100m + memory: 512Mi + replicaCertCopy: + requests: + cpu: 1m + memory: 32Mi + limits: + cpu: 50m + memory: 64Mi + +# If we need to restore the cluster from a backup, we need to set the following values +# assuming restore from repo2 (s3), adjust as needed if your S3 repo is different +dataSource: + enabled: false + # should have the same name and contain the same keys as the pgbackrest secret + secretName: s3-pgbackrest + repo: + name: repo2 + path: "/habackup" + s3: + bucket: "bucketName" + endpoint: "s3.ca-central-1.amazonaws.com" + region: "ca-central-1" + stanza: db + +pgBackRest: + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + retention: "2" # Ideally a larger number such as 30 backups/days + # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention + # If retention-full-type set to 'time' then the number defined in retention will take that many days 
worth of full backups before expiration + retentionFullType: count + repos: + schedules: + full: 0 8 * * * + incremental: 0 0,4,12,16,20 * * * + volume: + accessModes: "ReadWriteOnce" + storage: 64Mi + storageClassName: netapp-file-backup + repoHost: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + sidecars: + requests: + cpu: 1m + memory: 64Mi + limits: + cpu: 50m + memory: 128Mi + s3: + enabled: false + createS3Secret: true + # the s3 secret name + s3Secret: s3-pgbackrest + # the path start with /, it will be created under bucket if it doesn't exist + s3Path: "/habackup" + # s3UriStyle is host or path + s3UriStyle: path + # bucket specifies the S3 bucket to use, + bucket: "bucketName" + # endpoint specifies the S3 endpoint to use. + endpoint: "endpointName" + # region specifies the S3 region to use. If your S3 storage system does not + # use "region", fill this in with a random value. + region: "ca-central-1" + # key is the S3 key. This is stored in a Secret. + # Please DO NOT push this value to GitHub + key: "s3keyValue" + # keySecret is the S3 key secret. This is stored in a Secret. 
+ # Please DO NOT push this value to GitHub
+ keySecret: "s3SecretValue"
+ # setting the below to be one plus of the default schedule
+ # to avoid conflicts
+ fullSchedule: "0 9 * * *"
+ incrementalSchedule: "0 1,5,13,17,21 * * *"
+
+patroni:
+ postgresql:
+ pg_hba: "host all all 0.0.0.0/0 md5"
+ parameters:
+ shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod
+ wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger
+ min_wal_size: 32MB
+ max_wal_size: 64MB # default is 1GB
+ max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind
+
+proxy:
+ pgBouncer:
+ image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
+ replicas: 2
+ requests:
+ cpu: 1m
+ memory: 64Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
+
+# Postgres Cluster resource values:
+pgmonitor:
+ enabled: false
+ exporter:
+ image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
+ requests:
+ cpu: 1m
+ memory: 64Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
diff --git a/openshift/crunchydb/charts/tools/.helmignore b/openshift/crunchydb/charts/tools/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
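Review bot: The default `pg_hba: "host all all 0.0.0.0/0 md5"` under `patroni.postgresql` in values.yaml accepts password logins for every database and role from any IPv4 source address, over non-TLS as well as TLS connections, and names the legacy `md5` method. With `postgresVersion: 15` the stricter `pg_hba: "hostssl all all 0.0.0.0/0 scram-sha-256"` should work provided clients support SCRAM, and a CIDR narrower than `0.0.0.0/0` would limit exposure if a NetworkPolicy is ever missing or loosened. Also in this file, `retention: "2"` is the shipped default while its own comment recommends a larger number such as 30; with the daily full-backup schedule that leaves roughly a two-day recovery window, so deployments should override it deliberately.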
diff --git a/openshift/crunchydb/charts/tools/Chart.yaml b/openshift/crunchydb/charts/tools/Chart.yaml
new file mode 100644
index 000000000..fb0e3cfc2
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: crunchy-postgres-tools
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.3.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/openshift/crunchydb/charts/tools/README.md b/openshift/crunchydb/charts/tools/README.md
new file mode 100644
index 000000000..efc8191f5
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/README.md
@@ -0,0 +1,80 @@ +# Crunchy Postgres Tools chart + +A chart to provision service accounts and networking templates to our namespaces. + +This chart is meant to be deployed in all namespaces while using the `provisioner.namespace` value to conditionally deploy services in the correct namespaces. + +## Included templates: + +### Service accounts: + +#### Deployer + +A service account to be used to login to OpenShift and deploy your application in CI. This is deployed in all namespaces except for the tools/provisioner namespace. + +| Parameter | Description | Default | +| --------------------------------- | ----------------------------------- | ------- | +| `deployer.serviceAccount.enabled` | Enable the deployer service account | `true` | + +--- + +#### Provisioner + +A service account which is deployed to the tools namespace but the roles and rolebindings are deployed to all namespaces, giving the service account permissions to provision tools to all of the namespaces from the tools namespace. + +| Parameter | Description | Default | +| -------------------------------- | ----------------------------------------- | ------- | +| `deployer.provisioner.enabled` | Enable the provisioner service account | `true` | +| `deployer.provisioner.namespace` | The namespace the provisioner will run in | `true` | + +--- + +#### Linter + +A service account deployed to the /tools namespace and used to login to OpenShift and verify Helm templates. 
+ +| Parameter | Description | Default | +| ------------------------- | --------------------------------- | ------- | +| `deployer.linter.enabled` | Enable the linter service account | `true` | + +--- + +### Networking + +#### Namespace ingress network policy + +Network policy to allow traffic from outside the namespace (like the internet) to access our pods + +| Parameter | Description | Default | +| ---------------------------------- | --------------------------------- | ------- | +| `networking.networkPolicy.enabled` | Enable the ingress network policy | `true` | + +--- + +#### Pod ingress network policy + +Pod network policy to allow pods to accept traffic from other pods in this namespace + +| Parameter | Description | Default | +| ------------------------------------- | ------------------------------------- | ------- | +| `networking.podNetworkPolicy.enabled` | Enable the pod ingress network policy | `true` | + +--- + +#### Route + +OpenShift route whitch allows you to host your application at a public URL. + +| Parameter | Description | Default | +| -------------------------- | -------------------------- | ------- | +| `networking.route.enabled` | Enable the OpenShift route | `true` | +| `networking.route.host` | The OpenShift route host | | + +--- + +## Name overrides + +| Parameter | Description | Default | +| ------------------ | ------------------------------------------ | ------------------------ | +| `fullnameOverride` | Override release name | `crunchy-postgres-tools` | +| `deploymentName` | The name of your dev/test/prod deployments | `crunchy-postgres` | diff --git a/openshift/crunchydb/charts/tools/templates/_helpers.tpl b/openshift/crunchydb/charts/tools/templates/_helpers.tpl new file mode 100644 index 000000000..012711fdc --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "crunchy-postgres-tools.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "crunchy-postgres-tools.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "crunchy-postgres-tools.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "crunchy-postgres-tools.labels" -}} +helm.sh/chart: {{ include "crunchy-postgres-tools.chart" . }} +{{ include "crunchy-postgres-tools.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "crunchy-postgres-tools.selectorLabels" -}} +app.kubernetes.io/name: {{ include "crunchy-postgres-tools.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "crunchy-postgres-tools.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "crunchy-postgres-tools.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml new file mode 100644 index 000000000..4acd4289c --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerRole.yaml 
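Review bot: The `crunchy-postgres-tools.serviceAccountName` helper reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values.yaml added for this chart defines no top-level `serviceAccount` key, only `deployer`, `provisioner` and `linter`. None of the templates added in this patch include the helper, so it looks like scaffolding left over from `helm create`, and including it later would presumably fail on the missing map. Either delete the define or add a comment above it such as `{{/* unused: chart service accounts are named per role (-deployer, -provisioner, -linter) */}}`.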
@@ -0,0 +1,217 @@ +{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} + annotations: + openshift.io/description: A user who can deploy applications + openshift.io/reconcile-protect: "false" + name: {{ or .Values.deploymentName .Release.Name }}-deployer +rules: + - apiGroups: + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch + - update + - apiGroups: + - image.openshift.io + resources: + - imagestreamtags + verbs: + - delete + - apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + - persistentvolumeclaims + - services + - secrets + - configmaps + - endpoints + - pods + - pods/exec + verbs: + - watch + - list + - get + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + - pods/log + verbs: + - watch + - list + - get + - apiGroups: + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - create + - update + - patch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - create + - delete + - update + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - list + - get + - create + - update + - patch + - delete + - apiGroups: + - template.openshift.io + attributeRestrictions: null + resources: + - processedtemplates + verbs: + - create + - apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes/custom-host + verbs: + - create + - 
apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + - cronjobs + verbs: + - get + - create + - update + - patch + - delete + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "rbac.authorization.k8s.io" + - "authorization.openshift.io" + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - extensions + - apps + resources: + - deployments + - replicasets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - create + - update + - patch + - delete +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml new file mode 100644 index 000000000..b5d26099f --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerRoleBinding.yaml 
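Review bot: The core-group rule that lists `secrets` and `pods/exec` grants every verb up to `deletecollection`, so the `-deployer` token used from CI can read every secret in the namespace and exec into any pod, which is far more than the annotation "A user who can deploy applications" suggests. If the pipeline only manages its own release objects, move `secrets` and `pods/exec` into separate rules with only the verbs it uses, and narrow the secrets rule with `resourceNames: ["<release-secret-name>"]`. The later rule giving create/update/patch/delete on `roles` and `rolebindings` deserves the same scrutiny. provisionerRole.yaml repeats these rules, and there a single service account in the tools namespace is bound in every namespace the chart is installed in, so the exposure spans all of them.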
@@ -0,0 +1,18 @@
+{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+subjects:
+ - kind: ServiceAccount
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+ namespace: {{ .Release.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml
new file mode 100644
index 000000000..b2df66067
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/deployer/deployerServiceAccount.yaml
@@ -0,0 +1,11 @@
+{{ if and .Values.deployer.serviceAccount.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-deployer
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+ namespace: {{ .Release.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml
new file mode 100644
index 000000000..480e2c27d
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/linter/linterRole.yaml
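Review bot: The subject namespace in deployerRoleBinding.yaml is written `{{ .Release.namespace }}` with a lowercase `n`, while Helm's built-in is `.Release.Namespace`, which the guard on the first line of the same template already uses. The lowercase key is not defined, so the field presumably renders empty and the binding either fails validation or does not point at the intended service account. Change it to `namespace: {{ .Release.Namespace }}`; the same typo is in `metadata.namespace` of deployerServiceAccount.yaml in the next hunk.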
@@ -0,0 +1,497 @@ +{{- if and (.Values.linter.serviceAccount.enabled) (eq .Release.Namespace .Values.provisioner.namespace) }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + annotations: + openshift.io/description: A user who can view but not edit any resources within + the project. They can not view secrets or membership. + openshift.io/reconcile-protect: "false" + name: {{ .Release.Name }}-linter +rules: +- apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - projects + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - ingresses + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + attributeRestrictions: null + resources: + - poddisruptionbudgets + verbs: + - get 
+ - list + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/scale + verbs: + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - list +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - watch +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - list +- apiGroups: + - networking.k8s.io + attributeRestrictions: null + resources: + - networkpolicies + verbs: + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - pods + - replicationcontrollers + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments + - deployments/scale + - replicasets + - replicasets/scale + verbs: + - get + - list + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - apps + 
attributeRestrictions: null + resources: + - deployments + - deployments/scale + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - buildconfigs + - buildconfigs/webhooks + - builds + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - builds/log + verbs: + - get + - list + - watch +- apiGroups: + - build.openshift.io + attributeRestrictions: null + resources: + - jenkins + verbs: + - view +- apiGroups: + - apps.openshift.io + - "" + attributeRestrictions: null + resources: + - deploymentconfigs + - deploymentconfigs/scale + verbs: + - get + - list + - watch +- apiGroups: + - apps.openshift.io + - "" + attributeRestrictions: null + resources: + - deploymentconfigs/log + - deploymentconfigs/status + verbs: + - get + - list + - watch +- apiGroups: + - image.openshift.io + - "" + attributeRestrictions: null + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch +- apiGroups: + - image.openshift.io + - "" + attributeRestrictions: null + resources: + - imagestreams/status + verbs: + - get + - list + - watch +- apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get +- apiGroups: + - quota.openshift.io + - "" + attributeRestrictions: null + resources: + - appliedclusterresourcequotas + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + - "" + attributeRestrictions: null + resources: + - routes/status + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + - "" + attributeRestrictions: null + resources: + - processedtemplates + - templateconfigs + - templateinstances + - templates + verbs: + - get + - 
list + - watch +- apiGroups: + - build.openshift.io + - "" + attributeRestrictions: null + resources: + - buildlogs + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - resourcequotausages + verbs: + - get + - list + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - watch +- apiGroups: + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets + verbs: + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - replicasets/scale + verbs: + - watch +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - list +- apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - watch +- apiGroups: + - authorization.openshift.io + - rbac.authorization.k8s.io + attributeRestrictions: null + resources: + - rolebindings + - roles + verbs: + - get + - patch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get +- apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list + +{{ end }} \ No newline at end of file 
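Review bot: The `openshift.io/description` annotation says the linter "can not view secrets or membership", yet the first rule lists `secrets` with `get`, `list` and `watch`, and the rule near the end grants `get` and `patch` on `roles` and `rolebindings`. Both contradict the description and the "fairly low permissions" comment in values.yaml, and `patch` is a write verb on the namespace's RBAC objects. Unless template verification really needs them, remove the `- secrets` entry from the first rule and the `- patch` verb from the roles rule. Several rules are also duplicated or split one verb per rule (`statefulsets/scale`, `networkpolicies`, `replicasets`, `daemonsets`), which makes the effective grant hard to audit; merging them would help the next reviewer.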
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml
new file mode 100644
index 000000000..ebb16624d
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/linter/linterRoleBinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.linter.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-linter
+ labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-linter
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-linter
+ namespace: {{ .Values.linter.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml
new file mode 100644
index 000000000..cc1d53ec5
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/linter/linterServiceAccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.linter.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace)}}
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ .Release.Name }}-linter
+ labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}}
+ namespace: {{ .Values.linter.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml b/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml
new file mode 100644
index 000000000..56b5d77c1
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/networking/networkPolicy.yaml
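Review bot: The subject in linterRoleBinding.yaml uses `namespace: {{ .Values.linter.namespace }}`, but the chart's values.yaml defines only `linter.serviceAccount.enabled`, so this key is unset unless a caller happens to pass it. The guard on the template already ties the linter to `.Values.provisioner.namespace`, so the binding should use the same source: `namespace: {{ .Values.provisioner.namespace }}`. linterServiceAccount.yaml in the next hunk has the same reference in `metadata.namespace` and needs the same change.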
@@ -0,0 +1,23 @@
+{{- if and .Values.networking.networkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-allow-route-ingress
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ # This policy allows any pod with a route & service combination
+ # to accept traffic from the OpenShift router pods. This is
+ # required for things outside of OpenShift (like the Internet)
+ # to reach your pods.
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ network.openshift.io/policy-group: ingress
+ podSelector: {}
+ policyTypes:
+ - Ingress
+
+{{- end }}
diff --git a/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml b/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml
new file mode 100644
index 000000000..b706a96c0
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/networking/podNetworkPolicy.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-allow-same-namespace
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ # This policy allows pods to accept traffic from other pods in this namespace
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/networking/route.yaml b/openshift/crunchydb/charts/tools/templates/networking/route.yaml
new file mode 100644
index 000000000..55cc81f35
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/networking/route.yaml
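Review bot: The `-allow-route-ingress` policy in networkPolicy.yaml uses `podSelector: {}`, so every pod in the namespace accepts connections from the router namespace on any port, including the database pods this chart set exists to support. The crunchy-postgres values earlier in the same patch set `pg_hba` to `host all all 0.0.0.0/0 md5`, which leaves the password as the only remaining control on that path. Consider selecting only the pods that sit behind a Route, for example `podSelector: { matchLabels: { <label-of-routed-app>: "<value>" } }`, and listing the allowed `ports`. The `-allow-same-namespace` policy in the next hunk is similarly broad; that may be intended, but a comment stating that the database is deliberately reachable from every pod in the namespace would make the decision explicit.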
@@ -0,0 +1,21 @@
+{{- if and .Values.networking.route.enabled (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ template "crunchy-postgres-tools.fullname" . }}
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ host: {{ .Values.networking.route.host }}
+ port:
+ targetPort: {{ template "crunchy-postgres-tools.fullname" . }}
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: {{ template "crunchy-postgres-tools.fullname" . }}
+ weight: 100
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml
new file mode 100644
index 000000000..fa677b65f
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRole.yaml
@@ -0,0 +1,237 @@ +{{ if .Values.provisioner.serviceAccount.enabled }} + +apiVersion: authorization.openshift.io/v1 +kind: Role +metadata: + labels: {{ include "crunchy-postgres-tools.labels" . | nindent 4}} + annotations: + openshift.io/description: A user who can deploy applications + openshift.io/reconcile-protect: "false" + name: {{ .Release.Name }}-provisioner +rules: + - apiGroups: + - image.openshift.io + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreamtags + verbs: + - get + - list + - watch + - update + - apiGroups: + - image.openshift.io + resources: + - imagestreamtags + verbs: + - delete + - apiGroups: + - project.openshift.io + - "" + attributeRestrictions: null + resources: + - projects + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + - persistentvolumeclaims + - services + - secrets + - configmaps + - endpoints + - pods + - pods/exec + verbs: + - watch + - list + - get + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + - pods/log + verbs: + - watch + - list + - get + - apiGroups: + - apps.openshift.io + attributeRestrictions: null + resources: + - deploymentconfigs + verbs: + - get + - create + - update + - patch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - create + - delete + - update + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - list + - get + - create + - update + - patch + - delete + - apiGroups: + - template.openshift.io + attributeRestrictions: null + resources: + - processedtemplates + - templates + verbs: + - create + - patch + - apiGroups: + - route.openshift.io + attributeRestrictions: null + resources: + - routes + verbs: + - get + - create + - update + - patch + - apiGroups: + - route.openshift.io + - "" + 
attributeRestrictions: null + resources: + - routes/custom-host + verbs: + - create + - apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + - cronjobs + verbs: + - get + - create + - update + - patch + - delete + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "rbac.authorization.k8s.io" + - "authorization.openshift.io" + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - extensions + - apps + resources: + - deployments + - replicasets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - artifactory.devops.gov.bc.ca + resources: + - artifactoryserviceaccounts + verbs: + - get + - list + - apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list + - create + - update + - patch + - delete + +{{ end }} diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml new file mode 100644 index 000000000..f89476fff --- /dev/null +++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerRoleBinding.yaml 
@@ -0,0 +1,19 @@
+{{ if .Values.provisioner.serviceAccount.enabled }}
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-provisioner
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-provisioner
+ namespace: {{ .Values.provisioner.namespace }}
+
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml
new file mode 100644
index 000000000..fe04e79cc
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/templates/provisioner/provisionerServiceAccount.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.provisioner.serviceAccount.enabled (eq .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ .Release.Name }}-provisioner
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4 }}
+ namespace: {{ .Values.provisioner.namespace }}
+
+{{ end }}
diff --git a/openshift/crunchydb/charts/tools/values.yaml b/openshift/crunchydb/charts/tools/values.yaml
new file mode 100644
index 000000000..0cd0cf421
--- /dev/null
+++ b/openshift/crunchydb/charts/tools/values.yaml
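Review bot: In provisionerRoleBinding.yaml the subject namespace comes from `.Values.provisioner.namespace`, which values.yaml leaves empty (`namespace: #tools-namespace`), and nothing in the template fails when it is missing. An install that forgets `--set provisioner.namespace=...` would render a binding with no subject namespace, and every `ne .Release.Namespace .Values.provisioner.namespace` guard in the other templates would evaluate as true. Make the omission a render-time error: `namespace: {{ required "provisioner.namespace must be set" .Values.provisioner.namespace }}`.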
@@ -0,0 +1,31 @@ +fullnameOverride: crunchy-postgres-tools +deploymentName: crunchy-postgres + +deployer: + serviceAccount: + enabled: true + +# Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod) +# The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions +provisioner: + namespace: #tools-namespace + serviceAccount: + enabled: true + +# Service account with fairly low permissions for the linter +linter: + serviceAccount: + enabled: true + +networking: + # Network policy to allow traffic from outside the namespace (like the internet) + networkPolicy: + enabled: true + # Pod network policy to allow pods to accept traffic from other pods in this namespace + podNetworkPolicy: + enabled: true + # Enable OpenShift route whitch allows you to host your application at a public URL + route: + enabled: false + host: # eg: crunchy-postgres-namespace.apps.silver.devops.gov.bc.ca + From e8324f9fd1b56650039b350d87e3635b78e5276d Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Mon, 16 Dec 2024 09:46:20 -0800 Subject: [PATCH 2/5] fix: FORMS-1670 install oc for pr undeploy action. (#1546) GitHub has removed "oc" from the "ubuntu-latest" image. Do an explicit install of it. --- .github/workflows/pr_undeploy.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr_undeploy.yaml b/.github/workflows/pr_undeploy.yaml index 511127605..4af91cbc7 100644 --- a/.github/workflows/pr_undeploy.yaml +++ b/.github/workflows/pr_undeploy.yaml @@ -22,6 +22,10 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: Install OpenShift CLI tools + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: "4.14" - name: Login to OpenShift Cluster uses: redhat-actions/oc-login@v1 with: From 6c3983c61744762e54feb6b72fb41a8fa51ae53b Mon Sep 17 00:00:00 2001 
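Review bot: `networking.networkPolicy.enabled` defaults to `true` in values.yaml, and its own comment describes that policy as allowing traffic from outside the namespace (like the internet); a default of `false`, with each environment opting in, would be the more conservative baseline for a chart deployed alongside a database. The policy template is not in this part of the patch, so what it actually admits should be confirmed rather than taken from the comment. `provisioner.namespace` is also left empty while `provisioner.serviceAccount.enabled` is `true`; a comment such as `# required: namespace that holds the provisioner service account` would make that dependency explicit.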
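Review bot: The new step in pr_undeploy.yaml pins `redhat-actions/openshift-tools-installer` to the mutable tag `@v1`, and the `oc` binary it installs is what the following login step uses, presumably with cluster credentials. Pinning third-party actions to a full commit SHA keeps a moved tag from changing what runs in this job: `uses: redhat-actions/openshift-tools-installer@<full-commit-sha> # v1`. The same applies to `redhat-actions/oc-login@v1` in the context lines. The job's step list continues outside the hunk.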
From: Nimya John <78105113+nimya-aot@users.noreply.github.com> Date: Tue, 17 Dec 2024 10:39:24 -0800 Subject: [PATCH 3/5] test: FORMS-1619 Cypress test scripts for adding Form Meta data section on form settings page (#1544) * #FORMS-974 * #974 updates * #980 modification to cypress config * FORMS-980 * #992 * #992 Fix cypress scripts * #1011 Form design page * #1011 test scripts * #1023 cypress scripts * #1023 advanced data components * #1023 Updated scripts * #1023 updation * Updated json file * Test/forms (#1011)(#1023) (#1307) * #FORMS-974 * #974 updates * #980 modification to cypress config * FORMS-980 * #992 * #992 Fix cypress scripts * #1011 Form design page * #1011 test scripts * #1023 cypress scripts * #1023 advanced data components * #1023 Updated scripts * #1023 updation * Updated json file * #1059 workflow file for cypress * #1059 updated the base url * #1059 updated workflow * Updated node version * updated * updated * Updation * updated file * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * updated package file * Update cypress-ci.yaml * Updated config file * Update cypress-ci.yaml * #1059 updated package * #1060 scripts for Advanced fields and BC Gov components * Fixing review comments * Updated changes * # Updated with PR comments * updated * Update form-design-basicfields.cy.js * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Modifies test scripts * Updated files * Fixed errors 
during CI/CD Run * Updated browser type * Updated Simple BC address component * Updated * Fields updated * Test script changed * Updated * Updated fields * Updated env variable * Update form-design-basicfields.cy.js * Updated * Update cypress-ci.yaml * Updated email input * screenshots * Updated path * Update cypress-ci.yaml * Update cypress-ci.yaml * Updated version on workflow * Fix to failed tests * Fix to BC address component * Updated the component * Changed button element * Fixed BC components * Modified submission * Modified components * Updated attribute * Updated * Changed simpleBC address component * Update package.json * Update package-lock.json * Test scripts * Updated * Pushed the changes * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Env change * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Update cypress-ci.yaml * Updated * Updated to take default env variable * Updated with current workflow * updated * Formatted * Update cypress.config.js * updated * Test scripts for updating submission data * Scripts for adding notes * Added scripts for logout after each run * Adding statuses to submission * Fixed alert message for subscription settings * Fixing CI/CD running issues * Fixed issues on schedule date verification * #1488 public 
form submission * #1488 form for public * form settings page for public form * Added scripts for public forms with no status assign ability * Changes with login page * Removed additional login page * #1478/Draft submission * Scripts for draft submission * #1478 Added column management functionality and delete button * Fixed some CI/Cd issues * #1478 Renamed public form * Removed duplicate files * # Fixed issues after implimenting custom metadata * Updated settings button * #1540 Test scripts for revise status changes * Modified scripts * Fixed CI/Cd issue * #1547 test scripts for export/imprt design * #1547 added preview form * Added downloads folder to config file * Added downloads folder * Fixed spacing issue * Removed downloaded files * Modified download folder path * Fixed some fornmatting issue * Updated component check * #1578 updated scripts * #1578 Added email notification * #1528 Scripts for email management * #1528 Fixed some running issues * Fixed running issues * Modified form-team-managememnt.cy.js file name * Fixed issue with export button click * #1346 Test scripts for API export functionality validation * #1346 Added External API existence checks * #1619 Added scripts for validatimg Meta form section * #1619 Added help link validations on form settings page --------- Co-authored-by: jasonchung1871 <101672465+jasonchung1871@users.noreply.github.com> --- .../e2e/form-edit-submission-data.cy.js | 8 ++-- tests/functional/cypress/support/login.js | 43 +++++++++++++++---- 2 files changed, 38 insertions(+), 13 deletions(-) diff --git a/tests/functional/cypress/e2e/form-edit-submission-data.cy.js b/tests/functional/cypress/e2e/form-edit-submission-data.cy.js index e39e2e7ba..1849de1c0 100644 --- a/tests/functional/cypress/e2e/form-edit-submission-data.cy.js +++ b/tests/functional/cypress/e2e/form-edit-submission-data.cy.js 
@@ -105,11 +105,9 @@ describe('Form Designer', () => { //view submission cy.visit(`/${depEnv}/form/manage?f=${arrayValues[0]}`); - cy.waitForLoad(); - cy.waitForLoad(); - - cy.get('.mdi-list-box-outline').click({multiple:true,force:true}); - //cy.get('[data-test="canViewFormSubmissions"]').click({multiple:true,force:true}); + cy.wait(2000); + //cy.get('.mdi-list-box-outline').click({multiple:true,force:true}); + cy.get('[data-test="canViewFormSubmissions"]').click({multiple:true,force:true}); cy.waitForLoad(); cy.get('.v-data-table__tr > :nth-child(2)').should('exist'); cy.get('input[type="checkbox"]').then($el => { diff --git a/tests/functional/cypress/support/login.js b/tests/functional/cypress/support/login.js index 6bf2015fb..405a58ec5 100644 --- a/tests/functional/cypress/support/login.js +++ b/tests/functional/cypress/support/login.js @@ -13,12 +13,10 @@ export function formsettings(){ else { - - cy.visit(`/${depEnv}`); } - + cy.get('#logoutButton > .v-btn__content > span').should('not.exist'); cy.get('[data-test="base-auth-btn"] > .v-btn > .v-btn__content > span').click(); cy.get('[data-test="idir"]').click(); @@ -36,8 +34,6 @@ export function formsettings(){ let title="title" + Math.random().toString(16).slice(2); - - cy.get('[data-test="text-name"]').type(title); cy.get('[data-test="text-description"]').type('test description'); 
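Review bot: `cy.wait(2000)` in form-edit-submission-data.cy.js replaces the two `cy.waitForLoad()` calls with a fixed sleep, which slows the run when the page is fast and still fails when it is slow. Waiting on the element the next line clicks is more robust, for example `cy.get('[data-test="canViewFormSubmissions"]').should('exist')` ahead of the click. The `.mdi-list-box-outline` selector that is now commented out could be deleted rather than kept as dead code. The enclosing test body starts and ends outside the hunk.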
@@ -51,19 +47,49 @@ export function formsettings(){ cy.get(':nth-child(2) > .v-card > .v-card-text > .v-input--error > :nth-child(2)').contains('Please select 1 log-in type'); cy.get('input[value="team"]').click(); + cy.get('.v-label > .mdi-help-circle-outline').click(); + cy.contains('Add team members from the Team Management settings after creating this form.').should('be.visible'); + cy.get('.v-label > div > .mdi-help-circle-outline').then($el => { + const email_notify=$el[1]; + cy.get(email_notify).click({force: true}); + cy.contains('Send a notification to your specified email address when any user submits this form').should('be.visible'); + }); cy.get('[data-test="canSaveAndEditDraftsCheckbox"]').click(); cy.get(':nth-child(3) > .v-card > .v-card-text > :nth-child(2) > .v-input__control > .v-selection-control > .v-label > span').click();//Update the status of the form - //cy.get(':nth-child(3) > .v-input__control > .v-selection-control > .v-label > div > .mdi-flask').should('be.enabled');//Multiple draft upload cy.get(':nth-child(5) > .v-input__control > .v-selection-control > .v-label > div > span > strong').click();//Copy existing submission cy.get(':nth-child(7) > .v-input__control > .v-selection-control > .v-label > div').click();//Wide form Layout - + cy.get('[data-test="email-test"] > .v-input__control > .v-selection-control > .v-label > div > span').click({force: true}); cy.get('[data-test="email-test"] > .v-input__control > .v-selection-control > .v-label > div > span').click(); cy.get(':nth-child(4) > .v-card > .v-card-text > .v-text-field > .v-input__control > .v-field > .v-field__field > .v-field__input').type('abc@gmail.com'); + cy.get('.mb-6 > .mdi-help-circle-outline').should('exist'); + cy.get('a.preview_info_link_field_white').then($el => { + const drftupload=$el[0]; + const copy_sub=$el[1]; + const wide_layput=$el[3]; + const metadata=$el[4]; + cy.get(drftupload).should("have.attr", "href", 
"https://developer.gov.bc.ca/docs/default/component/chefs-techdocs/Capabilities/Functionalities/Allow-multiple-draft-upload/"); + cy.get(copy_sub).should("have.attr", "href", "https://developer.gov.bc.ca/docs/default/component/chefs-techdocs/Capabilities/Functionalities/Copy-an-existing-submission/"); + cy.get(wide_layput).should("have.attr", "href", "https://developer.gov.bc.ca/docs/default/component/chefs-techdocs/Capabilities/Functionalities/Wide-Form-Layout"); + cy.get(metadata).should("have.attr", "href", "https://developer.gov.bc.ca/docs/default/component/chefs-techdocs/Capabilities/Integrations/Form-Metadata/"); + }); + //Validate Form Meta Data section + cy.get('textarea').then($el => { + + const metadata=$el[1]; + cy.get(metadata).click({force: true}); + cy.get('[data-test="json-test"]').type('{selectall}{backspace}'); + cy.get('.v-messages__message').contains('Form metadata must be valid JSON. Use double-quotes around attributes and values.').should('exist'); + cy.get('[data-test="json-test"]').type('{}'); + + + }); cy.get('.v-row > :nth-child(1) > .v-input > .v-input__control > .v-field > .v-field__append-inner').click(); cy.contains("Citizens' Services (CITZ)").click(); - + cy.get('.mb-4 > .mdi-help-circle-outline').click(); + cy.contains('If you do not see your specific use case, contact the CHEFS team to discuss further options').should('be.visible'); + cy.get('[data-test="case-select"]').click(); cy.get('.v-list').should('contain','Applications that will be evaluated followed'); cy.get('.v-list').should('contain','Collection of Datasets, data submission'); 
@@ -77,6 +103,7 @@ export function formsettings(){ cy.get('[data-test="api-true"] > .v-label > span').click(); cy.get('.mt-3 > .mdi-help-circle-outline').should('be.visible'); cy.get('.mt-3 > .mdi-help-circle-outline').click(); + cy.contains('Labels serve as a means to categorize similar forms that may belong to a common organization or share a related context.').should('be.visible'); cy.get('.d-flex > .v-input > .v-input__control > .v-field > .v-field__field > .v-field__input').click(); cy.get('.d-flex > .v-input > .v-input__control > .v-field > .v-field__field > .v-field__input').type('test label'); cy.get(':nth-child(4) > .v-card-text > .v-input > .v-input__control > .v-selection-control > .v-label > span').click(); From beeb6049624dd9bf2230e44ca985c7628b57953d Mon Sep 17 00:00:00 2001 From: Walter Moar Date: Tue, 17 Dec 2024 13:35:28 -0800 Subject: [PATCH 4/5] fix: FORMS-1652 upgrade redash db to crunchy (#1545) Upgrade the database used by Redash from single-pod PostgreSQL to a CrunchyDB cluster. --- openshift/redash/README.md | 9 +++++++ .../crunchydb-postgres-values-no-limits.yaml | 24 +++++++++++++++++++ .../redash/crunchydb-postgres-values.yaml | 18 ++++++++++++++ openshift/redash/crunchydb-tools-values.yaml | 2 ++ 4 files changed, 53 insertions(+) create mode 100644 openshift/redash/crunchydb-postgres-values-no-limits.yaml create mode 100644 openshift/redash/crunchydb-postgres-values.yaml create mode 100644 openshift/redash/crunchydb-tools-values.yaml diff --git a/openshift/redash/README.md b/openshift/redash/README.md index 79ee0fff5..71d19a9e8 100644 --- a/openshift/redash/README.md +++ b/openshift/redash/README.md 
@@ -2,6 +2,15 @@ CHEFS uses [Redash](https://redash.io) to visualize forms metadata and display it in dashboards. +## Database + +Redash uses CrunchyDB for its highly available database. + +```sh +helm -n a12c97-tools upgrade --install crunchy-tools-redash ../crunchydb/charts/tools -f crunchydb-tools-values.yaml +helm -n a12c97-tools upgrade --install crunchy-postgres-redash ../crunchydb/charts/crunchy-postgres -f crunchydb-postgres-values-no-limits.yaml -f crunchydb-postgres-values.yaml +``` + ## Install Pre-requisites The Redash Helm Chart doesn't work well in OpenShift due to the accounts it is trying to use for PostgreSQL and Redis. Install our own versions of them: diff --git a/openshift/redash/crunchydb-postgres-values-no-limits.yaml b/openshift/redash/crunchydb-postgres-values-no-limits.yaml new file mode 100644 index 000000000..369208eef --- /dev/null +++ b/openshift/redash/crunchydb-postgres-values-no-limits.yaml @@ -0,0 +1,24 @@ +instances: + limits: + cpu: + memory: + replicaCertCopy: + limits: + cpu: + memory: + +pgBackRest: + repoHost: + limits: + cpu: + memory: + sidecars: + limits: + cpu: + memory: + +proxy: + pgBouncer: + limits: + cpu: + memory: diff --git a/openshift/redash/crunchydb-postgres-values.yaml b/openshift/redash/crunchydb-postgres-values.yaml new file mode 100644 index 000000000..8a16cb9b9 --- /dev/null +++ b/openshift/redash/crunchydb-postgres-values.yaml @@ -0,0 +1,18 @@ +fullnameOverride: crunchy-postgres-redash + +postgresVersion: 16 + +instances: + replicas: 3 + dataVolumeClaimSpec: + storage: 512Mi + +pgBackRest: + repos: + schedules: + full: 0 12 * * * + incremental: 0 0,4,8,16,20 * * * + +proxy: + pgBouncer: + replicas: 3 diff --git a/openshift/redash/crunchydb-tools-values.yaml b/openshift/redash/crunchydb-tools-values.yaml new file mode 100644 index 000000000..bf1f2ec5b --- /dev/null +++ b/openshift/redash/crunchydb-tools-values.yaml 
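Review bot: crunchydb-postgres-values-no-limits.yaml blanks every `limits.cpu` and `limits.memory` for the instance, replicaCertCopy, pgBackRest and pgBouncer containers, and the file carries no comment explaining why. Without limits a runaway query or backup can take CPU and memory from other workloads unless a namespace quota or LimitRange caps it, which is not visible in this patch. A header comment stating the reason would settle this, e.g. `# Limits intentionally unset for Redash; namespace quota still applies (confirm)`. If memory exhaustion is a concern, keeping a memory limit and clearing only the CPU limit is a common compromise.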
@@ -0,0 +1,2 @@ +fullnameOverride: crunchy-postgres-tools-redash +deploymentName: crunchy-postgres-redash From 6fb6b647001e119e417cc68afc674df054ef7e35 Mon Sep 17 00:00:00 2001 From: bhuvan-aot <61068301+bhuvan-aot@users.noreply.github.com> Date: Tue, 17 Dec 2024 15:50:14 -0800 Subject: [PATCH 5/5] FORMS-1642 - Wide Layout Mode as default when users land on form (#1540) --- .../components/designer/FormViewerActions.vue | 17 ++++++++++------ .../src/components/forms/FormSubmission.vue | 1 + .../designer/FormViewerActions.spec.js | 20 +++++++++++++++++++ .../components/forms/FormSubmission.spec.js | 3 +++ 4 files changed, 35 insertions(+), 6 deletions(-) diff --git a/app/frontend/src/components/designer/FormViewerActions.vue b/app/frontend/src/components/designer/FormViewerActions.vue index cd274f32b..116b43258 100644 --- a/app/frontend/src/components/designer/FormViewerActions.vue +++ b/app/frontend/src/components/designer/FormViewerActions.vue @@ -1,6 +1,6 @@