GDB-9068: Improvements pt2

CHANGELOG.md

@@ -29,7 +29,7 @@ TODO: decide how detailed we want this to be
 - Moved all proxy configurations from `graphdb.clusterProxy` to just `proxy`
   - Renamed `proxy.persistence.enablePersistence` toggle to just `enabled`
   - Moved `proxy.serviceType` to `proxy.service.type`
-- Configmaps from `graphdb.configs` are now under `extraConfiguration`, `repositories` and `initialConfiguration` with a different structure allowing
+- Configmaps from `graphdb.configs` are now under `configuration`, `repositories`, `cluster` and `security` with a different structure allowing
   better reuse of existing configmaps
   - Users are now provided as a Secret
 - Moved job related configurations from `graphdb` (e.g. `graphdb.jobResources`) to a new root section `jobs`
@@ -85,12 +85,12 @@ TODO: decide how detailed we want this to be
 - Added a Service for single GraphDB deployments, configured with new configurations under `service`
 - Added new proxy configurations `proxy.command` and `proxy.args` that override the default container entrypoint and command, use for troubleshooting
 - Added new `global.clusterDomain` for reconfiguring the default Kubernetes cluster domain suffix in case it is different than `cluster.local`
-- Added `cluster.existingConfigmapKey` to specify a custom configmap key if needed
+- Added `cluster.config.configmapKey` to specify a custom configmap key if needed
 - Added `namespaceOverride` for overriding the deployment namespace for all resources in case of multi-namespace deployment
 - Added `proxy.logging.logback` configurations for providing the proxy with a custom Logback XML configuration
 - Added `extraConfiguration.existingSecret` for appending GraphDB properties from an existing Secret resource
 - Added `proxy.extraConfiguration` for appending extra GraphDB properties from existing ConfigMap and Secret resources
-- Added `cluster.existingClusterSecret` and `cluster.existingClusterSecretKey` for using an existing Secret instead of providing the cluster secret 
+- Added `cluster.token.existingSecret` and `cluster.token.secretKey` for using an existing Secret instead of providing the cluster secret 
   token as plaintext in values.yaml
 - Added default Secret objects for GraphDB and the proxy that contain sensitive GraphDB configurations
 - Added `configuration.secretProperties` and `proxy.secretProperties` for appending additional sensitive GraphDB configurations if needed
@@ -116,7 +116,7 @@ TODO: decide how detailed we want this to be
 - Added `jobs.persistence.emptyDir` configurations for the default temporary storage for all jobs
 - Added `security.provisioner.existingSecret` and `security.provisioner.tokenKey` to provide an existing authentication token
 - Added `security.admin` for configuring the username and/or the password of the administrator user
-- Added `security.users` for inserting additional users into the default initial user.js configuration
+- Added `security.initialUsers.users` for inserting additional users into the default initial user.js configuration
 - Added `initContainerDataPermissions` and `proxy.initContainerDataPermissions` for changing permissions in the storage volumes if needed
 - Added `extraVolumeClaimTemplates` and `proxy.extraVolumeClaimTemplates`
 
@@ -139,6 +139,7 @@ TODO: decide how detailed we want this to be
 - Overhauled NOTES.txt to be more helpful
 - Added default resource limits and requests for all init containers and provisioning jobs
 - PodDisruptionBudget are enabled by default for both GraphDB and GraphDB proxy
+- Node scheduling configurations are now processed as templates
 - Updated init containers to invoke `bash` instead of `sh`
 
 ## Version 10.6.0-R2

README.md

@@ -475,34 +475,38 @@ about defining resource limits.
 | args | list | `[]` |  |
 | automountServiceAccountToken | bool | `false` |  |
 | cluster.clusterCreationTimeout | int | `60` |  |
-| cluster.clusterSecret | string | `"s3cr37"` |  |
+| cluster.config.configmapKey | string | `"cluster-config.json"` |  |
 | cluster.config.electionMinTimeout | int | `8000` |  |
 | cluster.config.electionRangeTimeout | int | `6000` |  |
+| cluster.config.existingConfigmap | string | `""` |  |
 | cluster.config.heartbeatInterval | int | `2000` |  |
 | cluster.config.messageSizeKB | int | `64` |  |
 | cluster.config.transactionLogMaximumSizeGB | int | `50` |  |
 | cluster.config.verificationTimeout | int | `1500` |  |
-| cluster.existingClusterSecret | string | `""` |  |
-| cluster.existingClusterSecretKey | string | `""` |  |
-| cluster.existingConfig | string | `""` |  |
-| cluster.existingConfigmapKey | string | `"cluster-config.json"` |  |
 | cluster.jobs.createCluster.enabled | bool | `true` |  |
 | cluster.jobs.patchCluster.enabled | bool | `true` |  |
 | cluster.jobs.scaleCluster.enabled | bool | `true` |  |
+| cluster.token.existingSecret | string | `""` |  |
+| cluster.token.secret | string | `"s3cr37"` |  |
+| cluster.token.secretKey | string | `""` |  |
 | command | list | `[]` |  |
 | configuration.defaultJavaArguments | string | `"-XX:+UseContainerSupport -XX:MaxRAMPercentage=70 -XX:-UseCompressedOops"` |  |
 | configuration.externalUrl | string | `"http://graphdb.127.0.0.1.nip.io/"` |  |
+| configuration.extraProperties.configmapKey | string | `"graphdb.properties"` |  |
+| configuration.extraProperties.existingConfigmap | string | `""` |  |
+| configuration.extraProperties.existingSecret | string | `""` |  |
+| configuration.extraProperties.secretKey | string | `"graphdb.properties"` |  |
+| configuration.initialSettings.configmapKey | string | `"settings.js"` |  |
+| configuration.initialSettings.existingConfigmap | string | `""` |  |
 | configuration.javaArguments | string | `""` |  |
+| configuration.logback.configmapKey | string | `"logback.xml"` |  |
+| configuration.logback.existingConfigmap | string | `""` |  |
 | configuration.properties | object | `{}` |  |
 | configuration.secretProperties | object | `{}` |  |
 | containerPorts.http | int | `7200` |  |
 | containerPorts.rpc | int | `7300` |  |
 | dnsConfig | object | `{}` |  |
 | dnsPolicy | string | `""` |  |
-| extraConfiguration.properties.configmapKey | string | `"graphdb.properties"` |  |
-| extraConfiguration.properties.existingConfigmap | string | `""` |  |
-| extraConfiguration.properties.existingSecret | string | `""` |  |
-| extraConfiguration.properties.secretKey | string | `"graphdb.properties"` |  |
 | extraContainerPorts | object | `{}` |  |
 | extraContainers | list | `[]` |  |
 | extraEnv | list | `[]` |  |
@@ -554,10 +558,6 @@ about defining resource limits.
 | initContainerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | initContainerSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
 | initContainerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| initialConfiguration.settings.configmapKey | string | `"settings.js"` |  |
-| initialConfiguration.settings.existingConfigmap | string | `""` |  |
-| initialConfiguration.users.existingSecret | string | `""` |  |
-| initialConfiguration.users.secretKey | string | `"users.js"` |  |
 | jobs.backoffLimit | int | `10` |  |
 | jobs.persistence.emptyDir.sizeLimit | string | `"10Mi"` |  |
 | jobs.podSecurityContext.fsGroup | int | `10001` |  |
@@ -585,8 +585,6 @@ about defining resource limits.
 | livenessProbe.initialDelaySeconds | int | `60` |  |
 | livenessProbe.periodSeconds | int | `10` |  |
 | livenessProbe.timeoutSeconds | int | `5` |  |
-| logging.logback.configmapKey | string | `"logback.xml"` |  |
-| logging.logback.existingConfigmap | string | `""` |  |
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
@@ -613,17 +611,19 @@ about defining resource limits.
 | proxy.args | list | `[]` |  |
 | proxy.command | list | `[]` |  |
 | proxy.configuration.defaultJavaArguments | string | `"-XX:+UseContainerSupport -XX:MaxRAMPercentage=70"` |  |
+| proxy.configuration.extraProperties.configmapKey | string | `"graphdb.properties"` |  |
+| proxy.configuration.extraProperties.existingConfigmap | string | `""` |  |
+| proxy.configuration.extraProperties.existingSecret | string | `""` |  |
+| proxy.configuration.extraProperties.secretKey | string | `"graphdb.properties"` |  |
 | proxy.configuration.javaArguments | string | `""` |  |
+| proxy.configuration.logback.configmapKey | string | `"logback.xml"` |  |
+| proxy.configuration.logback.existingConfigmap | string | `""` |  |
 | proxy.configuration.properties | object | `{}` |  |
 | proxy.configuration.secretProperties | object | `{}` |  |
 | proxy.containerPorts.http | int | `7200` |  |
 | proxy.containerPorts.rpc | int | `7300` |  |
 | proxy.dnsConfig | object | `{}` |  |
 | proxy.dnsPolicy | string | `""` |  |
-| proxy.extraConfiguration.properties.configmapKey | string | `"graphdb.properties"` |  |
-| proxy.extraConfiguration.properties.existingConfigmap | string | `""` |  |
-| proxy.extraConfiguration.properties.existingSecret | string | `""` |  |
-| proxy.extraConfiguration.properties.secretKey | string | `"graphdb.properties"` |  |
 | proxy.extraContainerPorts | object | `{}` |  |
 | proxy.extraContainers | list | `[]` |  |
 | proxy.extraEnv | list | `[]` |  |
@@ -655,8 +655,6 @@ about defining resource limits.
 | proxy.livenessProbe.initialDelaySeconds | int | `120` |  |
 | proxy.livenessProbe.periodSeconds | int | `10` |  |
 | proxy.livenessProbe.timeoutSeconds | int | `5` |  |
-| proxy.logging.logback.configmapKey | string | `"logback.xml"` |  |
-| proxy.logging.logback.existingConfigmap | string | `""` |  |
 | proxy.nameOverride | string | `""` |  |
 | proxy.nodeSelector | object | `{}` |  |
 | proxy.persistence.emptyDir.sizeLimit | string | `"500Mi"` |  |
@@ -718,20 +716,22 @@ about defining resource limits.
 | readinessProbe.periodSeconds | int | `10` |  |
 | readinessProbe.timeoutSeconds | int | `5` |  |
 | replicas | int | `1` |  |
-| repositories.repositoriesConfigmap | string | `""` |  |
+| repositories.existingConfigmap | string | `""` |  |
 | resources.limits.memory | string | `"2Gi"` |  |
 | resources.requests.cpu | string | `"500m"` |  |
 | resources.requests.memory | string | `"2Gi"` |  |
 | revisionHistoryLimit | int | `10` |  |
 | schedulerName | string | `""` |  |
-| security.admin.password | string | `""` |  |
+| security.admin.initialPassword | string | `""` |  |
 | security.admin.username | string | `"admin"` |  |
 | security.enabled | bool | `false` |  |
+| security.initialUsers.existingSecret | string | `""` |  |
+| security.initialUsers.secretKey | string | `"users.js"` |  |
+| security.initialUsers.users | object | `{}` |  |
 | security.provisioner.existingSecret | string | `""` |  |
 | security.provisioner.password | string | `"iHaveSuperpowers"` |  |
 | security.provisioner.tokenKey | string | `"GRAPHDB_AUTH_TOKEN"` |  |
 | security.provisioner.username | string | `"provisioner"` |  |
-| security.users | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |

examples/custom-logback/values.yaml

@@ -1,11 +1,9 @@
-logging:
+configuration:
   logback:
     existingConfigmap: "graphdb-custom-logback-config"
-    configmapKey: "logback.xml"
 
-# You can use the same configuration for the proxy as well
+# You can use the same Logback configuration for the proxy as well
 proxy:
-  logging:
+  configuration:
     logback:
       existingConfigmap: "graphdb-custom-logback-config"
-      configmapKey: "logback.xml"

examples/openshift-local/README.md

@@ -2,7 +2,7 @@
 
 Example configurations for deploying GraphDB cluster in [OpenShift Local](https://developers.redhat.com/products/openshift-local/overview).
 
-The primary purpose is to show an example of the necessary OpenShift local overrides and the proper `securityContext` configurations so 
+The primary purpose is to show an example of the necessary OpenShift local overrides and the proper `podSecurityContext` configurations so 
 GraphDB can be deployed without policy violations.
 
 Read more about Kubernetes security context and OpenShift security context constraints:
@@ -45,7 +45,9 @@ Instances are configured for being accessed at [https://graphdb.apps-crc.testing
 You'll have to use the `oc` utility provided by `crc` (from step 1):
 
 ```bash
-oc create route edge --service=graphdb-cluster-proxy --port=7200 --hostname=graphdb.apps-crc.testing --namespace graphdb
+oc create route edge --service=graphdb-proxy --port=7200 --hostname=graphdb.apps-crc.testing --namespace graphdb
 ```
 
+Note: You might need to update your hosts file to resolve `graphdb.apps-crc.testing`
+
 You can now access GraphDB at [https://graphdb.apps-crc.testing/](https://graphdb.apps-crc.testing/).

examples/openshift-local/values.yaml

@@ -1,74 +1,34 @@
-global:
-  storageClass: "crc-csi-hostpath-provisioner"
 
-deployment:
-  host: graphdb.apps-crc.testing
-  protocol: https
-  ingress:
-    enabled: false
+fullnameOverride: graphdb
 
-graphdb:
-  clusterConfig:
-    nodesCount: 3
+# Cluster requires license, you have to provision it before deploying this chart
+license:
+  existingSecret: graphdb-license
 
-  workbench:
-    subpath: /
+replicas: 3
 
-  node:
-    # Cluster requires license, you have to provision it before deploying this chart
-    license: graphdb-license
-    securityContext:
-      runAsNonRoot: true
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-          - ALL
-    # Uncomment to disable default resource limits and requests
-    #resources:
-    #  limits:
-    #    memory: null
-    #    cpu: null
-    #  requests:
-    #    memory: null
-    #    cpu: null
-    initContainerSecurityContext:
-      runAsNonRoot: true
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-          - ALL
+configuration:
+  externalUrl: https://graphdb.apps-crc.testing
 
-  clusterProxy:
-    securityContext:
-      runAsNonRoot: true
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-          - ALL
-    # Uncomment to disable default resource limits and requests
-    #resources:
-    #  limits:
-    #    memory: null
-    #    cpu: null
-    #  requests:
-    #    memory: null
-    #    cpu: null
+ingress:
+  enabled: false
 
-  jobSecurityContext:
-    runAsNonRoot: true
-    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true
-    seccompProfile:
-      type: RuntimeDefault
-    capabilities:
-      drop:
-        - ALL
+# OpenShift uses very high uid/gid, override the default with 1000660000
+podSecurityContext:
+  runAsUser: 1000660000
+  runAsGroup: 1000660000
+  fsGroup: 1000660000
+
+jobs:
+  podSecurityContext:
+    runAsUser: 1000660000
+    runAsGroup: 1000660000
+    fsGroup: 1000660000
+
+proxy:
+  fullnameOverride: graphdb-proxy
+
+  podSecurityContext:
+    runAsUser: 1000660000
+    runAsGroup: 1000660000
+    fsGroup: 1000660000

files/config/users.js

@@ -2,7 +2,7 @@
   "users" : {
     "{{ .Values.security.admin.username }}" : {
       "username" : "{{ .Values.security.admin.username }}",
-      "password" : {{ coalesce .Values.security.admin.password "{bcrypt}$2a$10$H7uekkF1ZFLIV5M1g9tDs.syZGtkMqrfj2Si2SHG1WgwhpNqpZwne" | quote }},
+      "password" : {{ .Values.security.admin.initialPassword | default "{bcrypt}$2a$10$H7uekkF1ZFLIV5M1g9tDs.syZGtkMqrfj2Si2SHG1WgwhpNqpZwne" | quote }},
       "grantedAuthorities" : [ "ROLE_ADMIN" ],
       "appSettings" : {
         "DEFAULT_INFERENCE" : true,

templates/_helpers.tpl

@@ -78,8 +78,8 @@ Renders the HTTP address of each GraphDB node that is part of the cluster, joine
 {{- end -}}
 
 {{- define "grahdb.security.extra-users.json" -}}
-{{- if .Values.security.users -}}
-  {{- range $user, $data := .Values.security.users -}}
+{{- if .Values.security.initialUsers.users -}}
+  {{- range $user, $data := .Values.security.initialUsers.users -}}
     {{- $user | quote }}: {{ $data | mustToPrettyJson }},
   {{- end -}}
 {{- end -}}

templates/graphdb/_labels.tpl

@@ -2,6 +2,10 @@
 Helper functions for labels related to GraphDB resources
 */}}
 
+{{- define "graphdb.fullname.configmap.environment" -}}
+  {{- printf "%s-%s" (include "graphdb.fullname" .) "environment" -}}
+{{- end -}}
+
 {{- define "graphdb.fullname.configmap.properties" -}}
   {{- printf "%s-%s" (include "graphdb.fullname" .) "properties" -}}
 {{- end -}}
@@ -10,12 +14,12 @@ Helper functions for labels related to GraphDB resources
   {{- printf "%s-%s" (include "graphdb.fullname" .) "properties" -}}
 {{- end -}}
 
-{{- define "graphdb.fullname.configmap.settings" -}}
-  {{- printf "%s-%s" (include "graphdb.fullname" .) "settings" -}}
+{{- define "graphdb.fullname.configmap.initial-settings" -}}
+  {{- printf "%s-%s" (include "graphdb.fullname" .) "initial-settings" -}}
 {{- end -}}
 
-{{- define "graphdb.fullname.secret.users" -}}
-  {{- printf "%s-%s" (include "graphdb.fullname" .) "users" -}}
+{{- define "graphdb.fullname.secret.initial-users" -}}
+  {{- printf "%s-%s" (include "graphdb.fullname" .) "initial-users" -}}
 {{- end -}}
 
 {{- define "graphdb.fullname.service.headless" -}}

templates/graphdb/configmap.yaml → templates/graphdb/configmap-environment.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "graphdb.fullname" . }}
+  name: {{ include "graphdb.fullname.configmap.environment" . }}
   namespace: {{ include "graphdb.namespace" . }}
   labels:
     {{- include "graphdb.labels" . | nindent 4 }}

templates/graphdb/configmap-settings.yaml → templates/graphdb/configmap-initial-settings.yaml

@@ -1,8 +1,8 @@
-{{- if and .Values.security.enabled (not .Values.initialConfiguration.settings.existingConfigmap) }}
+{{- if and .Values.security.enabled (not .Values.configuration.initialSettings.existingConfigmap) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "graphdb.fullname.configmap.settings" . }}
+  name: {{ include "graphdb.fullname.configmap.initial-settings" . }}
   namespace: {{ include "graphdb.namespace" . }}
   labels:
     {{- include "graphdb.labels" . | nindent 4 }}
@@ -11,6 +11,6 @@ metadata:
     {{- tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
 data:
-  {{ .Values.initialConfiguration.settings.configmapKey }}: |-
+  {{ .Values.configuration.initialSettings.configmapKey }}: |-
     {{- tpl (.Files.Get "files/config/settings.js" | trim) . | nindent 4 }}
 {{- end }}

templates/graphdb/secret-users.yaml → templates/graphdb/secret-initial-users.yaml

@@ -1,8 +1,8 @@
-{{- if and .Values.security.enabled (not .Values.initialConfiguration.users.existingSecret) }}
+{{- if and .Values.security.enabled (not .Values.security.initialUsers.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "graphdb.fullname.secret.users" . }}
+  name: {{ include "graphdb.fullname.secret.initial-users" . }}
   namespace: {{ include "graphdb.namespace" . }}
   labels:
     {{- include "graphdb.labels" . | nindent 4 }}
@@ -12,5 +12,5 @@ metadata:
   {{- end }}
 type: Opaque
 data:
-  {{ .Values.initialConfiguration.users.secretKey }}: {{ tpl (.Files.Get "files/config/users.js" | trim) . | b64enc | quote }}
+  {{ .Values.security.initialUsers.secretKey }}: {{ tpl (.Files.Get "files/config/users.js" | trim) . | b64enc | quote }}
 {{- end }}