feat(pearl): export config in values

- container port var is now different from service port - add configuration for liveness/readiness/startup probes - add vault secrets - add sealed secrets
InseeFr · Apr 5, 2024 · 0c7b2c6 · 0c7b2c6
1 parent 3b8b5a7
commit 0c7b2c6
Show file tree

Hide file tree

Showing 5 changed files with 172 additions and 31 deletions.
diff --git a/charts/pearl/templates/api/deployment.yaml b/charts/pearl/templates/api/deployment.yaml
@@ -32,8 +32,10 @@ spec:
             {{- toYaml .Values.api.securityContext | nindent 12 }}
           image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.api.image.pullPolicy }}
-          {{- if .Values.postgresql.enabled }}
+
+          {{- if or .Values.postgresql.enabled .Values.api.vaultStaticSecret.enabled }}
           env:
+            {{- if .Values.postgresql.enabled }}
             - name: FR_INSEE_PEARLJAM_PERSISTENCE_DATABASE_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -45,43 +47,51 @@ spec:
               value: {{ .Values.postgresql.auth.username | quote}}
             - name: FR_INSEE_PEARLJAM_PERSISTENCE_DATABASE_SCHEMA
               value: {{ .Values.postgresql.auth.database | quote}}
+            {{- end }}
+
+            {{- if .Values.api.vaultStaticSecret.enabled }}
+            {{- range $key, $value := .Values.api.vaultStaticSecret.config }}
+            - name:  {{ $value.nomEnv }}
+              valueFrom:
+                secretKeyRef: 
+                  name: {{ $value.secretName }}
+                  key:  {{ $value.keyUsed }}
+            {{- end }}
+            {{- end }}
           {{- end }}
-          {{- if and .Values.api.env .Values.api.enabled }}
+
+          {{- if or .Values.api.env .Values.api.sealedSecret.enabled }}
           envFrom:
+            {{- if .Values.api.env }}
             - configMapRef:
                 name: {{ template "pearl.api.fullname" . }}
+            {{- end }}
+            {{- if .Values.api.sealedSecret.enabled }}            
+            {{- range $key, $value := .Values.api.sealedSecret.config }}
+            - secretRef:
+                name: {{ $key }}
+            {{- end }}
+            {{- end }}
           {{- end }}
+
           ports:
-            - name: http
-              containerPort: 8080
+            - name: container-port
+              containerPort: {{ .Values.api.container.port }}
               protocol: TCP
+
+          {{- with .Values.api.livenessProbe }}
           livenessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /api/healthcheck
-              port: http
-              scheme: HTTP
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 2
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.api.readinessProbe }}
           readinessProbe:
-            failureThreshold: 3
-            httpGet:
-              path: /api/healthcheck
-              port: http
-              scheme: HTTP
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 5
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.api.startupProbe }}
           startupProbe:
-            failureThreshold: 30
-            httpGet:
-              path: /api/healthcheck
-              port: http
-              scheme: HTTP
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
           resources:
             {{- toYaml .Values.api.resources | nindent 12 }}
       {{- with .Values.api.nodeSelector }}
@@ -96,4 +106,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end -}}
+{{- end -}}
diff --git a/charts/pearl/templates/api/sealedsecret.yaml b/charts/pearl/templates/api/sealedsecret.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.api.sealedSecret.enabled -}}
+{{- range $key, $value := .Values.api.sealedSecret.config }}
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ $key }}
+spec:
+  encryptedData:
+  {{- range $cle, $valeur := $value.secretEnv }}
+    {{ $cle }}: {{ $valeur }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ $key }}
+      namespace: {{ $value.namespace }}
+    type: Opaque
+{{- end }}
+{{- end -}}
diff --git a/charts/pearl/templates/api/service.yaml b/charts/pearl/templates/api/service.yaml
@@ -9,9 +9,9 @@ spec:
   type: {{ .Values.api.service.type }}
   ports:
     - port: {{ .Values.api.service.port }}
-      targetPort: http
+      targetPort: container-port
       protocol: TCP
-      name: http
+      name: service-port
   selector: 
     {{- include "pearl.api.selectorLabels" . | nindent 4 }}
 {{- end }}
diff --git a/charts/pearl/templates/api/vaultstaticsecret.yaml b/charts/pearl/templates/api/vaultstaticsecret.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.api.vaultStaticSecret.enabled -}}
+{{- range $key, $value := .Values.api.vaultStaticSecret.config }}
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {{ $key }}
+spec:
+  rolloutRestartTargets:
+    - kind: Deployment 
+      name: {{ include "pearl.api.fullname" $ }}
+
+  type: kv-v2
+
+  # mount path
+  mount:  {{ $value.mount }}
+
+  # path of the secret
+  path: {{ $value.path }}
+
+  # dest k8s secret
+  destination:
+    name: {{ $value.secretName }}
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: {{ $value.refreshAfter }}
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: {{ $value.vaultAuthRef }}
+{{- end }}
+{{- end -}}
diff --git a/charts/pearl/values.yaml b/charts/pearl/values.yaml
@@ -126,6 +126,9 @@ api:
     # runAsNonRoot: true
     # runAsUser: 1000
 
+  container:
+    port: 8080
+
   service:
     type: ClusterIP
     port: 80
@@ -147,6 +150,48 @@ api:
     #    hosts:
     #      - chart-example.local
 
+  # check if pod is alive
+  # if problem with the pod itself, restart it
+  livenessProbe:
+    {}
+    # failureThreshold: 3
+    # httpGet:
+    #   path: /health/liveness
+    #   port: http
+    #   scheme: HTTP
+    # initialDelaySeconds: 15
+    # periodSeconds: 10
+    # successThreshold: 1
+    # timeoutSeconds: 1
+
+  # check if pod can accept traffic
+  # if pod cannot accept traffic because of external system failures (db down for example)
+  # do not forward traffic to the pod until pod is ready again
+  readinessProbe:
+    {}
+    # failureThreshold: 3
+    # httpGet:
+    #   path: /health/readiness
+    #   port: http
+    #   scheme: HTTP
+    # initialDelaySeconds: 15
+    # periodSeconds: 10
+    # successThreshold: 1
+    # timeoutSeconds: 1
+
+  # like liveness, but at startup time, it gives the opportunity to wait a little longer until the pod is ready
+  startupProbe:
+    {}
+    # failureThreshold: 30
+    # httpGet:
+    #   path: /health/liveness
+    #   port: http
+    #   scheme: HTTP
+    # initialDelaySeconds: 15
+    # periodSeconds: 10
+    # successThreshold: 1
+    # timeoutSeconds: 1
+
   resources:
     {}
     # We usually recommend not to specify default resources and to leave this as a conscious
@@ -175,6 +220,41 @@ api:
 
   env: {}
 
+  sealedSecret:
+    enabled: false
+    # env variables to set (with ciphered values)
+    config: {}
+    #   sealed-secret1:
+    #     namespace: "namespace-name"
+    #     secretEnv:
+    #       password: "ciphered value"
+    #   sealed-secret2:
+    #     namespace: "namespace-name"
+    #     secretEnv:
+    #       token1:
+    #       token2:
+
+  vaultStaticSecret:
+    enabled: false
+    # -- Configuration retrieving vault secrets
+    config: {}
+    #   nameVaultStaticSecret1:
+    #     mount: "secrets-env1"
+    #     path: ""
+    #     secretName: ""
+    #     refreshAfter: "30s"
+    #     vaultAuthRef: "namespaceName/namespaceName"
+    #     nomEnv: ""
+    #     keyUsed: ""
+    #   nameVaultStaticSecret2:
+    #     mount: "secrets-env1"
+    #     path: ""
+    #     secretname: ""
+    #     refreshAfter: "30s"
+    #     vaultAuthRef: ""
+    #     nomEnv: ""
+    #     keyUsed: ""
+
   metrics:
     enabled: false