Merge branch 'main' into add-shutdown-grace-time

Author: PJEstrada

.gitignore

@@ -7,3 +7,21 @@ values_production*
 
 
 values_staging.yaml
+
+.vs
+example.com\+5-key.pem
+
+example.com\+5.pem
+
+example.com\+6-key.pem
+
+example.com\+6.pem
+
+# Chart dependencies
+**/charts/*.tgz
+ca.crt
+
+ca.key
+
+local-ca.crt
+/values_local.yaml

.helmignore

@@ -0,0 +1,29 @@
+
+.idea/*
+values_testing.yaml
+values_testing_*
+values_production*
+
+
+values_staging.yaml
+
+.vs
+example.com\+5-key.pem
+
+example.com\+5.pem
+
+example.com\+6-key.pem
+
+example.com\+6.pem
+
+# Chart dependencies
+ca.crt
+
+*.txt
+.git
+README.md
+
+ca.key
+
+local-ca.crt
+/values_local.yaml

Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
-- name: cert-manager
-  repository: https://charts.jetstack.io/
-  version: v1.1.0
-digest: sha256:50d9686126f61b7d7b8a50112464b41ac426a483ae053b4820c9e5f953cf7b76
-generated: "2021-01-29T14:30:59.744116786-06:00"
+- name: rabbitmq
+  repository: https://charts.bitnami.com/bitnami
+  version: 9.1.4
+digest: sha256:a92c6d671ae303d36df25c5c05705ee5193e1e22a6987e1476f4f815aa9887d7
+generated: "2022-05-24T22:45:09.592488539-06:00"

Chart.yaml

@@ -15,10 +15,16 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.1"
+appVersion: "0.0.1"
+
+dependencies:
+  - name: rabbitmq
+    version: 9.1.4
+    repository: https://charts.bitnami.com/bitnami
+    condition: useRabbitMq

README.md

@@ -1,34 +1,69 @@
 # diffgram-helm
 Helm Chart for DIffgram
 
-# Pre-requisites
-### Opencore or Enterprise
 
-Make sure you set the value of  `diffgramEdition` in the `values.yaml` to either `opencore`
-or `enterprise`.
+Full Tutorial on Azure: https://medium.com/diffgram/tutorial-installing-diffgram-on-azure-aks-b9447685e271
 
-If you set the `diffgramEdition` to `enterprise` you will have to provide the GCR credentials 
-Key (Provided by the Diffgram Team). And set the value on `imagePullCredentials.gcrCredentials` value inside the `values.yaml` file.
-### Setting Up the Docker Registry Key (Enterprise Only):
+# How to Install: 
 
-To install the helm chart with the Enterprise Edition of Diffgram you will need to receive a GCR key with the permissions from
-the Diffgram team to fetch our images.
+## A. Pre-requisites
 
-Please Contact us if you want  to get one here:  https://diffgram.com/contact
+### Ingress Controller
+If you are using minikube make sure you've done:
 
-Once you have your GCR Key please set it in the `values.yaml` file, specifically inside the
-key `imagePullCredentials.gcrCredentials`.
+`minikube addons enable ingress`
 
+To have the ingress enabled, otherwise you won't be able to acess your diffgram services from outside the cluster.
 
+If you are not on minikube, you can use the Nginx K8s Ingress Controller. Check how to install on your cloud provider here: https://kubernetes.github.io/ingress-nginx/deploy/
+
+### TLS Ceritificates
+#### Using minikube (For local testing) 
+Install Cert Manager
+
+https://artifacthub.io/packages/helm/microfunctions/cert-manager
 ```
-imagePullCredentials:
-  # The service account with permissions to pull from the GCR Repository. [Should be Provided by Diffgram Team.]
-  gcrCredentials: <YOUR KEY GOES HERE>
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml
+helm repo add jetstack https://charts.jetstack.io
+helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true
 ```
 
 
+Default domain on diffgram is: `example.com` so make sure you add that to your local hosts file:
 
-### TLS Ceritificates
+`echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts`
+
+In order for TLS to work on your local machine, you will need to provide local certificate authorities.
+Otherwise your web browser will detect the certificates as invalid.
+
+To do that you can generate a key and certificate like this:
+```
+# Generate key
+openssl genrsa -out ca.key 2048
+# Create CA certificate signing it with the previous key.
+openssl req -x509 -new -nodes -key ca.key -sha256 -subj "/CN=sampleissuer.local" -days 1024 -out ca.crt -extensions v3_ca
+```
+Now create the certificates as secrets on your minkube cluster:
+```angular2html
+kubectl create secret tls my-local-ca-key-pair --key=ca.key --cert=ca.crt
+```
+Finally Modify your `values.yaml` so that helm chart can grab the secret using cert-manager
+issuers. Set `tlsIssuer` to `issuer-local` and `localCaSecretName` to the name you have to the secret created above:
+
+```angular2html
+tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod"
+localCaSecretName: my-local-ca-key-pair
+
+```
+
+
+#### Using cert-manager & Public Domains           
+
+##### Caution
+This guide assumes you will be using a regular domain name like `diffgram.com`. If you are using an auto generated domain name it may require different configuration.
+SSL is up to you/your IT team. For debugging the config tools like [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html) may be useful.
+
+##### Guide
 1. If you want to have TLS connections, please make sure you have a domain available and access to the name servers so you can modify the records to point to the IP addresses of the ingress.
 
 `helm repo add jetstack https://charts.jetstack.io`
@@ -38,23 +73,38 @@ imagePullCredentials:
 2. Now edit the values.yaml of Diffgram’s helm chart and change the following keys:
  - **diffgramDomain:** set it to the domain you own.
  - **useCertManager:** set this to true. This will allow the certificate issue to be created so you can automatically get a TLS certificate for your domain with let’s encrypt.
-
+ - **tlsIssuer** set this to `letsencrypt-prod` so that TLS is validated by Let's Encrypt.
 3. Reinstall the helm chart
 
 
-`helm upgrade diffgram -f diffgram/new_updated_values_from_above_step.yaml`
+`helm upgrade -n diffgram-ns diffgram -f diffgram/new_updated_values_from_above_step.yaml`
 
 4. After a few minutes you should be able to see the issuer and the certificate generated. You can confirm this by running:
 `kubectl describe issuer letsencrypt-prod`
 
-# Installation
-`helm install diffgram ./diffgram`
+## B. Installation
+`git clone https://github.com/diffgram/diffgram-helm/`
+
+` cd diffgram-helm && helm dependency build`
+
+`helm install -n diffgram-ns diffgram . --create-namespace`
+
+If you don't change anything on `values.yaml`. You will have the namespace `default` created on your cluster
+
+Note: if on Minikube: run `echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts`
+
+To point minikube to domain example.com (or whatever domain you have set in the `diffgramDomain` inside `values.yaml`
+
+### Values to Change in `values.yaml`
+Check section D. to see required values.
 
-You can substitute `./diffgram` with whatever the path to this repo is on your local machine. Also feel free to install on any other namespace.
+
+
+You can substitute `./diffgram-helm` with whatever the path to this repo is on your local machine. Also feel free to install on any other namespace.
 
 Future versions will provide a repo to download the chart without cloning from github.
 
-# Main Structure
+## C. Main Structure
 When deploying this chart there are 5 main components to be aware of:
 
 **1. default-service:** This is the service in charge for most of the API calls and data management. Both for the SDK and for the Frontend UI.
@@ -68,7 +118,7 @@ When deploying this chart there are 5 main components to be aware of:
 **5. ingress:** A Nginx ingress controller for accessing all the services. This is the entry point and router to all the above services.
 
 
-# Configurations:
+## D. Configurations:
 The following are some of the most important configurations of the values.yaml in the helm chart. Please feel free to contact us if you have any questions on any of the configurations.
 ## 4.1 Database Settings
 **1. dbSettings.dbProvider:** Set this to “rds”, "azure", or "local" depending on your DB managed service.
@@ -84,6 +134,7 @@ The following are some of the most important configurations of the values.yaml i
 **6. dbSettings.dbPassword:** Set this to RDS instance’s password
 
 ## 4.2 Diffgram Configuration Settings
+**1. diffgramSecrets.DIFFGRAM_STATIC_STORAGE_PROVIDER:** Set this to “aws”, "azure", or "gcp" depending on your DB managed service. Default is `aws`
 **1. diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID:** Set this to your AWS credentials access key. Make sure the account has permissions to the S3 bucket you’ll use as static storage.
 
 **2. diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET:** Set this to your AWS credentials secret. Make sure the account has permissions to the S3 bucket you’ll use as static storage.
@@ -92,5 +143,18 @@ The following are some of the most important configurations of the values.yaml i
 
 **4. diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME:** Set this to your S3’s bucket name for static file storage.
 
+## E. Common Issues:
+
+### 1. My Helm Chart gets stuck during install and the timesout with 
+
+Try doing `kubectl get pods` and find a pod named `diffgram-pre-install-{SOME-ID}`.
+
+Now do `kubectl logs diffgram-pre-install-{SOME-ID} -c pre-upgrade-alembic-hook`
+
+This will show the logs of the POD to further debug the issue. Most common causes for this error are:
+
+- Missing Blob Storage Provider Credentials (Either AWS Access Keys, GCP Service Account or Azure Conn String)
 
+### 2. `directory_id` header is not present on my SDK requests.
+Your ingress might not have the `allow-underscores-in-headers` config. Please enable it by looking at this config: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-underscores-in-headers
 

templates/default/configmap.yaml

@@ -3,23 +3,4 @@ kind: ConfigMap
 metadata:
   name: diffgram-default-configmap
 data:
-  USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
-  DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
-  DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
-  DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
-  ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
-  GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
-  CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
-  ML__CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
-  URL_BASE: {{ .Values.diffgramDomain }}
-  WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }}
-  SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
-  DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }}
-  ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }}
-  DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }}
-  DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }}
-  DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }}
-  DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }}
-  PYTHONPATH: "/app:/app/shared:/"
-  PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }}
-  PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }}
+{{- template "diffgram.settings" . }}

templates/default/deployment.yaml

@@ -19,10 +19,6 @@ spec:
       nodeSelector:
         poolName: {{ .Values.nodeGroupLabel }}
       {{ end }}
-      {{ if eq .Values.diffgramEdition "enterprise"}}
-      imagePullSecrets:
-      - name: diffgramsecret
-      {{ end }}
       volumes:
       {{ if eq .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER "gcp"}}
       - name: service-account-credentials-volume
@@ -47,12 +43,7 @@ spec:
         command: ['sh', '-c', 'until pg_isready -h postgres-azure-service -p 5432; do echo waiting for database; sleep 2; done;']
         {{ end }}
       containers:
-      {{ if eq .Values.diffgramEdition "enterprise"}}
-      - image: gcr.io/diffgram-enterprise/default:{{ .Values.diffgramVersion }}
-      {{ end }}
-      {{ if eq .Values.diffgramEdition "opencore"}}
-      - image: gcr.io/diffgram-open-core/default:{{ .Values.diffgramVersion }}
-      {{ end }}
+      - image: diffgram/default:{{ .Values.diffgramVersion }}
         imagePullPolicy: Always
         name: diffgram-default
         ports:

templates/default/secrets.yaml

@@ -4,22 +4,4 @@ metadata:
   name: diffgram-default-secrets
 type: Opaque
 stringData:
-  STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }}
-  DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }}
-  _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }}
-  MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }}
-  HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }}
-  SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }}
-  INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }}
-  FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }}
-  {{ if eq .Values.dbSettings.dbProvider "local"}}
-  DATABASE_URL:  "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}"
-  {{ end }}
-  {{ if eq .Values.dbSettings.dbProvider "rds"}}
-  DATABASE_URL:  "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}"
-  {{ end }}
-  {{ if eq .Values.dbSettings.dbProvider "azure"}}
-  DATABASE_URL:  "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}"
-  {{ end }}
-  USER_PASSWORDS_SECRET:  {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }}
-  DIFFGRAM_AZURE_CONNECTION_STRING:  {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }}
+{{- template "diffgram.secrets" . }}

templates/diffgram_settings.tpl

@@ -0,0 +1,60 @@
+{{- define "diffgram.settings" }}
+  USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
+  DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
+  DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
+  DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
+  IS_DIFFGRAM_S3_V4_SIGNATURE: {{ .Values.diffgramSettings.IS_DIFFGRAM_S3_V4_SIGNATURE }}
+  SIGNED_URL_CACHE_MINIMUM_SECONDS_VALID: {{ .Values.diffgramSettings.SIGNED_URL_CACHE_MINIMUM_SECONDS_VALID }}
+  SIGNED_URL_CACHE_NEW_OFFSET_SECONDS_VALID: {{ .Values.diffgramSettings.SIGNED_URL_CACHE_NEW_OFFSET_SECONDS_VALID }}
+  DIFFGRAM_S3_BUCKET_REGION: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_REGION }}
+  ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
+  GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
+  CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
+  ML__CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
+  {{ if eq .Values.useTls true}}
+  URL_BASE: https://{{ .Values.diffgramDomain }}
+  {{ end }}
+  {{ if eq .Values.useTls false}}
+  URL_BASE: http://{{ .Values.diffgramDomain }}
+  {{ end }}
+  WALRUS_SERVICE_URL_BASE: https://{{ .Values.diffgramDomain }}
+  SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
+  DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }}
+  ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }}
+  DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }}
+  DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }}
+  DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }}
+  DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }}
+  PYTHONPATH: "/app:/app/shared:/"
+  PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }}
+  PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }}
+  NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }}
+  EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }}
+  ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }}
+  EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }}
+  ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }}
+  IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }}
+  DIFFGRAM_MINIO_ENDPOINT_URL: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ENDPOINT_URL}}
+  DIFFGRAM_MINIO_ACCESS_KEY_ID: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_ID}}
+  DIFFGRAM_MINIO_ACCESS_KEY_SECRET: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_SECRET}}
+  DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: {{.Values.diffgramSettings.DIFFGRAM_MINIO_DISABLED_SSL_VERIFY}}
+  RABBITMQ_HOST: {{.Values.diffgramSettings.RABBITMQ_HOST}}
+  RABBITMQ_PORT: {{.Values.diffgramSettings.RABBITMQ_PORT}}
+  RABBITMQ_USE_SSL: {{.Values.diffgramSettings.RABBITMQ_USE_SSL}}
+  RABBITMQ_DEFAULT_USER: {{.Values.rabbitmq.auth.username}}
+  USE_OAUTH2: {{.Values.diffgramSettings.USE_OAUTH2}}
+  OAUTH2_PROVIDER_NAME: {{.Values.diffgramSettings.OAUTH2_PROVIDER_NAME}}
+  OAUTH2_PROVIDER_HOST: {{.Values.diffgramSettings.OAUTH2_PROVIDER_HOST}}
+  OAUTH2_PROVIDER_CLIENT_ID: {{.Values.diffgramSettings.OAUTH2_PROVIDER_CLIENT_ID}}
+  OAUTH2_PROVIDER_PUBLIC_KEY: {{.Values.diffgramSettings.OAUTH2_PROVIDER_PUBLIC_KEY}}
+  DISABLE_SELF_REGISTRATION: {{.Values.diffgramSettings.DISABLE_SELF_REGISTRATION}}
+  COGNITO_LOGIN_URL: {{.Values.diffgramSettings.COGNITO_LOGIN_URL}}
+  KEY_CLOAK_MASTER_USER: {{.Values.diffgramSettings.KEY_CLOAK_MASTER_USER}}
+  KEY_CLOAK_DIFFGRAM_USER: {{.Values.diffgramSettings.KEY_CLOAK_DIFFGRAM_USER}}
+  KEYCLOAK_REALM: {{.Values.diffgramSettings.KEYCLOAK_REALM}}
+  KEYCLOAK_REALM: {{.Values.diffgramSettings.KEYCLOAK_REALM}}
+  SMTP_HOST: {{.Values.diffgramSettings.SMTP_HOST}}
+  SMTP_PORT: {{.Values.diffgramSettings.SMTP_PORT}}
+  SMTP_USERNAME: {{.Values.diffgramSettings.SMTP_USERNAME}}
+  SMTP_FROM_EMAIL: {{.Values.diffgramSettings.SMTP_FROM_EMAIL}}
+{{- end }}