Adding features like serviceAccountName for OpenShift security constr…

…aints

- Fix a bug with postgresql.enabled value
- Add optional serviceAccount to deployment for required security on OpenShift
- Add docs for the new serviceAccount values
- Allow customizing the postgresqlDatabase value and PGDATABASE environment variable on the betydb container
- Allow disabling the creation of a betydb Secret in order to use an ExternalSecret from a vault instead
- Remove the conflicting PGDATABASE in the init container that points to the bety database
- Removing the PG_TABLE=sessions and PG_DATABASE=bety environment variable
- When the PG_TABLE=sessions environment variable is set, the check-postgresql init container fails. When the deployment fails, the argocd application never completes and enters the post-install phase. The load-db Job depends on the post-install hook running, so the bety database is never created.
- Remove post-install helm hook from load-db Job so that the bety database gets created for the Deployment
- Added string around the -r 0 parameter of the command

parent 9cc5541
author Christopher Tate <[email protected]> 1677561053 -0700
committer Christopher Tate <[email protected]> 1680705101 -0600
gpgsig -----BEGIN PGP SIGNATURE-----

 iQEzBAABCAAdFiEE8gjca+F8TU1M4A3jZbVOLA7tOVIFAmQthk0ACgkQZbVOLA7t
 OVIK1AgA1wYe2xmMRpyz/qQfGH7UpdoLv+az9JReXlW2+cda41VYaQahcEUSuRy3
 c3iJynk5uoaO9QcR8gKGThmuO6kZYpJceyaPGP/ms+KBT+rgN9XFcUPQIGjuRIoj
 OplUx9IqKPrTqVLb7H448QHNDq+oST43vvmzxmXei5KSHSxq6Vrjgiqe+3UoyjdM
 HidKEaIYddajhpbzGiHZ96klIq5TNiU+q1xsuTzT5fsFkiPzwrpom5H5MlQ31EGg
 CeKpBPtG7qNI3zrK3gi9//4n8BlYqh14ncr/7Ju5MxP9bjIHyL22ksasMYL3HMxu
 ggwyLGRQmhbpsXoRHVbxelyi381a7w==
 =pmxl
 -----END PGP SIGNATURE-----

Chart.lock

@@ -2,5 +2,5 @@ dependencies:
 - name: postgresql
   repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
   version: 8.9.9
-digest: sha256:526629d1646df6a72d4414adc89f3728f0e97e37a4e8ac65036c51e06361c7bb
-generated: "2022-06-22T22:35:06.775527-05:00"
+digest: sha256:9bf0731393755a97be066c786f40dd92f7a640137658a129a37c29cedd7d6560
+generated: "2023-02-27T22:24:29.970340243-07:00"

Chart.yaml

@@ -36,7 +36,7 @@ dependencies:
 - name: postgresql
   version: ~8.9
   repository:  https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  condition: postgres.enabled
+  condition: postgresql.enabled
 
 annotations:
   artifacthub.io/links: |

README.md

@@ -86,6 +86,14 @@ The following table lists the configurable parameters of the Bety chart and thei
 | `betyPassword`                       | Password value for bety.password                                              | `bety`                                                  |
 | `betyDatabase`                       | Name of the database for bety.database                                        | `bety`                                                  |
 
+### OpenShift/Kubernetes parameters
+
+| Parameter                         | Description                                              | Default                        |
+|-----------------------------------|----------------------------------------------------------|--------------------------------|
+| `serviceAccount.enabled`          | Enable creation and use of a deployment service account  | false                          |
+| `serviceAccount.name`             | Add a serviceAccountName to the deployment               | ``                             |
+| `serviceAccount.annotations`      | Add annotations to the serviceAccount                    | {}                             |
+
 ### Ingress parameters
 
 | Parameter                         | Description                                              | Default                        |

templates/_helpers.tpl

@@ -24,6 +24,23 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default service account name.
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "serviceAccount.fullname" -}}
+{{- if .Values.serviceAccount.name -}}
+{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -74,6 +91,8 @@ Environment variables for PostgreSQL
   value: {{ include "betydb.postgresqlHost" . | quote }}
 - name: PGPORT
   value: {{ include "betydb.postgresqlPort" . | quote }}
+- name: PGDATABASE
+  value: {{ .Values.postgresql.postgresqlDatabase | default "postgres" | quote }}
 - name: PGUSER
   value: {{ .Values.postgresql.postgresqlUsername | default "postgres" | quote }}
 - name: PGPASSWORD

templates/deployment.yaml

@@ -42,10 +42,6 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             {{- include "betydb.postgresqlEnv" . | nindent 12 }}
-            - name: PGDATABASE
-              value: {{ .Values.betyDatabase | quote }}
-            - name: PG_TABLE
-              value: "sessions"
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -100,6 +96,9 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ include "serviceAccount.fullname" . | quote }}
+      {{- end }}
     {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}

templates/hooks/load-db.yaml

@@ -49,7 +49,7 @@ spec:
             - -m
             - ${LOCAL_SERVER}
             - -r
-            - 0
+            - '0'
             - -w
             - {{ .Values.dburl | quote }}
           {{- else }}

templates/secrets.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.externalSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
 {{- end }}
   betyPassword:  {{ .Values.betyPassword | b64enc | quote }}
   secretKey:  {{ .Values.secretKey | b64enc | quote }}
+{{- end }}

templates/serviceAccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "serviceAccount.fullname" . }}
+  labels:
+    {{- include "betydb.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

values.yaml

@@ -39,6 +39,11 @@ betyDatabase: bety
 ## changed users will not be able to login with their existing passwords.
 secretKey: thisisnotasecret
 
+## Set to true if you will be managing the `betydb` secret with external secrets. 
+## The `betydb` secret includes `betyPassword`, `postgresqlPassword`, 
+## and `secretKey`.
+externalSecret: false
+
 ## dbtag is the tag of the database to load. Normally will use latest to
 ## make sure latest tag is loaded, this might not work with an older database.
 ## set this to "" to not load the database
@@ -107,6 +112,9 @@ postgresql:
   ## not saved in the database.
   postgresqlPassword: supersecret
 
+  ## postgresqlDatabase postgresql database to connect to load the database
+  postgresqlDatabase: postgres
+
   # need more space
   persistence:
     size: 20Gi
@@ -169,6 +177,21 @@ resources: {}
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 nodeSelector: {}
 
+serviceAccount:
+
+  # Specifies whether a service account should be added to the deployment
+  enabled: false
+
+  # Specifies whether a service account should be created
+  create: false
+
+  # Annotations to add to the service account
+  annotations: {}
+
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
 ## Tolerations
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 tolerations: []