diff --git a/.gitignore b/.gitignore index 0255e5e..c910d3f 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,11 @@ example.com\+5.pem example.com\+6-key.pem example.com\+6.pem + +# Chart dependencies +**/charts/*.tgz +ca.crt + +ca.key + +local-ca.crt diff --git a/Chart.lock b/Chart.lock index 4bb6015..80079b9 100644 --- a/Chart.lock +++ b/Chart.lock @@ -1,6 +1,6 @@ dependencies: -- name: cert-manager - repository: https://charts.jetstack.io/ - version: v1.1.0 -digest: sha256:50d9686126f61b7d7b8a50112464b41ac426a483ae053b4820c9e5f953cf7b76 -generated: "2021-01-29T14:30:59.744116786-06:00" +- name: rabbitmq + repository: https://charts.bitnami.com/bitnami + version: 9.1.4 +digest: sha256:a92c6d671ae303d36df25c5c05705ee5193e1e22a6987e1476f4f815aa9887d7 +generated: "2022-05-24T22:45:09.592488539-06:00" diff --git a/Chart.yaml b/Chart.yaml index e1f8568..371afb3 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,10 +15,16 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.0.1" \ No newline at end of file +appVersion: "0.0.1" + +dependencies: + - name: rabbitmq + version: 9.1.4 + repository: https://charts.bitnami.com/bitnami + condition: useRabbitMq \ No newline at end of file diff --git a/README.md b/README.md index 7eaab4a..602e477 100644 --- a/README.md +++ b/README.md 
@@ -46,15 +46,41 @@ imagePullCredentials: ### TLS Ceritificates #### Using minikube (For local testing) Install Cert Manager -`helm repo add jetstack https://charts.jetstack.io` +``` +helm repo add jetstack https://charts.jetstack.io +helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true +``` -`helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true` Default domain on diffgram is: `example.com` so make sure you add that to your local hosts file: `echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts` -#### Using cert-manager +In order for TLS to work on your local machine, you will need to provide local certificate authorities. +Otherwise your web browser will detect the certificates as invalid. + +To do that you can generate a key and certificate like this: +``` +# Generate key +openssl genrsa -out ca.key 2048 +# Create CA certificate signing it with the previous key. +openssl req -x509 -new -nodes -key ca.key -sha256 -subj "/CN=sampleissuer.local" -days 1024 -out ca.crt -extensions v3_ca +``` +Now create the certificates as secrets on your minkube cluster: +```angular2html +kubectl create secret tls my-local-ca-key-pair --key=ca.key --cert=ca.crt +``` +Finally Modify your `values.yaml` so that helm chart can grab the secret using cert-manager +issuers. Set `tlsIssuer` to `issuer-local` and `localCaSecretName` to the name you have to the secret created above: + +```angular2html +tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod" +localCaSecretName: my-local-ca-key-pair + +``` + + +#### Using cert-manager & Public Domains 1. If you want to have TLS connections, please make sure you have a domain available and access to the name servers so you can modify the records to point to the IP addresses of the ingress. 
@@ -69,7 +95,7 @@ Default domain on diffgram is: `example.com` so make sure you add that to your l 3. Reinstall the helm chart -`helm upgrade diffgram -f diffgram/new_updated_values_from_above_step.yaml` +`helm upgrade -n diffgram-ns diffgram -f diffgram/new_updated_values_from_above_step.yaml` 4. After a few minutes you should be able to see the issuer and the certificate generated. You can confirm this by running: `kubectl describe issuer letsencrypt-prod` @@ -77,7 +103,7 @@ Default domain on diffgram is: `example.com` so make sure you add that to your l ## B. Installation `git clone https://github.com/diffgram/diffgram-helm/` -`helm install diffgram ./diffgram-helm --create-namespace` +`helm install -n diffgram-ns diffgram ./diffgram-helm --create-namespace` If you don't change anything on `values.yaml`. You will have the namespace `default` created on your cluster diff --git a/templates/default/configmap.yaml b/templates/default/configmap.yaml index 7c75807..f3da080 100644 --- a/templates/default/configmap.yaml +++ b/templates/default/configmap.yaml 
@@ -3,29 +3,4 @@ kind: ConfigMap metadata: name: diffgram-default-configmap data: - USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }} - DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }} - DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }} - DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }} - ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }} - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }} - ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }} - URL_BASE: {{ .Values.diffgramDomain }} - WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }} - SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }} - DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }} - ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }} - DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }} - DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }} - DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }} - DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }} - PYTHONPATH: "/app:/app/shared:/" - PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }} - PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }} - NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }} - EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }} - ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }} - EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION 
}} - ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }} - IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }} \ No newline at end of file +{{- template "diffgram.settings" . }} \ No newline at end of file diff --git a/templates/default/secrets.yaml b/templates/default/secrets.yaml index 271775a..f1322a8 100644 --- a/templates/default/secrets.yaml +++ b/templates/default/secrets.yaml 
@@ -4,23 +4,4 @@ metadata: name: diffgram-default-secrets type: Opaque stringData: - STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }} - DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }} - DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }} - _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }} - MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }} - HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }} - SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }} - INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }} - FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }} - {{ if eq .Values.dbSettings.dbProvider "local"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}" - {{ end }} - {{ if eq .Values.dbSettings.dbProvider "rds"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}" - {{ end }} - {{ if eq .Values.dbSettings.dbProvider "azure"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}" - {{ end }} - USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }} - DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }} \ No newline at end of file +{{- template "diffgram.secrets" . }} \ No newline at end of file diff --git a/templates/diffgram_settings.tpl b/templates/diffgram_settings.tpl new file mode 100644 index 0000000..a8287fc --- /dev/null +++ b/templates/diffgram_settings.tpl 
@@ -0,0 +1,35 @@ +{{- define "diffgram.settings" }} + USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }} + DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }} + DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }} + DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }} + ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }} + GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml + CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }} + ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }} + URL_BASE: {{ .Values.diffgramDomain }} + WALRUS_SERVICE_URL_BASE: https://{{ .Values.diffgramDomain }} + SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }} + DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }} + ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }} + DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }} + DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }} + DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }} + DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }} + PYTHONPATH: "/app:/app/shared:/" + PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }} + PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }} + NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }} + EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }} + ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }} + EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }} + ALLOW_STRIPE_BILLING: {{ 
.Values.diffgramSettings.ALLOW_STRIPE_BILLING }} + IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }} + DIFFGRAM_MINIO_ENDPOINT_URL: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ENDPOINT_URL}} + DIFFGRAM_MINIO_ACCESS_KEY_ID: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_ID}} + DIFFGRAM_MINIO_ACCESS_KEY_SECRET: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_SECRET}} + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: {{.Values.diffgramSettings.DIFFGRAM_MINIO_DISABLED_SSL_VERIFY}} + RABBITMQ_HOST: {{.Values.diffgramSettings.RABBITMQ_HOST}} + RABBITMQ_PORT: {{.Values.diffgramSettings.RABBITMQ_PORT}} + RABBITMQ_DEFAULT_USER: {{.Values.rabbitmq.auth.username}} +{{- end }} \ No newline at end of file diff --git a/templates/diffgrams_secrets.tpl b/templates/diffgrams_secrets.tpl new file mode 100644 index 0000000..16780b7 --- /dev/null +++ b/templates/diffgrams_secrets.tpl 
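Review bot: `DIFFGRAM_MINIO_ACCESS_KEY_ID` and `DIFFGRAM_MINIO_ACCESS_KEY_SECRET` are rendered by this define into ConfigMap `data`, and because every service ConfigMap now includes `diffgram.settings`, the MinIO credential is readable by anything with ConfigMap read access in the namespace; it belongs in `diffgram.secrets` next to the AWS keys. `WALRUS_SERVICE_URL_BASE: https://{{ .Values.diffgramDomain }}` also hard-codes the scheme, so a deployment with `useTls: false` (which templates/ingress.yaml still supports) points the default service at an https URL the ingress does not serve — `WALRUS_SERVICE_URL_BASE: {{ if .Values.useTls }}https{{ else }}http{{ end }}://{{ .Values.diffgramDomain }}` would follow the ingress setting. The bare `{{ .Values... }}` substitutions only produce valid ConfigMap values because values.yaml wraps booleans as `'"False"'`; a header comment such as `{{/* Every value here must render as a YAML string: ConfigMap data rejects bare booleans and numbers */}}` would save the next editor from dropping those quotes. Several MinIO/RabbitMQ lines use `{{.Values...}}` without the inner spaces the rest of the file uses.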
@@ -0,0 +1,23 @@ +{{- define "diffgram.secrets" }} + STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }} + DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }} + DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }} + _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }} + MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }} + HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }} + SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }} + INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }} + FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }} + {{ if eq .Values.dbSettings.dbProvider "local"}} + DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}" + {{ end }} + {{ if eq .Values.dbSettings.dbProvider "rds"}} + DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}" + {{ end }} + {{ if eq .Values.dbSettings.dbProvider "azure"}} + DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}" + {{ end }} + USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }} + DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }} + RABBITMQ_DEFAULT_PASS: {{ .Values.rabbitmq.auth.password }} +{{- end }} \ No newline at end of file diff --git a/templates/eventhandlers/configmap.yaml b/templates/eventhandlers/configmap.yaml new file mode 100644 index 0000000..3b8721f --- /dev/null +++ b/templates/eventhandlers/configmap.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: diffgram-eventhandlers-configmap +data: +{{- template "diffgram.settings" . }} \ No newline at end of file 
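Review bot: The three `DATABASE_URL` lines interpolate `.Values.dbSettings.dbPassword` straight into the connection URL, so a password containing `@`, `/`, `:`, `#` or `%` yields a malformed or mis-parsed URL; use `{{ .Values.dbSettings.dbPassword | urlquery }}` (and the same for `dbUser`) in all three branches. `RABBITMQ_DEFAULT_PASS: {{ .Values.rabbitmq.auth.password }}` is unquoted, so a generated password beginning with `*`, `&`, `{` or `[` breaks YAML parsing — render it as `RABBITMQ_DEFAULT_PASS: {{ .Values.rabbitmq.auth.password | quote }}`. This define is also consumed by the db-migrations hook secret, whose previous `DATABASE_URL` used `diffgram-postgres-hook` and the raw RDS/Azure endpoints; the hook now resolves `diffgram-postgres`, `postgres-rds-service` and `postgres-azure-service`, which only works because those Services are made pre-install hooks elsewhere in this commit, and that dependency deserves a comment here.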
diff --git a/templates/eventhandlers/deployment.yaml b/templates/eventhandlers/deployment.yaml new file mode 100644 index 0000000..c6bfd28 --- /dev/null +++ b/templates/eventhandlers/deployment.yaml 
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: diffgram-eventhandlers + name: diffgram-eventhandlers + namespace: {{ .Release.Namespace }} +spec: + replicas: {{ .Values.defaultService.numReplicas }} + selector: + matchLabels: + app: diffgram-eventhandlers + template: + metadata: + labels: + app: diffgram-eventhandlers + spec: + {{ if .Values.nodeGroupLabel }} + nodeSelector: + poolName: {{ .Values.nodeGroupLabel }} + {{ end }} + {{ if eq .Values.diffgramEdition "enterprise"}} + imagePullSecrets: + - name: diffgramsecret + {{ end }} + volumes: + {{ if eq .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER "gcp"}} + - name: service-account-credentials-volume + secret: + secretName: gcp-service-account-credentials + items: + - key: sa_json + path: sa_credentials.json + {{ end }} + initContainers: + - name: check-db-ready + image: postgres:11 + {{ if eq .Values.dbSettings.dbProvider "local"}} + command: ['sh', '-c', + 'until pg_isready -h diffgram-postgres -p 5432; + do echo waiting for database; sleep 2; done;'] + {{ end }} + {{ if eq .Values.dbSettings.dbProvider "rds"}} + command: ['sh', '-c', 'until pg_isready -h postgres-rds-service -p 5432; do echo waiting for database; sleep 2; done;'] + {{ end }} + {{ if eq .Values.dbSettings.dbProvider "azure"}} + command: ['sh', '-c', 'until pg_isready -h postgres-azure-service -p 5432; do echo waiting for database; sleep 2; done;'] + {{ end }} + containers: + {{ if eq .Values.diffgramEdition "enterprise"}} + - image: gcr.io/diffgram-enterprise/eventhandlers:{{ .Values.diffgramVersion }} + {{ end }} + {{ if eq .Values.diffgramEdition "opencore"}} + - image: gcr.io/diffgram-open-core/eventhandlers:{{ .Values.diffgramVersion }} + {{ end }} + imagePullPolicy: Always + name: diffgram-default + ports: + - containerPort: 8080 + {{ if eq .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER "gcp"}} + volumeMounts: + - name: service-account-credentials-volume + mountPath: /etc/gcp + 
readOnly: true + {{ end }} + envFrom: + - configMapRef: + name: diffgram-eventhandlers-configmap + - secretRef: + name: diffgram-eventhandlers-secrets + resources: + requests: + cpu: {{ .Values.eventHandlersService.requests.cpu }} + memory: {{ .Values.eventHandlersService.requests.memory }} + limits: + cpu: {{ .Values.eventHandlersService.limits.cpu }} + memory: {{ .Values.eventHandlersService.limits.memory }} \ No newline at end of file diff --git a/templates/eventhandlers/secrets.yaml b/templates/eventhandlers/secrets.yaml new file mode 100644 index 0000000..62060c0 --- /dev/null +++ b/templates/eventhandlers/secrets.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: diffgram-eventhandlers-secrets +type: Opaque +stringData: +{{- template "diffgram.secrets" . }} \ No newline at end of file diff --git a/templates/eventhandlers/service.yaml b/templates/eventhandlers/service.yaml new file mode 100644 index 0000000..f441802 --- /dev/null +++ b/templates/eventhandlers/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: diffgram-eventhandlers + name: diffgram-eventhandlers + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: diffgram-eventhandlers + type: ClusterIP \ No newline at end of file diff --git a/templates/hooks/configmap_db_migrations.yaml b/templates/hooks/configmap_db_migrations.yaml index 43279c6..acdeb72 100644 --- a/templates/hooks/configmap_db_migrations.yaml +++ b/templates/hooks/configmap_db_migrations.yaml 
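Review bot: The container in the new eventhandlers Deployment is named `diffgram-default` (`name: diffgram-default` under `containers:`), which looks like a copy-paste from the default service; name it `diffgram-eventhandlers` so logs, `kubectl exec` and monitoring can tell the two apart. `replicas: {{ .Values.defaultService.numReplicas }}` likewise reads the default service's replica count while `resources` read `eventHandlersService.*`; presumably the replica count should come from `eventHandlersService` too. The init container pulls the floating tag `postgres:11` and neither container sets a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`), which is cheap to add while the manifest is new. If the event handlers do not actually serve HTTP, `ports: - containerPort: 8080` and the accompanying Service can be dropped.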
@@ -7,29 +7,4 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded name: db-migrations-configmap data: - USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }} - DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }} - DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }} - DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }} - ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }} - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }} - ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }} - URL_BASE: {{ .Values.diffgramDomain }} - WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }} - SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }} - DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }} - ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }} - DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }} - DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }} - DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }} - DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }} - PYTHONPATH: /app - PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }} - PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }} - NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }} - EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }} - ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }} - EMAIL_VALIDATION: {{ 
.Values.diffgramSettings.EMAIL_VALIDATION }} - ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }} - IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }} \ No newline at end of file + {{- template "diffgram.settings" . }} \ No newline at end of file diff --git a/templates/hooks/secrets_db_migrations.yaml b/templates/hooks/secrets_db_migrations.yaml index d1f8c1b..ba08793 100644 --- a/templates/hooks/secrets_db_migrations.yaml +++ b/templates/hooks/secrets_db_migrations.yaml 
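Review bot: The include is written as `  {{- template "diffgram.settings" . }}` (indented) here while templates/default, templates/walrus and templates/eventhandlers write it at column 0; the `{{-` trims the indent so the output is identical, but the inconsistent form invites a later edit that drops the dash and breaks the YAML. Switching to the shared define also silently changes the migration job's environment: `PYTHONPATH` goes from `/app` to `/app:/app/shared:/`, and `WALRUS_SERVICE_URL_BASE` is now built from `diffgramDomain` instead of `diffgramSettings.WALRUS_SERVICE_URL_BASE`; the same `PYTHONPATH` change applies to templates/walrus/configmap.yaml. If those changes are intended, a comment above the include, e.g. `# shared settings — note PYTHONPATH now includes /app/shared`, would save the next reader from hunting for them.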
@@ -9,23 +9,4 @@ metadata: name: db-migrations-secret type: Opaque stringData: - STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }} - DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }} - DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }} - _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }} - MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }} - HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }} - SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }} - FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }} - INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }} - {{ if eq .Values.dbSettings.dbProvider "local"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres-hook/{{ .Values.dbSettings.dbName }}" - {{ end }} - {{ if eq .Values.dbSettings.dbProvider "rds"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@{{ .Values.dbSettings.rdsEndpoint }}/{{ .Values.dbSettings.dbName }}" - {{ end }} - {{ if eq .Values.dbSettings.dbProvider "azure"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@{{ .Values.dbSettings.azureSqlEndpoint }}/{{ .Values.dbSettings.dbName }}" - {{ end }} - USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }} - DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }} +{{- template "diffgram.secrets" . }} \ No newline at end of file diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 8ad2d24..08c9aac 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml 
@@ -7,11 +7,10 @@ metadata: kubernetes.io/ingress.class: "nginx" ingressclass.kubernetes.io/is-default-class: "true" nginx.ingress.kubernetes.io/use-regex: "true" - {{ if eq .Values.useTls false}} nginx.ingress.kubernetes.io/enable-cors: "true" + {{ if eq .Values.useTls false}} nginx.ingress.kubernetes.io/hsts: "false" hsts: "false" - nginx.ingress.kubernetes.io/ssl-redirect: "false" nginx.ingress.kubernetes.io/configuration-snippet: | add_header Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE, OPTIONS"; add_header Access-Control-Allow-Credentials true; 
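Review bot: `nginx.ingress.kubernetes.io/enable-cors: "true"` now applies in both TLS modes with no origin restriction, and the `configuration-snippet` additionally emits `Access-Control-Allow-Credentials true`; if the API is only meant to be called from the frontend on `diffgramDomain`, add `nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .Values.diffgramDomain }}"` so the permissive default is not relied on. Dropping `nginx.ingress.kubernetes.io/ssl-redirect: "false"` from the `useTls false` block is harmless only while no `tls:` section is rendered in that mode; a one-line comment stating that assumption would prevent a later regression. The annotations mapping continues past the end of this hunk.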
@@ -24,50 +23,55 @@ metadata: } {{ end }} {{ if eq .Values.useTls true}} - nginx.ingress.kubernetes.io/enable-cors: "true" + cert-manager.io/issuer: {{ .Values.tlsIssuer }} nginx.ingress.kubernetes.io/configuration-snippet: | proxy_pass_header directory_id; {{ end }} - nginx.org/proxy-pass-headers: directory_id - {{ if eq .Values.useTls true}} - cert-manager.io/issuer: "letsencrypt-prod" - {{ end }} watch-namespace: {{ .Release.Namespace }} -# nginx.ingress.kubernetes.io/force-ssl-redirect: "false" # Limit uploads to 8TB nginx.ingress.kubernetes.io/proxy-body-size: 800000m spec: {{ if eq .Values.useTls true}} tls: - - secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }} - hosts: + - hosts: - {{ .Values.diffgramDomain }} - www.{{ .Values.diffgramDomain }} + secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }} {{ end }} rules: - - host: {{ .Values.diffgramDomain }} - http: - paths: - - path: /api/walrus(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: diffgram-walrus - port: - number: 8080 - - path: /api(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: diffgram-default - port: - number: 8080 - - path: /(.*) - pathType: ImplementationSpecific - backend: - service: - name: frontend - port: - number: 8080 \ No newline at end of file + - host: rabbitmq.{{ .Values.diffgramDomain}} + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: diffgram-rabbitmq + port: + number: 15672 + - host: {{ .Values.diffgramDomain }} + http: + paths: + - path: /api/walrus(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: diffgram-walrus + port: + number: 8080 + - path: /api(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: diffgram-default + port: + number: 8080 + - path: /(.*) + pathType: ImplementationSpecific + backend: + service: + name: frontend + port: + number: 8080 \ No newline at end of file 
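Review bot: The new `- host: rabbitmq.{{ .Values.diffgramDomain}}` rule publishes the RabbitMQ management UI (`diffgram-rabbitmq` port `15672`) on a public hostname unconditionally, while values.yaml ships `auth.username`/`auth.password` of `diffgram`/`diffgram`; and because `tls.hosts` lists only `diffgramDomain` and `www.`, that host has no matching certificate even when `useTls: true`, so the login form is served without TLS. Gate the rule with `{{ if .Values.useRabbitMq }} … {{ end }}` and add `rabbitmq.{{ .Values.diffgramDomain }}` to `tls.hosts`, or drop the rule and reach the UI through `kubectl port-forward`. Minor: `{{ .Values.diffgramDomain}}` is missing the space before `}}` that every other substitution in the file has.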
diff --git a/templates/ingress_configmap.yaml b/templates/ingress_configmap.yaml deleted file mode 100644 index 3c00a06..0000000 --- a/templates/ingress_configmap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -data: - {{ if eq .Values.useTls false}} - hsts: "false" - ssl-redirect: "false" - {{ end }} - enable-underscores-in-headers: "true" - ignore-invalid-headers: "false" - use-gzip: "true" # ENABLE GZIP COMPRESSION - gzip-types: "*" # SPECIFY MIME TYPES TO COMPRESS ("*" FOR ALL) -metadata: - name: ingress-nginx-controller - namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/templates/postgres/azure_postgres_service.yaml b/templates/postgres/azure_postgres_service.yaml index 396bb53..aacabee 100644 --- a/templates/postgres/azure_postgres_service.yaml +++ b/templates/postgres/azure_postgres_service.yaml @@ -5,6 +5,11 @@ metadata: labels: app: postgres-azure-service name: postgres-azure-service + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-2" spec: externalName: {{ .Values.dbSettings.azureSqlEndpoint }} selector: diff --git a/templates/postgres/deployment.yaml b/templates/postgres/deployment.yaml index 7f13be6..10a64f6 100644 --- a/templates/postgres/deployment.yaml +++ b/templates/postgres/deployment.yaml @@ -13,7 +13,6 @@ metadata: # job is considered part of the release. "helm.sh/hook": pre-install "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: replicas: 1 selector: diff --git a/templates/postgres/rds_postgres_service.yaml b/templates/postgres/rds_postgres_service.yaml index 88fd4e4..323e925 100644 --- a/templates/postgres/rds_postgres_service.yaml +++ b/templates/postgres/rds_postgres_service.yaml 
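Review bot: The comment added above `"helm.sh/hook": pre-install` in azure_postgres_service.yaml (and identically in rds_postgres_service.yaml and postgres/service.yaml in the following hunks) says "the job is considered part of the release", but this resource is a Service and the actual consequence is the opposite — hook resources are not tracked by the release, so `helm uninstall` leaves these Services behind, and `pre-install` hooks are not re-rendered on `helm upgrade`. Reword to `# pre-install hook (weight -2) so the DB Service exists before the db-migrations hook; hook resources are not managed by the release` and consider `pre-install,pre-upgrade` if the `externalName` must follow values changes. Removing `"helm.sh/hook-delete-policy"` from postgres/deployment.yaml in the same commit means the Postgres hook Deployment now persists after install; that looks intended but deserves a line in the commit message.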
@@ -5,6 +5,11 @@ metadata: labels: app: postgres-rds-service name: postgres-rds-service + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-2" spec: externalName: {{ .Values.dbSettings.rdsEndpoint }} selector: diff --git a/templates/postgres/service.yaml b/templates/postgres/service.yaml index 49c6cc8..87af75d 100644 --- a/templates/postgres/service.yaml +++ b/templates/postgres/service.yaml @@ -4,6 +4,11 @@ kind: Service metadata: name: diffgram-postgres namespace: {{ .Release.Namespace }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-2" spec: ports: - port: 5432 diff --git a/templates/tls/issuer_local.yaml b/templates/tls/issuer_local.yaml new file mode 100644 index 0000000..0db7dbf --- /dev/null +++ b/templates/tls/issuer_local.yaml @@ -0,0 +1,9 @@ +{{ if eq .Values.tlsIssuer "issuer-local" }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: issuer-local +spec: + ca: + secretName: {{ .Values.localCaSecretName }} +{{ end }} \ No newline at end of file diff --git a/templates/tls/issuer_prod.yaml b/templates/tls/issuer_prod.yaml index 7a77510..b9cdd85 100644 --- a/templates/tls/issuer_prod.yaml +++ b/templates/tls/issuer_prod.yaml @@ -8,7 +8,7 @@ spec: # The ACME server URL server: https://acme-v02.api.letsencrypt.org/directory # Email address used for ACME registration - email: pablo.estrada@diffgram.com + email: {{ .Values.issuerEmail }} # Name of a secret used to store the ACME account private key privateKeySecretRef: name: letsencrypt-prod diff --git a/templates/tls/issuer_staging.yaml b/templates/tls/issuer_staging.yaml index 86b34f6..510d825 100644 --- a/templates/tls/issuer_staging.yaml +++ b/templates/tls/issuer_staging.yaml 
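Review bot: `{{ if eq .Values.tlsIssuer "issuer-local" }}` in issuer_local.yaml renders a namespace-scoped Issuer, so `secretName: {{ .Values.localCaSecretName }}` is looked up in the release namespace; the README in this commit creates the secret with `kubectl create secret tls` without `-n` while installing with `-n diffgram-ns`, so the Issuer will not find it. A comment above `secretName`, e.g. `# the CA key pair secret must exist in the release namespace before install`, would catch that mismatch. The secret holds the CA private key, so it should be the only place it lives in the cluster — worth saying in the same comment.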
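Review bot: `email: {{ .Values.issuerEmail }}` in issuer_prod.yaml (and issuer_staging.yaml in the next hunk) defaults to a personal address in values.yaml, so every installation that does not override it registers an ACME account whose expiry and policy mail goes to the chart author. Render it as `email: {{ required "issuerEmail must be set" .Values.issuerEmail }}` and ship an empty default so the install fails fast instead.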
@@ -8,7 +8,7 @@ spec: # The ACME server URL server: https://acme-staging-v02.api.letsencrypt.org/directory # Email address used for ACME registration - email: pablo.estrada@diffgram.com + email: {{ .Values.issuerEmail }} # Name of a secret used to store the ACME account private key privateKeySecretRef: name: letsencrypt-staging diff --git a/templates/walrus/configmap.yaml b/templates/walrus/configmap.yaml index 792b7e7..3d24155 100644 --- a/templates/walrus/configmap.yaml +++ b/templates/walrus/configmap.yaml 
@@ -3,33 +3,4 @@ kind: ConfigMap metadata: name: diffgram-walrus-configmap data: - USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }} - DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }} - DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }} - DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }} - ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }} - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }} - ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }} - PYTHONPATH: /app - URL_BASE: {{ .Values.diffgramDomain }} - WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }} - SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }} - DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }} - ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }} - DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }} - DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }} - DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }} - DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }} - PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }} - PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }} - NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }} - EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }} - ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }} - EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }} - 
ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }} - IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }} - DIFFGRAM_MINIO_ENDPOINT_URL: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ENDPOINT_URL}} - DIFFGRAM_MINIO_ACCESS_KEY_ID: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_ID}} - DIFFGRAM_MINIO_ACCESS_KEY_SECRET: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_SECRET}} - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: {{.Values.diffgramSettings.DIFFGRAM_MINIO_DISABLED_SSL_VERIFY}} \ No newline at end of file +{{- template "diffgram.settings" . }} \ No newline at end of file diff --git a/templates/walrus/secrets.yaml b/templates/walrus/secrets.yaml index 7094e60..f2595cc 100644 --- a/templates/walrus/secrets.yaml +++ b/templates/walrus/secrets.yaml 
@@ -4,23 +4,4 @@ metadata: name: diffgram-walrus-secrets type: Opaque stringData: - STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }} - DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }} - DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }} - _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }} - MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }} - HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }} - FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }} - SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }} - INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }} - {{ if eq .Values.dbSettings.dbProvider "local"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}" - {{ end }} - {{ if eq .Values.dbSettings.dbProvider "rds"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}" - {{ end }} - {{ if eq .Values.dbSettings.dbProvider "azure"}} - DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}" - {{ end }} - USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }} - DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }} \ No newline at end of file +{{- template "diffgram.secrets" . }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 6d4d971..6910083 100644 --- a/values.yaml +++ b/values.yaml 
@@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # The Diffgram Version. Whenever a new update arrives, this will be changed. -diffgramVersion: 0.14.1 +diffgramVersion: 1.0.0 # Either 'opencore' or 'enterprise'. Please note that selecting 'enterprise' # requires that you also set imagePullCredentials.gcrCredentials. @@ -16,8 +16,12 @@ diffgramDomain: example.com # Set this to true if you want to use cert manager for TLS certificates generation. useCertManager: true + # Use it to activate TLS on the nginx ingress useTls: true +tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod" +localCaSecretName: my-local-ca-key-pair +issuerEmail: pablo.estrada@diffgram.com dbSettings: # Specify How the DB Service should be created @@ -38,14 +42,14 @@ dbSettings: # All the Secrets Used in Diffgram. diffgramSecrets: STRIPE_API_KEY: none - DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key - DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret + DIFFGRAM_AWS_ACCESS_KEY_ID: none + DIFFGRAM_AWS_ACCESS_KEY_SECRET: none _ANALYTICS_WRITE_KEY: provided_by_diffgram_team MAILGUN_KEY: provided_by_diffgram_team HUB_SPOT_KEY: provided_by_diffgram_team SECRET_KEY: provided_by_diffgram_team FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= # Please change this for production usage - INTER_SERVICE_SECRET: provided_by_diffgram_team + INTER_SERVICE_SECRET: interservicesecret_please_replace_with_secure_value # Use diffgram-postgres, postgres-rds-service depending on which DB service you set on dbSettings USER_PASSWORDS_SECRET: provided_by_diffgram_team # The service account JSON for GCP Static Storage Encoded in Base64. 
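Review bot: `issuerEmail: pablo.estrada@diffgram.com` ships a developer's personal mailbox as the default ACME contact, so an install that does not override it presumably registers with Let's Encrypt under that address and routes expiry and policy notices there. Prefer `issuerEmail: ""` and have the issuer template fail with `required` when `tlsIssuer` is `letsencrypt-staging` or `letsencrypt-prod`. Likewise `tlsIssuer: issuer-local` as the default means a deployment that only sets `useTls: true` gets certificates from the self-signed CA in `localCaSecretName`; a comment such as `# issuer-local is for local/minikube testing only; use letsencrypt-prod for public domains` would make that explicit.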
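Review bot: `INTER_SERVICE_SECRET: interservicesecret_please_replace_with_secure_value` is a working placeholder: if the secrets helper emits it as the removed template did, an operator who misses the instruction runs every service with a published, identical inter-service credential. The previous default `provided_by_diffgram_team` had the same weakness, but the new value reads as if it were intentional. Leave it empty, `INTER_SERVICE_SECRET: ""`, and let the helper fail with `required "diffgramSecrets.INTER_SERVICE_SECRET must be set"`, or generate one with `randAlphaNum 32` guarded by a `lookup` so upgrades keep it. The `FERNET_KEY` context line above commits a concrete key with only a comment asking to change it, and deserves the same treatment.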
@@ -56,12 +60,11 @@ diffgramSecrets: diffgramSettings: USERDOMAIN: kubernetes - WALRUS_SERVICE_URL_BASE: example.com DIFFGRAM_SYSTEM_MODE: production DIFFGRAM_STATIC_STORAGE_PROVIDER: aws - DIFFGRAM_S3_BUCKET_NAME: none - DIFFGRAM_AZURE_CONTAINER_NAME: none - ML__DIFFGRAM_AZURE_CONTAINER_NAME: none + DIFFGRAM_S3_BUCKET_NAME: diffgram-testing + DIFFGRAM_AZURE_CONTAINER_NAME: diffgram-testing + ML__DIFFGRAM_AZURE_CONTAINER_NAME: diffgram-testing ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing CLOUD_STORAGE_BUCKET: diffgram-testing ML__CLOUD_STORAGE_BUCKET: diffgram-testing @@ -85,15 +88,38 @@ diffgramSettings: EMAIL_VALIDATION: '"False"' ALLOW_STRIPE_BILLING: '"False"' IS_OPEN_SOURCE: '"True"' + Iwe can add S_OPEN_SOURCE: '"True"' DIFFGRAM_MINIO_ENDPOINT_URL: none DIFFGRAM_MINIO_ACCESS_KEY_ID: none DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: '"False"' + RABBITMQ_PORT: "'5672'" + RABBITMQ_HOST: "diffgram-rabbitmq" imagePullCredentials: # The service account with permissions to pull from the GCR Repository. [Should be Provided by Diffgram Team.] gcrCredentials: provided_by_diffgram_team + +####### Dependencies +# Read: https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq for further configs +useRabbitMq: true +rabbitmq: + auth: + username: "diffgram" + password: "diffgram" + tls: + enabled: true + autoGenerated: true + resources: + requests: + cpu: "1.0" + memory: "1G" + limits: + cpu: "1.0" + memory: "1G" +####### End Dependencies + nodeGroupLabel: null # The service for API calls. 
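Review bot: `DIFFGRAM_S3_BUCKET_NAME`, `DIFFGRAM_AZURE_CONTAINER_NAME` and `ML__DIFFGRAM_AZURE_CONTAINER_NAME` now default to `diffgram-testing` instead of `none`, so a default install with `DIFFGRAM_STATIC_STORAGE_PROVIDER: aws` targets a fixed, globally scoped bucket name the operator does not necessarily own. With `none` the misconfiguration surfaced immediately; with a real-looking name it may surface only as access-denied or, if such a bucket were public, as data written somewhere unintended. Keep these as placeholders or make them `required` in the settings helper, and add `# Set to a bucket/container you own; this default only works in Diffgram's own test environment`.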
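Review bot: `Iwe can add S_OPEN_SOURCE: '"True"'` is a stray edit — the words "we can add" appear to have been typed into a duplicated `IS_OPEN_SOURCE` line — and it introduces a key `Iwe can add S_OPEN_SOURCE` under `diffgramSettings` that the settings helper will presumably emit into the ConfigMap; delete the line. The new `rabbitmq.auth` block also ships `username: "diffgram"` / `password: "diffgram"` as default broker credentials, so every install that does not override them shares a published password. Prefer an empty `password` plus the Bitnami chart's existing-secret option (per the README linked in the comment), or at minimum the same `# Please change this for production usage` note the file already uses for `FERNET_KEY`. `tls.enabled: true` with `autoGenerated: true` protects the wire, not the credential.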
@@ -106,6 +132,17 @@ defaultService: limits: cpu: "2.0" memory: "2G" + +# The service for Event Handlers. +# This are minimal defaults. Please feel free to change them as you start having more usage +eventHandlersService: + numReplicas: 1 + requests: + cpu: "1.0" + memory: "1G" + limits: + cpu: "1.0" + memory: "1G" # The service for the UI frontend. # This are minimal defaults. Please feel free to change them as you start having more usage frontendService:
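Review bot: The comment `# This are minimal defaults. Please feel free to change them as you start having more usage` on the new `eventHandlersService` block repeats a grammatical slip copied from the neighbouring service blocks; write `# These are minimal defaults; raise them as usage grows.` Requests and limits are set equal on every line, and if that is deliberate a short note, `# requests == limits on purpose; raise both together`, would stop a later edit from silently dropping one side.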