🔧(helm) rework chart based on jenny helm chart

Rework Warren Helm chart based on the work done on Jenny Helm chart in PR
openfun/charts#5
Changes done in this commit:
- Jobs for database migration or static collection are abstracted into a single
  job template
- Env variables are now processed in the helper template
- Removed unused HorizontalPodAutoscaler
- Add startup probes for migration checks
- Migration jobs are now executed post helm installation/upgrade
- Removed unnecessary security context variables
- Add a nginx container alongside warren-app to serve static files
- Rework postgresql values to have a functional Helm chart on a local cluster
- Update Helm chart README.md

Author: wilbrdt

src/helm/README.md

@@ -102,63 +102,30 @@ Our Elasticsearch cluster is all set. In the next section, we will now deploy
 
 ### Deploy the LRS: Ralph
 
-Ralph is also distributed as a Helm chart that can be deployed with a single
-line of code:
+Ralph is also distributed as a Helm chart. Check out the [Ralph Helm chart README](https://github.com/openfun/ralph/blob/main/src/helm/README.md) to deploy it!
 
-```bash
-helm install \
-    --values charts/ralph/values.yaml \
-    --set envSecrets.RALPH_BACKENDS__DATABASE__ES__HOSTS=https://elastic:"${ELASTIC_PASSWORD}"@data-lake-es-http:9200 \
-    lrs oci://registry-1.docker.io/openfuncharts/ralph
-```
-
-One can check if the server is running by opening a network tunnel to the
-service using the `port-forward` sub-command:
-
-
-```bash
-kubectl port-forward svc/lrs-ralph 8080:8080
-```
-
-And then send a request to the server using this tunnel:
-
-```bash
-curl --user admin:password localhost:8080/whoami
-```
-
-We expect a valid JSON response stating about the user you are using for this
-request.
-
-If everything went well, we can send 22k xAPI statements to the LRS using:
+### Deploy the dashboard suite: Warren
 
+Let's create the secrets needed for Warren deployment:
 ```bash
-gunzip -c ../../data/statements.jsonl.gz | \
-  sed "s/@timestamp/timestamp/g" | \
-  jq -s . | \
-  curl -Lk \
-    --user admin:password \
-    -X POST \
-    -H "Content-Type: application/json" \
-    http://localhost:8080/xAPI/statements/ -d @-
+kubectl apply -f manifests/warren-app-secrets.yaml
+kubectl apply -f manifests/warren-api-secrets.yaml
 ```
 
-### Deploy the dashboard suite: Warren
-
-Now that the LRS is running, we can deploy warren along with its dependencies
+We can now deploy Warren along with its dependencies
 using:
 
 ```bash
 # Fetch dependencies
-cd warren && helm dependency build
+helm dependency build ./warren
 
-# Deploy postgresql for Warren `app` service (Django)
+# Install Warren
 helm install warren ./warren --values development.yaml --debug --atomic
 ```
 
 If you want to upgrade your deployment (after a change in a template or a
 value), you can upgrade deployed version using:
 
 ```bash
-# Deploy postgresql for Warren `app` service (Django)
 helm upgrade --install warren ./warren --values development.yaml --debug --atomic
 ```

src/helm/charts/ralph/values.yaml

@@ -1,15 +1,5 @@
-envSecrets:
-  RALPH_BACKENDS__DATABASE__ES__INDEX: statements
-  RALPH_BACKENDS__DATABASE__ES__CLIENT_OPTIONS__ca_certs: "/usr/local/share/ca-certificates/ca.crt"
-  RALPH_BACKENDS__DATABASE__ES__CLIENT_OPTIONS__verify_certs: "true"
-
-lrs:
-  auth:
-    - username: "admin"
-      hash: "$2b$12$JFK.YCdbUWD2rS94fT4.m.KC/fIMzUMPMtjaD4t3t1iAfqki3ZPOq"
-      scopes: ["example_scope"]
-
-elastic:
-  enabled: true
-  mountCACert: true
-  caSecretName: "data-lake-es-http-certs-public"
+database:
+  tls:
+    enabled: true
+    certificatesSecret: "data-lake-es-http-certs-public"
+    certificatesMountPath: "/usr/local/share/ca-certificates/"

src/helm/development.yaml

@@ -3,9 +3,10 @@
 # -- Warren - app service --
 app:
   enabled: true
-  allowedHosts:
-    - "localhost"
-  djangoConfiguration: Development
+  django:
+    allowedHosts:
+      - "localhost"
+    configuration: "Development"
   image:
     pullPolicy: Always
   persistence:
@@ -14,7 +15,8 @@ app:
 # -- Warren - api service --
 api:
   enabled: true
-  allowedHosts:
+  fastapi:
+    allowedHosts: 
     - "http://localhost:8080"
   image:
     pullPolicy: Always
@@ -24,10 +26,13 @@ postgresql:
   enabled: true
   image:
     tag: 12.17.0-debian-11-r12
-
-global:
-  postgresql:
-    auth:
-      username: fun
-      password: pass
-      database: warren-api
+  auth:
+    username: fun
+    password: pass
+    database: warren-api
+  primary:
+    initdb:
+      scripts:
+        init.sql: |
+          CREATE DATABASE "warren-app";
+          GRANT ALL PRIVILEGES ON DATABASE "warren-app" TO fun;

src/helm/manifests/warren-api-secrets.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: warren-api-db
+type: Opaque
+stringData:
+  WARREN_API_DB_PASSWORD: pass
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: warren-api-lrs
+type: Opaque
+stringData:
+  WARREN_LRS_AUTH_BASIC_PASSWORD: password
+---

src/helm/manifests/warren-app-secrets.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: warren-app-db
+type: Opaque
+stringData:
+  WARREN_APP_DB_PASSWORD: pass
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: warren-app-secret-key
+type: Opaque
+stringData:
+  WARREN_APP_SECRET_KEY: change_me_please
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: warren-signing-key
+type: Opaque
+stringData:
+  WARREN_APP_SIGNING_KEY: change_me
+---

src/helm/manifests/warren-secrets.yaml

@@ -7,6 +7,6 @@ dependencies:
   version: 0.1.0
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.2.24
-digest: sha256:4b13561dfdca97064192f6861fd5f75f25cdf8b4161a2bb092fbede18f879c61
-generated: "2023-12-07T16:42:14.91623072+01:00"
+  version: 13.4.6
+digest: sha256:254a201e5c57f8ae32c527f319492b34167626947c642491343413df2bd61874
+generated: "2024-07-03T15:58:33.064365499+02:00"

src/helm/warren/Chart.lock

@@ -4,4 +4,4 @@ name: api
 description: Warren HTTP API
 type: application
 version: 0.1.0
-appVersion: "0.1.0"
+appVersion: "0.3.2"

src/helm/warren/charts/api/Chart.yaml

@@ -1,21 +1,28 @@
-1. Get the application URL by running these commands:
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+1. Access your Warren api installation:
 {{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  Connect to one of the following hosts:
+  {{ if .Values.ingress.tls }}
+    https://{{ .Values.ingress.host }}
+  {{- else }}
+    http://{{ .Values.ingress.host }}
   {{- end }}
-{{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "api.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
+  echo "Warren API URL: http://$NODE_IP:$NODE_PORT"
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "api.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "api.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "api.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "api.name" . }},api.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT

src/helm/warren/charts/api/templates/NOTES.txt

@@ -48,11 +48,76 @@ Selector labels
 {{- define "api.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "api.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: api
+app.kubernetes.io/part-of: warren
 {{- end }}
 
 {{/*
-Allowed hosts string (environment variable value)
+Environment variables
 */}}
-{{- define "api.allowedHosts" -}}
-{{- printf "%q" .Values.allowedHosts | replace " " "," | quote -}}
+{{- define "api.envs" -}}
+- name: "WARREN_API_SERVER_PORT"
+  value: "{{ .Values.service.port }}"
+- name: "WARREN_API_DB_NAME"
+  value: "{{ .Values.fastapi.db.name }}"
+- name: "WARREN_API_DB_USER"
+  value: "{{ .Values.fastapi.db.user }}"
+- name: "WARREN_API_DB_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: warren-api-db
+      key: WARREN_API_DB_PASSWORD
+- name: "WARREN_API_DB_ENGINE"
+  value: "{{ .Values.fastapi.db.engine }}"
+- name: "WARREN_API_DB_HOST"
+  value: "{{ .Values.fastapi.db.host }}"
+- name: "WARREN_API_DB_PORT"
+  value: "{{ .Values.fastapi.db.port }}"
+- name: "WARREN_ALLOWED_HOSTS"
+  value: {{ printf "%q" .Values.fastapi.allowedHosts | replace " " "," | quote }}
+- name: "WARREN_LRS_HOSTS"
+  value: "{{ .Values.fastapi.lrs.host }}"
+- name: "WARREN_LRS_AUTH_BASIC_USERNAME"
+  value: "{{ .Values.fastapi.lrs.username }}"
+- name: "WARREN_LRS_AUTH_BASIC_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: warren-api-lrs
+      key: WARREN_LRS_AUTH_BASIC_PASSWORD
+- name: "WARREN_XI_LMS_BASE_URL"
+  value: "{{ .Values.fastapi.xi.lmsBaseUrl }}"
+- name: "WARREN_XI_LMS_API_TOKEN"
+  valueFrom:
+    secretKeyRef:
+      name: warren-api-lms
+      key: WARREN_XI_LMS_API_TOKEN
+- name: "WARREN_XI_DEFAULT_LANG"
+  value: "{{ .Values.fastapi.xi.defaultLang }}"
+- name: "WARREN_APP_SIGNING_ALGORITHM"
+  value: "{{ .Values.fastapi.signingAlgorithm }}"
+- name: "WARREN_APP_SIGNING_KEY"
+  valueFrom:
+    secretKeyRef:
+      name: warren-signing-key
+      key: WARREN_APP_SIGNING_KEY
+{{- range $key, $val := .Values.env.secret }}
+- name: {{ $val.envName }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $val.secretName }}
+      key: {{ $val.keyName }}
+{{- end }}
+{{- end }}
+
+{{/*
+ImagePullSecrets
+*/}}
+{{- define "fastapi.imagePullSecrets" -}}
+{{- $pullSecrets := .Values.imagePullSecrets }}
+{{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+{{- range $pullSecrets }}
+- name: {{ . }}
+{{ end }}
+{{- end -}}
 {{- end }}