Add a pre-upgrade job for migrations to run

charts/api/templates/migration-job.yaml

@@ -0,0 +1,162 @@
+# Copied from & Modified: https://github.com/helm/helm/blob/master/docs/examples/nginx/templates/post-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "api.fullname" . }}-pre-upgrade-migration-artisan-setup
+  labels:
+    # The "app.kubernetes.io/managed-by" label is used to track which tool deployed a given chart.
+    # It is useful for admins who want to see what releases a particular tool
+    # is responsible for.
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    # The "app.kubernetes.io/instance" convention makes it easy to tie a release to all of the
+    # Kubernetes resources that were created as part of that release.
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    # This makes it easy to audit chart usage.
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/name: {{ template "api.name" . }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    # Docs: https://github.com/helm/helm/blob/master/docs/charts_hooks.md
+    "helm.sh/hook": pre-upgrade
+spec:
+  template:
+    metadata:
+      name: {{ template "api.fullname" . }}
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/name: {{ template "api.name" . }}
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: pre-upgrade-migration-job
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          # All we're going to do is sleep for a while, then exit.
+          # TODO this could actually make the db user we need and also have the correct permissions?
+          command: ["/bin/sh"]
+          # -- isolate to avoid conflicts
+          args: ["-c", "php artisan migrate:install; php artisan migrate --isolated; php artisan passport:client --personal --no-interaction; php artisan passport:client --password --no-interaction"]
+          # TODO the env vars are mostly copied from the deployment, is there a way to reuse?
+          env:
+            - name: CONTAINER_ROLE
+              value: app
+            - name: APP_NAME
+              value: {{ .Values.app.name | quote }}
+            - name: APP_ENV
+              value: {{ .Values.app.env | quote }}
+            - name: APP_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.app.keySecretName | quote }}
+                  key: {{ .Values.app.keySecretKey | quote }}
+            - name: APP_DEBUG
+              value: {{ .Values.app.debug | quote }}
+            - name: APP_URL
+              value: {{ .Values.app.url | quote }}
+            - name: APP_TIMEZONE
+              value: {{ .Values.app.timezone | quote }}
+
+            - name: REDIS_PORT
+              value: {{ .Values.app.redis.port | quote }}
+            - name: REDIS_PASSWORD
+              {{- if .Values.app.redis.password }}
+              value: {{ .Values.app.redis.password | quote }}
+              {{- end }}
+              {{- if .Values.app.redis.passwordSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.app.redis.passwordSecretName | quote }}
+                  key: {{ .Values.app.redis.passwordSecretKey | quote }}
+              {{- end }}
+            - name: REDIS_DB
+              value: {{ .Values.app.redis.db | quote }}
+            - name: REDIS_CACHE_DB
+              value: {{ .Values.app.redis.cachedb | quote }}
+            - name: REDIS_PREFIX
+              value: {{ .Values.app.redis.prefix | quote }}
+
+            - name: MAIL_MAILER
+              value: {{ .Values.app.mail.mailer | quote }}
+            - name: MAILGUN_DOMAIN
+              value: {{ .Values.app.mail.mailgundomain | quote }}
+            - name: MAILGUN_SECRET
+              {{- if .Values.app.mail.mailgunsecret }}
+              value: {{ .Values.app.mail.mailgunsecret | quote }}
+              {{- else if .Values.app.mail.mailgunSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.app.mail.mailgunSecretName | quote }}
+                  key: {{ .Values.app.mail.mailgunSecretKey | quote }}
+              {{- end }}
+            - name: MAIL_FROM_ADDRESS
+              value: {{ .Values.app.mail.fromaddress | quote }}
+            - name: MAIL_FROM_NAME
+              value: {{ .Values.app.mail.fromname | quote }}
+
+            - name: ROUTES_LOAD_WEB
+              value: "1"
+            - name: ROUTES_LOAD_BACKEND
+              value: "1"
+
+            - name: LOG_CHANNEL
+              value: stderr
+            - name: STACKDRIVER_ENABLED
+              value: {{ .Values.app.stackdriver.enabled | quote }}
+            - name: STACKDRIVER_PROJECT_ID
+              value: {{ .Values.app.gce.projectId | quote }}
+            - name: STACKDRIVER_LOGGING_ENABLED
+              value: {{ .Values.app.stackdriver.loggingEnabled | quote }}
+            - name: STACKDRIVER_TRACING_ENABLED
+              value: {{ .Values.app.stackdriver.tracingEnabled | quote }}
+            - name: STACKDRIVER_ERROR_REPORTING_ENABLED
+              value: {{ .Values.app.stackdriver.errorReportingEnabled | quote }}
+            - name: STACKDRIVER_KEY_FILE_PATH
+              value: /var/run/secret/cloud.google.com/key.json
+            - name: STACKDRIVER_ERROR_REPORTING_BATCH_ENABLED
+              value: "false"
+            - name: STACKDRIVER_LOGGING_BATCH_ENABLED
+              value: "false"
+
+            - name: CACHE_DRIVER
+              value: {{ .Values.app.cacheDriver | quote }}
+            - name: QUEUE_CONNECTION
+              value: {{ .Values.app.queueConnection | quote }}
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.app.jwtSecretSecretName | quote }}
+                  key: {{ .Values.app.jwtSecretSecretKey | quote }}
+            - name: DB_CONNECTION
+              value: {{ .Values.app.db.connection | quote }}
+              # TODO from service discovery or something?
+            - name: DB_HOST_READ
+              value: {{ .Values.app.db.readHost | quote }}
+            - name: DB_HOST_WRITE
+              value: {{ .Values.app.db.writeHost | quote }}
+            - name: DB_PORT
+              value: {{ .Values.app.db.port | quote }}
+            - name: DB_DATABASE
+              value: {{ .Values.app.db.name | quote }}
+            - name: DB_USERNAME
+              value: {{ .Values.app.db.user | quote }}
+            - name: DB_PASSWORD
+              {{- if .Values.app.db.password }}
+              value: {{ .Values.app.db.password | quote }}
+              {{- end }}
+              {{- if .Values.app.db.passwordSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.app.db.passwordSecretName | quote }}
+                  key: {{ .Values.app.db.passwordSecretKey | quote }}
+              {{- end }}
+
+      {{- if .Values.app.gce.serviceAccountSecret }}
+      volumeMounts:
+        - name: "service-account-wbstack-api"
+          mountPath: "/var/run/secret/cloud.google.com"
+      volumes:
+        - name: "service-account-wbstack-api"
+          secret:
+            secretName: {{ .Values.app.gce.serviceAccountSecret | quote }}
+      {{- end }}