Merge pull request #96 from bcgov/ci/sidecar

Add CDOGS Helm Chart and associated GA workflow
bcgov · Nov 11, 2023 · 69c8c16 · 69c8c16
2 parents 818ca5e + bffbc79
commit 69c8c16
Show file tree

Hide file tree

Showing 14 changed files with 530 additions and 30 deletions.
diff --git a/.github/actions/deploy-to-environment/action.yaml b/.github/actions/deploy-to-environment/action.yaml
@@ -45,7 +45,7 @@ runs:
       run: >-
         helm upgrade --install --atomic ${{ inputs.job_name }} ${{ inputs.app_name }}
         --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }}
-        --repo https://bcgov.github.io/common-object-management-service
+        --repo https://bcgov.github.io/common-document-generation-service
         --values ./.github/environments/values.${{ inputs.environment }}.yaml
         --set image.repository=ghcr.io/${{ github.repository_owner }}
         --set image.tag=sha-$(git rev-parse --short HEAD)

diff --git a/.github/environments/values.dev.yaml b/.github/environments/values.dev.yaml
@@ -12,10 +12,13 @@ config:
     SERVER_LOGLEVEL: http
     SERVER_PORT: "3000"
 
-    CACHE_DIR: "/tmp/carbone-files"
+    CACHE_DIR: "/var/lib/file-cache/data"
     CACHE_SIZE: 2GB
     CONVERTER_FACTORY_TIMEOUT: "60000"
     START_CARBONE: "true"
     UPLOAD_FIELD_NAME: template
     UPLOAD_FILE_COUNT: "1"
     UPLOAD_FILE_SIZE: 25MB
+
+fluentBit:
+  enabled: true
diff --git a/.github/environments/values.pr.yaml b/.github/environments/values.pr.yaml
@@ -1 +1,6 @@
 ---
+persistentVolumeClaim:
+  enabled: false
+
+fluentBit:
+  enabled: false
diff --git a/.github/environments/values.prod.yaml b/.github/environments/values.prod.yaml
@@ -3,18 +3,22 @@ config:
   enabled: true
   configMap:
     KC_ENABLED: "true"
-    KC_PUBLICKEY: ~
+    KC_PUBLICKEY: >-
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtq5+xTKB1FRCwufdluEx8mNIZU3eXpo91QUrqlpq226HcyF9WPihdpuZzdlS+kW6EC2prZfJpvDvzT/Og4fx9ZoQVKV0uYvWvEg5Sc3ikQMfO0ngqUC6FkxElj9LzpijpdEQd0JAmmem2329lITwWroX70imLhYu3aY+Q3hSY2lg5OJCBw0I2pulfQiMsGn3vgkwSvmIsDhOgSnwPJhPxD9TY6kjvTff6LB1bFSwlxh1l8dRBqRabDunoHn/uHfhVAHB/SgPkvP5Ybc5bP/idBNP0kiQcWiT02Z7aB1r7Fnd5YH9FEDhhF5OIYYBzHP4hPm6AgqG/IDhAuiqf/F9eQIDAQAB
     KC_REALM: comsvcauth
     KC_SERVERURL: "https://loginproxy.gov.bc.ca/auth"
 
     SERVER_BODYLIMIT: 100mb
     SERVER_LOGLEVEL: http
     SERVER_PORT: "3000"
 
-    CACHE_DIR: "/tmp/carbone-files"
+    CACHE_DIR: "/var/lib/file-cache/data"
     CACHE_SIZE: 2GB
     CONVERTER_FACTORY_TIMEOUT: "60000"
     START_CARBONE: "true"
     UPLOAD_FIELD_NAME: template
     UPLOAD_FILE_COUNT: "1"
     UPLOAD_FILE_SIZE: 25MB
+
+fluentBit:
+  enabled: true
diff --git a/.github/environments/values.test.yaml b/.github/environments/values.test.yaml
@@ -3,18 +3,22 @@ config:
   enabled: true
   configMap:
     KC_ENABLED: "true"
-    KC_PUBLICKEY: ~
+    KC_PUBLICKEY: >-
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dLa3e2Q65cvzoKYdqSu/Qkoi5fbG9FF++u0TVm3461sS7uLo2aIviNXHrfzgu4RKnzoy51VXhAfeT58mGiAweJiRyILr0OtwbDEd/W9D4Y8FdWV37Ltmb4D1M0kCHPHo9wkl5aGZj0VFgExdFXenSDlNuglZpNuAVOwWTL7hX1Cc+5Z5hX8891fcxcdAF/GkDGcyIteHV04aeoCWEMak0gSpGsNUgEhn7FUHI6maqiaBdoyOWn0Jbw/JpqewcD9ZYFLzZTMuBssTXJt4ipTibeqbI/bAdCtxXLJgmpkyMSA/KQeHLmBPdq3ayctoDRpqVMHsnC31Hm7Fz8aDHKaDwIDAQAB
     KC_REALM: comsvcauth
     KC_SERVERURL: "https://test.loginproxy.gov.bc.ca/auth"
 
     SERVER_BODYLIMIT: 100mb
     SERVER_LOGLEVEL: http
     SERVER_PORT: "3000"
 
-    CACHE_DIR: "/tmp/carbone-files"
+    CACHE_DIR: "/var/lib/file-cache/data"
     CACHE_SIZE: 2GB
     CONVERTER_FACTORY_TIMEOUT: "60000"
     START_CARBONE: "true"
     UPLOAD_FIELD_NAME: template
     UPLOAD_FILE_COUNT: "1"
     UPLOAD_FILE_SIZE: 25MB
+
+fluentBit:
+  enabled: true
diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml
@@ -0,0 +1,27 @@
+name: Release Charts
+
+on:
+  push:
+    paths:
+      - 'charts/**'
+    branches:
+      - master
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/app/config/default.json b/app/config/default.json
@@ -9,7 +9,7 @@
     "port": "3000"
   },
   "carbone": {
-    "cacheDir": "/tmp/carbone-files",
+    "cacheDir": "/var/lib/file-cache/data",
     "cacheSize": "2GB",
     "converterFactoryTimeout": "60000",
     "formFieldName": "template",

diff --git a/charts/cdogs/README.md b/charts/cdogs/README.md
@@ -29,40 +29,63 @@ Kubernetes: `>= 1.13.0`
 | autoscaling.maxReplicas | int | `16` |  |
 | autoscaling.minReplicas | int | `2` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| config.configMap | object | `{"CACHE_DIR":"/tmp/carbone-files","CACHE_SIZE":"2GB","CONVERTER_FACTORY_TIMEOUT":"60000","KC_PUBLICKEY":null,"KC_REALM":null,"KC_SERVERURL":null,"SERVER_BODYLIMIT":"100mb","SERVER_LOGLEVEL":"http","SERVER_PORT":"3000","START_CARBONE":"true","UPLOAD_FIELD_NAME":"template","UPLOAD_FILE_COUNT":"1","UPLOAD_FILE_SIZE":"25MB"}` | These values will be wholesale added to the configmap as is; refer to the cdogs documentation for what each of these values mean and whether you need them defined. Ensure that all values are represented explicitly as strings, as non-string values will not translate over as expected into container environment variables. For configuration keys named `*_ENABLED`, either leave them commented/undefined, or set them to string value "true". |
+| awsSecretOverride.password | string | `nil` | AWS Kinesis password - used by fluent-bit |
+| awsSecretOverride.username | string | `nil` | AWS Kinesis username - used by fluent-bit |
+| config.configMap | object | `{"CACHE_DIR":"/var/lib/file-cache/data","CACHE_SIZE":"2GB","CONVERTER_FACTORY_TIMEOUT":"60000","KC_PUBLICKEY":null,"KC_REALM":null,"KC_SERVERURL":null,"SERVER_BODYLIMIT":"100mb","SERVER_LOGLEVEL":"http","SERVER_PORT":"3000","START_CARBONE":"true","UPLOAD_FIELD_NAME":"template","UPLOAD_FILE_COUNT":"1","UPLOAD_FILE_SIZE":"25MB"}` | These values will be wholesale added to the configmap as is; refer to the cdogs documentation for what each of these values mean and whether you need them defined. Ensure that all values are represented explicitly as strings, as non-string values will not translate over as expected into container environment variables. For configuration keys named `*_ENABLED`, either leave them commented/undefined, or set them to string value "true". |
 | config.enabled | bool | `false` |  |
 | config.releaseScoped | bool | `false` | This should be set to true if and only if you require configmaps and secrets to be release scoped. In the event you want all instances in the same namespace to share a similar configuration, this should be set to false |
 | failurePolicy | string | `"Retry"` |  |
-| fluentBit.enabled | bool | `false` |  |
+| fluentBit.config.aws.defaultRegion | string | `"ca-central-1"` | AWS Kinesis default region |
+| fluentBit.config.aws.kinesisStream | string | `"nress-prod-iit-logs"` | AWS Kinesis stream name |
+| fluentBit.config.aws.roleArn | string | `nil` | AWS Kinesis role ARN |
+| fluentBit.config.logHostname | string | `"fluentd-csst.apps.silver.devops.gov.bc.ca"` | Fluentd logging hostname endpoint |
+| fluentBit.config.namespace | string | `nil` | The openshift/k8s namespace identifier |
+| fluentBit.config.product | string | `"cdogs"` | The application/product name identifier |
+| fluentBit.enabled | bool | `false` | Specifies whether the fluent-bit logging sidecar should be enabled |
+| fluentBit.image.name | string | `"fluent-bit"` | Default image name |
+| fluentBit.image.repository | string | `"docker.io/fluent"` | Default image repository |
+| fluentBit.image.tag | string | `"2.1.10"` | Default image tag |
+| fluentBit.resources.limits.cpu | string | `"100m"` | Limit Peak CPU (in millicores ex. 1000m) |
+| fluentBit.resources.limits.memory | string | `"64Mi"` | Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) |
+| fluentBit.resources.requests.cpu | string | `"10m"` | Requested CPU (in millicores ex. 500m) |
+| fluentBit.resources.requests.memory | string | `"16Mi"` | Requested Memory (in gigabytes Gi or megabytes Mi ex. 500Mi) |
+| fluentBit.route.metrics.path | string | `"/"` |  |
+| fluentBit.service.httpPlugin.name | string | `"http-plugin"` | HTTP Plugin service name |
+| fluentBit.service.httpPlugin.port | int | `80` | HTTP Plugin service port |
+| fluentBit.service.metrics.name | string | `"metrics"` | Metrics service name |
+| fluentBit.service.metrics.port | int | `2020` | Metrics service port |
 | fullnameOverride | string | `nil` | String to fully override fullname |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.repository | string | `"docker.io/bcgovimages"` |  |
-| image.tag | string | `nil` |  |
+| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy |
+| image.repository | string | `"docker.io/bcgovimages"` | Default image repository |
+| image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` | Specify docker-registry secret names as an array |
-| keycloakSecretOverride.password | string | `nil` |  |
-| keycloakSecretOverride.username | string | `nil` |  |
+| keycloakSecretOverride.password | string | `nil` | Keycloak password |
+| keycloakSecretOverride.username | string | `nil` | Keycloak username |
 | nameOverride | string | `nil` | String to partially override fullname |
 | networkPolicy.enabled | bool | `true` | Specifies whether a network policy should be created |
+| persistentVolumeClaim.enabled | bool | `true` | Specifies whether a persistent volume claim should be created |
+| persistentVolumeClaim.storageClassName | string | `"netapp-file-standard"` | Default storage class type |
+| persistentVolumeClaim.storageSize | string | `"2G"` | PVC Storage size (use M or G, not Mi or Gi) |
 | podAnnotations | object | `{}` | Annotations for cdogs pods |
-| podSecurityContext | object | `{}` |  |
+| podSecurityContext | object | `{}` | Privilege and access control settings |
 | replicaCount | int | `2` |  |
-| resources.limits.cpu | string | `"1000m"` |  |
-| resources.limits.memory | string | `"1Gi"` |  |
-| resources.requests.cpu | string | `"50m"` |  |
-| resources.requests.memory | string | `"256Mi"` |  |
-| route.annotations | object | `{}` | Annotations to add to the route |
+| resources.limits.cpu | string | `"1000m"` | Limit Peak CPU (in millicores ex. 1000m) |
+| resources.limits.memory | string | `"1Gi"` | Limit Peak Memory (in gigabytes Gi or megabytes Mi ex. 2Gi) |
+| resources.requests.cpu | string | `"50m"` | Requested CPU (in millicores ex. 500m) |
+| resources.requests.memory | string | `"256Mi"` | Requested Memory (in gigabytes Gi or megabytes Mi ex. 500Mi) |
+| route.annotations | object | `{"haproxy.router.openshift.io/timeout":"60s"}` | Annotations to add to the route |
 | route.enabled | bool | `true` | Specifies whether a route should be created |
 | route.host | string | `"chart-example.local"` |  |
 | route.tls.insecureEdgeTerminationPolicy | string | `"Redirect"` |  |
 | route.tls.termination | string | `"edge"` |  |
 | route.wildcardPolicy | string | `"None"` |  |
-| securityContext | object | `{}` |  |
-| service.port | int | `3000` |  |
-| service.portName | string | `"http"` |  |
-| service.type | string | `"ClusterIP"` |  |
+| securityContext | object | `{}` | Privilege and access control settings |
+| service.port | int | `3000` | Service port |
+| service.portName | string | `"http"` | Service port name |
+| service.type | string | `"ClusterIP"` | Service type |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.enabled | bool | `false` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `nil` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)
diff --git a/charts/cdogs/templates/NOTES.txt b/charts/cdogs/templates/NOTES.txt
@@ -1,5 +1,9 @@
 {{- $configMapName := printf "%s-%s" (include "cdogs.configname" .) "config" }}
 {{- $configMap := (lookup "v1" "ConfigMap" .Release.Namespace $configMapName ) }}
+{{- $awsSecretName := printf "%s-%s" (include "cdogs.configname" .) "aws" }}
+{{- $awsSecret := (lookup "v1" "Secret" .Release.Namespace $awsSecretName ) }}
+{{- $kcSecretName := printf "%s-%s" (include "cdogs.configname" .) "keycloak" }}
+{{- $kcSecret := (lookup "v1" "Secret" .Release.Namespace $kcSecretName ) }}
 Get the application URL by running these commands:
 {{- if .Values.route.enabled }}
   http{{ if $.Values.route.tls }}s{{ end }}://{{ .Values.route.host }}{{ .Values.route.path }}
@@ -22,3 +26,11 @@ Get the application URL by running these commands:
 
 Make sure that ConfigMap "{{ $configMapName }}" is defined in the namespace; the deployment will fail to run without it!
 {{- end }}
+{{- if and (not $awsSecret) (.Values.fluentBit.enabled) }}
+
+Make sure that Secret "{{ $awsSecretName }}" is defined in the namespace; the deployment will fail to run without it!
+{{- end }}
+{{- if and (not $kcSecret) (.Values.config.configMap.KC_ENABLED) }}
+
+Make sure that Secret "{{ $kcSecretName }}" is defined in the namespace; the deployment will fail to run without it!
+{{- end }}