From 89f4a22f8398a17972d8111ee6a26d69928beebe Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 10:34:55 +0200 Subject: [PATCH 01/12] redis password --- README.md | 4 ++-- charts/wger/Chart.yaml | 6 +++--- charts/wger/templates/deployment.yaml | 11 +++++++++++ charts/wger/templates/secret-redis.yaml | 2 +- charts/wger/values.yaml | 22 +++++++++++++++++++++- example/prod_values.yaml | 13 +++++++++++-- 6 files changed, 49 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2de4d58..2313e8c 100644 --- a/README.md +++ b/README.md @@ -219,8 +219,8 @@ wger-app requires for the django database migrations the superuser privileges, s | Name | Description | Type | Default Value | |------|-------------|------|---------------| | `redis.enabled` | Enable the redis chart | Boolean | `true` | -| `redis.auth.enabled` | Whether to enable redis login. Currently, only `false` is supported | Boolean | `false` | -| `redis.auth.password` | Password for redis login. Not required if `redis.auth.enabled` is `false` | String | `wger` | +| `redis.auth.enabled` | Whether to enable redis login. | Boolean | `false` | +| `redis.auth.password` | Password for redis login. Not required if `redis.auth.enabled` is `false` | String | `randAlphaNum 25` | | `redis.service.serverPort` | Redis server service port | Integer | `6379` | | `redis.storage.persistentVolumeClaimName` | PVC name when existing storage volume should be used | String | `Nil` | | `redis.storage.requestedSize` | Size for new PVC, when no existing PVC is used | String | `Nil` | diff --git a/charts/wger/Chart.yaml b/charts/wger/Chart.yaml index c1245e3..2784078 100644 --- a/charts/wger/Chart.yaml +++ b/charts/wger/Chart.yaml @@ -1,6 +1,6 @@ --- apiVersion: v2 -version: 0.1.12 +version: 0.1.13-alpha appVersion: latest name: wger description: A Helm chart for Wger installation on Kubernetes 
@@ -14,11 +14,11 @@ dependencies: condition: postgres.enabled tags: - groundhog2k - version: 0.4.5 + version: 1.3.1 repository: https://groundhog2k.github.io/helm-charts - name: redis condition: redis.enabled tags: - groundhog2k - version: 0.6.14 + version: 1.2.0 repository: https://groundhog2k.github.io/helm-charts diff --git a/charts/wger/templates/deployment.yaml b/charts/wger/templates/deployment.yaml index 4821101..2121d84 100644 --- a/charts/wger/templates/deployment.yaml +++ b/charts/wger/templates/deployment.yaml @@ -64,6 +64,17 @@ spec: secretKeyRef: name: "{{.Release.Name}}-postgres" key: "POSTGRES_DB" + # to enable redis authentication + # additional settings in the values + # must be made, passed to the redis + # container + {{- if .Values.redis.auth.enabled } + - name: DJANGO_CACHE_CLIENT_PASSWORD + valueFrom: + secretKeyRef: + name: "redis" + key: "redis-password" + {{- end }} {{- if .Values.celery.flower.enabled }} - name: CELERY_FLOWER_PASSWORD valueFrom: diff --git a/charts/wger/templates/secret-redis.yaml b/charts/wger/templates/secret-redis.yaml index a775b26..fb853e0 100644 --- a/charts/wger/templates/secret-redis.yaml +++ b/charts/wger/templates/secret-redis.yaml @@ -10,7 +10,7 @@ stringData: {{ if .Values.redis.auth.password }} redis-password: {{ .Values.redis.auth.password | b64enc | quote }} {{ else }} - redis-password: {{ randAlphaNum 10 | b64enc | quote }} + redis-password: {{ randAlphaNum 25 | b64enc | quote }} {{ end }} {{- end }} {{- end }} diff --git a/charts/wger/values.yaml b/charts/wger/values.yaml index b44582c..1d9b3d0 100644 --- a/charts/wger/values.yaml +++ b/charts/wger/values.yaml 
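Review bot: The added `secretKeyRef` in deployment.yaml points at a fixed Secret name, `name: "redis"`, while the postgres reference directly above it is release-scoped (`"{{.Release.Name}}-postgres"`). With a fixed name, two releases of this chart in one namespace would share and overwrite the same Redis credential. Consider `name: "{{.Release.Name}}-redis"` here and in secret-redis.yaml's `metadata.name`; the `secretKeyRef` examples in the values files would then have to carry the release name too. The same block is repeated in the three hunks of PATCH 06/12, and as committed in this patch the guard `{{- if .Values.redis.auth.enabled }` has a single closing brace and will not render until PATCH 03/12 corrects it. The `env:` list this block sits in starts and ends outside the hunk.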
@@ -154,9 +154,29 @@ postgres: redis: # Note: keep these variables present as the chart uses them for the Deployment enabled: true + # auth: is used in wger-helm-charts to auto-create a secret for redis + # + # if you enable auth it will create new secret from auth.password + # if auth.password is missing it will randomly generate one. + # + # to enable authentication in the redis container, you need + # to enable the env and args mentioned below auth: enabled: false - password: wger + # default no password set, this will randomly create + # one upon first installation + #password: XXXXXXXXXXXXXXXXXX + # Uncomment the following to enable password authentication: + # # Additional environment variables (Redis server and Sentinel) + # env: + # - name: REDIS_PASSWORD + # valueFrom: + # secretKeyRef: + # name: redis + # key: redis-password + # # Arguments for the container entrypoint process (Redis server) + # args: + # - "--requirepass $(REDIS_PASSWORD)" storage: ## Set persistentVolumenClaimName to reference an existing PVC persistentVolumeClaimName: diff --git a/example/prod_values.yaml b/example/prod_values.yaml index ccc2e2b..3d5a074 100644 --- a/example/prod_values.yaml +++ b/example/prod_values.yaml @@ -81,8 +81,17 @@ postgres: redis: enabled: true auth: - enabled: false - password: wger + enabled: true + # Additional environment variables (Redis server and Sentinel) + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis + key: redis-password + # Arguments for the container entrypoint process (Redis server) + args: + - "--requirepass $(REDIS_PASSWORD)" storage: persistentVolumeClaimName: wger-redis className: "csi-cephfs-sc" From f42ffc93d98215244e0ba8a484be6b5ea1938acf Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 10:37:26 +0200 Subject: [PATCH 02/12] remove Chart.lock --- charts/wger/Chart.lock | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 charts/wger/Chart.lock 
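Review bot: As the new comment in charts/wger/values.yaml describes it, `auth.enabled` only creates the Secret, so setting it to `true` without also uncommenting `env` and `args` leaves the Redis server accepting unauthenticated connections even though the values read as if auth were on. State that at the flag itself, e.g. `# NOTE: enabled: true alone does not make redis require a password; env and args below are also required`, or have a template call `fail` when auth is enabled and no `--requirepass` argument is configured. The `redis:` mapping continues outside the hunk.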
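Review bot: In example/prod_values.yaml, passing the password as `--requirepass $(REDIS_PASSWORD)` in `args` puts the expanded secret on the redis-server command line, where it can be read from the process list by anyone able to exec into the pod or inspect processes on the node. If the redis subchart can take the setting from a configuration file or a mounted Secret instead (not visible in this patch), prefer that for the production example; otherwise add a comment such as `# note: the password is visible in the container's process arguments`. The same `args` line appears commented out in charts/wger/values.yaml and later in RELEASENOTES.md.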
diff --git a/charts/wger/Chart.lock b/charts/wger/Chart.lock deleted file mode 100644 index f1ba1ac..0000000 --- a/charts/wger/Chart.lock +++ /dev/null @@ -1,9 +0,0 @@ -dependencies: -- name: postgres - repository: https://groundhog2k.github.io/helm-charts - version: 0.4.5 -- name: redis - repository: https://groundhog2k.github.io/helm-charts - version: 0.6.14 -digest: sha256:19881f3f3425a4b56c047feb0529f2e0729eafb73b294b8770e7fccbb4ba802f -generated: "2023-07-26T10:55:01.686592589+02:00" From 9939dbcf4eeaa87b0336faa07e276f9ef869d1b9 Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 10:55:56 +0200 Subject: [PATCH 03/12] wip --- charts/wger/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/wger/templates/deployment.yaml b/charts/wger/templates/deployment.yaml index 2121d84..ccda28b 100644 --- a/charts/wger/templates/deployment.yaml +++ b/charts/wger/templates/deployment.yaml @@ -68,7 +68,7 @@ spec: # additional settings in the values # must be made, passed to the redis # container - {{- if .Values.redis.auth.enabled } + {{- if .Values.redis.auth.enabled }} - name: DJANGO_CACHE_CLIENT_PASSWORD valueFrom: secretKeyRef: From 395902a955b38558d3aeba8140df7046dc9a15da Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 11:13:51 +0200 Subject: [PATCH 04/12] postgres values change --- charts/wger/values.yaml | 15 ++++++++++----- example/prod_values.yaml | 15 ++++++++++----- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/charts/wger/values.yaml b/charts/wger/values.yaml index 1d9b3d0..8f6a7e1 100644 --- a/charts/wger/values.yaml +++ b/charts/wger/values.yaml 
@@ -121,12 +121,17 @@ postgres: # changes to the superuser and userDatabase passwords will update # the secret where they are save in settings: - superuser: postgres - superuserPassword: postgres + superuser: + value: postgres + superuserPassword: + value: postgres userDatabase: - name: wger - user: wger - password: wger + name: + value: wger + user: + value: wger + password: + value: wger # the user from the user database will be turned into a superuser # some database migration in django requires this # otherwise it was not able to create the database diff --git a/example/prod_values.yaml b/example/prod_values.yaml index 3d5a074..e2186cc 100644 --- a/example/prod_values.yaml +++ b/example/prod_values.yaml @@ -66,12 +66,17 @@ ingress: postgres: enabled: true settings: - superuser: postgres - superuserPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + superuser: + value: postgres + superuserPassword: + value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX userDatabase: - name: wger - user: wger - password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + name: + value: wger + user: + value: wger + password: + value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX service: port: 5432 storage: From bc98006c640dc6119f315e0dd0e83381e3ae009b Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 11:52:23 +0200 Subject: [PATCH 05/12] make version jump --- charts/wger/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/wger/Chart.yaml b/charts/wger/Chart.yaml index 2784078..92b50ea 100644 --- a/charts/wger/Chart.yaml +++ b/charts/wger/Chart.yaml @@ -1,6 +1,6 @@ --- apiVersion: v2 -version: 0.1.13-alpha +version: 0.2.0-alpha appVersion: latest name: wger description: A Helm chart for Wger installation on Kubernetes From c5d1aa297e960f8e27fb7a39e514678711d24664 Mon Sep 17 00:00:00 2001 
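Review bot: The restructured defaults in charts/wger/values.yaml still ship fixed database credentials, `superuserPassword.value: postgres` and `userDatabase.password.value: wger`, so an install that does not override them runs with publicly known passwords. PATCH 01/12 removed the equivalent redis default (`password: wger`) in favour of a generated one; postgres would benefit from the same treatment, or at least a comment above the block such as `# default credentials for local testing only; override both passwords before exposing the database`. The `settings:` mapping continues outside the hunk.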
From: bbk Date: Sun, 5 May 2024 11:56:50 +0200 Subject: [PATCH 06/12] celery needs redis access too --- charts/wger/templates/deployment.yaml | 33 +++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/charts/wger/templates/deployment.yaml b/charts/wger/templates/deployment.yaml index ccda28b..884251b 100644 --- a/charts/wger/templates/deployment.yaml +++ b/charts/wger/templates/deployment.yaml @@ -235,6 +235,17 @@ spec: secretKeyRef: name: "{{.Release.Name}}-postgres" key: "POSTGRES_DB" + # to enable redis authentication + # additional settings in the values + # must be made, passed to the redis + # container + {{- if .Values.redis.auth.enabled }} + - name: DJANGO_CACHE_CLIENT_PASSWORD + valueFrom: + secretKeyRef: + name: "redis" + key: "redis-password" + {{- end }} {{- if .Values.celery.flower.enabled }} - name: CELERY_FLOWER_PASSWORD valueFrom: @@ -284,6 +295,17 @@ spec: secretKeyRef: name: "{{.Release.Name}}-postgres" key: "POSTGRES_DB" + # to enable redis authentication + # additional settings in the values + # must be made, passed to the redis + # container + {{- if .Values.redis.auth.enabled }} + - name: DJANGO_CACHE_CLIENT_PASSWORD + valueFrom: + secretKeyRef: + name: "redis" + key: "redis-password" + {{- end }} - name: CELERY_FLOWER_PASSWORD valueFrom: secretKeyRef: @@ -394,6 +416,17 @@ spec: secretKeyRef: name: "{{.Release.Name}}-postgres" key: "POSTGRES_DB" + # to enable redis authentication + # additional settings in the values + # must be made, passed to the redis + # container + {{- if .Values.redis.auth.enabled }} + - name: DJANGO_CACHE_CLIENT_PASSWORD + valueFrom: + secretKeyRef: + name: "redis" + key: "redis-password" + {{- end }} {{- if .Values.celery.flower.enabled }} - name: CELERY_FLOWER_PASSWORD valueFrom: From adef3bdf7f572b4243e9dcde2357fa2c513bd5d4 Mon Sep 17 00:00:00 2001 
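Review bot: Only `DJANGO_CACHE_CLIENT_PASSWORD` is added in these three hunks, which judging by the commit subject cover the celery containers. If the Celery broker and result-backend URLs are set elsewhere in deployment.yaml as plain `redis://` URLs (not visible here), the workers would presumably still fail to authenticate once `--requirepass` is active, so that is worth confirming before release. Separately, this eleven-line block now exists four times in the file; a named template in a helpers file, included at each site, would keep the Secret name and key from drifting apart. Each `env:` list starts and ends outside its hunk.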
From: bbk Date: Sun, 5 May 2024 14:33:32 +0200 Subject: [PATCH 07/12] add updated Chart.lock --- charts/wger/Chart.lock | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 charts/wger/Chart.lock diff --git a/charts/wger/Chart.lock b/charts/wger/Chart.lock new file mode 100644 index 0000000..b8c3b23 --- /dev/null +++ b/charts/wger/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: postgres + repository: https://groundhog2k.github.io/helm-charts + version: 1.3.1 +- name: redis + repository: https://groundhog2k.github.io/helm-charts + version: 1.2.0 +digest: sha256:6a2d1e1a702d88285fce9e5dfcf72d4fa78c42a9b255fa77a8264e1df41c065f +generated: "2024-05-05T14:31:11.163945533+02:00" From 7e5aeabfbd6e0131a5103ffd858199aaf216c2ed Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 14:34:00 +0200 Subject: [PATCH 08/12] random password only when not existing --- charts/wger/templates/secret-redis.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/wger/templates/secret-redis.yaml b/charts/wger/templates/secret-redis.yaml index fb853e0..3fb30e8 100644 --- a/charts/wger/templates/secret-redis.yaml +++ b/charts/wger/templates/secret-redis.yaml @@ -7,10 +7,14 @@ metadata: name: redis namespace: {{ .Release.Namespace }} stringData: - {{ if .Values.redis.auth.password }} + {{- if .Values.redis.auth.password }} redis-password: {{ .Values.redis.auth.password | b64enc | quote }} {{ else }} + {{- if .Release.IsInstall }} redis-password: {{ randAlphaNum 25 | b64enc | quote }} - {{ end }} + {{ else }} + redis-password: {{ index (lookup "v1" "Secret" .Release.Namespace "redis").data "redis-password" }} + {{- end }} + {{- end }} {{- end }} {{- end }} From 2c9c5bcbda9a053ecd5df71f1e837f29c4b14f65 Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 14:55:29 +0200 Subject: [PATCH 09/12] fix wrong encoded secret --- charts/wger/templates/secret-redis.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
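Review bot: The `lookup "v1" "Secret" .Release.Namespace "redis"` result added in secret-redis.yaml is dereferenced without a guard, so rendering fails whenever the Secret is absent: an upgrade that turns `redis.auth.enabled` on for the first time, or a client-side `helm upgrade --dry-run`, where `lookup` returns an empty map. Bind it once and branch on the result instead of on `.Release.IsInstall`, e.g. `{{- $cur := lookup "v1" "Secret" .Release.Namespace "redis" }}` followed by `{{- if and $cur $cur.data }}`, falling back to the `randAlphaNum 25` branch otherwise. That would also remove the need to place a password in the values temporarily when enabling auth on an existing release. The unguarded expression is carried into PATCH 09/12, which switches the test to `.Release.IsUpgrade` and the field from `stringData:` to `data:` but keeps the dereference as is.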
diff --git a/charts/wger/templates/secret-redis.yaml b/charts/wger/templates/secret-redis.yaml index 3fb30e8..ba37bc3 100644 --- a/charts/wger/templates/secret-redis.yaml +++ b/charts/wger/templates/secret-redis.yaml @@ -6,14 +6,14 @@ kind: Secret metadata: name: redis namespace: {{ .Release.Namespace }} -stringData: +data: {{- if .Values.redis.auth.password }} redis-password: {{ .Values.redis.auth.password | b64enc | quote }} {{ else }} - {{- if .Release.IsInstall }} - redis-password: {{ randAlphaNum 25 | b64enc | quote }} + {{- if .Release.IsUpgrade }} + redis-password: {{ index (lookup "v1" "Secret" .Release.Namespace "redis").data "redis-password" | quote }} {{ else }} - redis-password: {{ index (lookup "v1" "Secret" .Release.Namespace "redis").data "redis-password" }} + redis-password: {{ randAlphaNum 25 | b64enc | quote }} {{- end }} {{- end }} {{- end }} From 434116e31525badffb5d3418c5a20a4880833917 Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 15:22:42 +0200 Subject: [PATCH 10/12] release candy --- RELEASENOTES.md | 43 ++++++++++++++++++++++++++++++++++++++++++ charts/wger/Chart.yaml | 2 +- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/RELEASENOTES.md b/RELEASENOTES.md index 027a780..8647abd 100644 --- a/RELEASENOTES.md +++ b/RELEASENOTES.md 
@@ -1,3 +1,46 @@ +## 0.2.0 + +* redis upgrade +* postgres minor upgrade + +Upgraded chart from groundhog2k for postgres requires changes to the `values.yml`: + +```yaml +postgres: + settings: + superuser: + value: postgres + superuserPassword: + value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + userDatabase: + name: + value: wger + user: + value: wger + password: + value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +``` + +* setting a redis password is now possible + +This requires you to set the following `env` and `args`, when enabling it. + +```yaml +redis: + auth: + enabled: true + # Additional environment variables (Redis server and Sentinel) + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis + key: redis-password + # Arguments for the container entrypoint process (Redis server) + args: + - "--requirepass $(REDIS_PASSWORD)" +``` + ## 0.1.6 * get the database credentials from the secret, like the postgres chart does diff --git a/charts/wger/Chart.yaml b/charts/wger/Chart.yaml index 92b50ea..97ba2f6 100644 --- a/charts/wger/Chart.yaml +++ b/charts/wger/Chart.yaml @@ -1,6 +1,6 @@ --- apiVersion: v2 -version: 0.2.0-alpha +version: 0.2.0-rc.1 appVersion: latest name: wger description: A Helm chart for Wger installation on Kubernetes From b8ec612b931ea93e508075c257e8af9ef22eb55a Mon Sep 17 00:00:00 2001 From: bbk Date: Sun, 5 May 2024 22:17:10 +0200 Subject: [PATCH 11/12] add release notes --- RELEASENOTES.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/RELEASENOTES.md b/RELEASENOTES.md index 8647abd..cfb0e24 100644 --- a/RELEASENOTES.md +++ b/RELEASENOTES.md @@ -2,6 +2,11 @@ * redis upgrade * postgres minor upgrade +* setting a redis password is now possible + +### Upgrade + +#### Postgres values change Upgraded chart from groundhog2k for postgres requires changes to the `values.yml`: 
@@ -21,9 +26,18 @@ postgres: value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ``` -* setting a redis password is now possible +#### Redis password + +When enabling the redis password after the installation (upgrade), it is required to set the password once in the `values.yml`, as soon as the secret is created it can be removed. + +```yaml +redis: + auth: + enabled: true + password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +``` -This requires you to set the following `env` and `args`, when enabling it. +Enabling redis authentication, requires you to set the following `env` and `args`, for the redis container: ```yaml redis: From 20eb2d50fdc1e23ef8c9aa55ad87d007bf2b6b62 Mon Sep 17 00:00:00 2001 From: bbk Date: Mon, 13 May 2024 20:43:12 +0200 Subject: [PATCH 12/12] beauty --- charts/wger/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/wger/values.yaml b/charts/wger/values.yaml index 8f6a7e1..65279f6 100644 --- a/charts/wger/values.yaml +++ b/charts/wger/values.yaml @@ -126,7 +126,7 @@ postgres: superuserPassword: value: postgres userDatabase: - name: + name: value: wger user: value: wger @@ -170,7 +170,7 @@ redis: enabled: false # default no password set, this will randomly create # one upon first installation - #password: XXXXXXXXXXXXXXXXXX + # password: XXXXXXXXXXXXXXXXXX # Uncomment the following to enable password authentication: # # Additional environment variables (Redis server and Sentinel) # env: