Merge pull request #141 from neicnordic/Update-DB-chart

Update db chart
neicnordic · Nov 1, 2022 · d8c1731 · d8c1731
2 parents 0373b87 + a2c28f3
commit d8c1731
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 24 deletions.
diff --git a/charts/sda-db/Chart.yaml b/charts/sda-db/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-db
-version: "0.4.1"
+version: "0.4.2"
 description: Database component for Sensitive Data Archive (SDA) installation
 home: https://neic-sda.readthedocs.io
 icon: https://neic.no/assets/images/logo.png

diff --git a/charts/sda-db/README.md b/charts/sda-db/README.md
@@ -13,7 +13,7 @@ Parameter | Description | Default
 `global.tls.enabled` | Enable TLS for all connections. |`true`
 `global.tls.issuer` | Issuer for TLS certificate creation. |`""`
 `global.tls.clusterIssuer` | ClusterIssuer for TLS certificate creation. |`""`
-`global.tls.secretName` | Name of the secret holding the certificates. |``
+`global.tls.secretName` | Name of the secret holding the certificates. |`""`
 `global.tls.certName` | Server certificate. |`tls.crt`
 `global.tls.keyName` | Server private key. |`tls.key`
 `global.tls.CAFile` | CA root certificate. |`ca.crt`
@@ -25,7 +25,7 @@ Parameter | Description | Default
 `networkPolicy.create` | Use network isolation. | `false`
 `networkPolicy.matchLabels` | App labels that are allowed to connect to the database. | `app: sda-svc`
 `persistence.enabled` | Enable persistence. | `true`
-`persistence.mountPath` | Mountpoint for persistent volume. | `/var/lib/postgresql`
+`persistence.mountPath` | Custom mountpoint for persistent volume. | `"/var/lib/postgresql/data/"`
 `persistence.storageSize` | Volume size. | `8Gi`
 `persistence.storageClass` | Use specific storage class, by default dynamic provisioning enabled. | `null`
 `persistence.existingClaim` | Use existing claim. | `null`

diff --git a/charts/sda-db/templates/_helpers.tpl b/charts/sda-db/templates/_helpers.tpl
@@ -39,32 +39,38 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{- define "pgCert" -}}
-    {{- if .Values.externalPkiService.tlsPath }}
-        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.certName) "/")}}
-    {{- else if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+    {{- if .Values.externalPkiService.tlsPath -}}
+        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/tls.crt" .Values.externalPkiService.tlsPath) "/") -}}
+    {{- else if and .Values.externalPkiService.tlsPath .Values.global.tls.certName -}}
+        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.certName) "/") -}}
+    {{- else if and .Values.global.tls.secretName .Values.global.tls.certName -}}
+        {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls certificate is required" .Values.global.tls.certName) -}}
+    {{- else -}}
         {{- printf "%s/tls/tls.crt" .Values.persistence.mountPath -}}
-    {{- else }}
-        {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls certificate is required" .Values.global.tls.certName) }}
     {{- end -}}
 {{- end -}}
 
 {{- define "pgKey" -}}
-    {{- if .Values.externalPkiService.tlsPath }}
-        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.keyName) "/")}}
-    {{- else if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+    {{- if .Values.externalPkiService.tlsPath -}}
+        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/tls.key" .Values.externalPkiService.tlsPath) "/") -}}
+    {{- else if and .Values.externalPkiService.tlsPath .Values.global.tls.keyName -}}
+        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.keyName) "/") -}}
+    {{- else if and .Values.global.tls.secretname .Values.global.tls.keyName -}}
+        {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls key is required" .Values.global.tls.keyName) -}}
+    {{- else -}}
         {{- printf "%s/tls/tls.key" .Values.persistence.mountPath -}}
-    {{- else }}
-        {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls key is required" .Values.global.tls.keyName) }}
     {{- end -}}
 {{- end -}}
 
 {{- define "caCert" -}}
-    {{- if .Values.externalPkiService.tlsPath }}
-        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.CAFile) "/")}}
-    {{- else if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+    {{- if .Values.externalPkiService.tlsPath -}}
+        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/ca.crt" .Values.externalPkiService.tlsPath "/")) -}}
+    {{- else if and .Values.externalPkiService.tlsPath .Values.global.tls.CAFile -}}
+        {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.CAFile) "/") -}}
+    {{- else if and .Values.global.tls.secretname .Values.global.tls.CAFile -}}
+        {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of ca file is required" .Values.global.tls.CAFile)  -}}
+    {{- else -}}
         {{- printf "%s/tls/ca.crt" .Values.persistence.mountPath -}}
-    {{- else }}
-        {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of ca file is required" .Values.global.tls.CAFile) }}
     {{- end -}}
 {{- end -}}
 
@@ -99,3 +105,11 @@ Create chart name and version as used by the chart label.
         {{- end -}}
     {{- end -}}
 {{- end -}}
+
+{{- define "pgData" -}}
+    {{- if .Values.persistence.mountPath }}
+        {{ printf "%s/pgdata" .Values.persistence.mountPath }}
+    {{- else }}
+            {{- "/var/lib/postgresql/data/pgdata/" }}
+    {{- end -}}
+{{- end -}}
diff --git a/charts/sda-db/templates/certificate.yaml b/charts/sda-db/templates/certificate.yaml
@@ -6,8 +6,8 @@ metadata:
 spec:
   # Secret names are always required.
   secretName: {{ template "sda.fullname" . }}-certs
-
-  duration: 2160h # 90d
+  # postgres can not hot reload a new certificate, hence the 1y timelimit
+  duration: 8760h
 
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.

diff --git a/charts/sda-db/templates/statefulset.yaml b/charts/sda-db/templates/statefulset.yaml
@@ -46,8 +46,8 @@ spec:
           - -cx
           - |
             {{- if and  .Values.persistence.volumePermissions .Values.persistence.enabled }}
-            mkdir -p /psql/data
-            chmod 700 /psql/data
+            mkdir -p /psql/pgdata
+            chmod 700 /psql/pgdata
             find /psql -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs chown -R 70:70
             {{- end }}
             {{- if and .Values.global.tls.enabled (not .Values.externalPkiService.tlsPath) }}
@@ -109,6 +109,8 @@ spec:
         - name: NOTLS
           value: "true"
       {{- end }}
+        - name: PGDATA
+          value: {{ template "pgData" }}
         ports:
         - containerPort: 5432
           name: postgres

diff --git a/charts/sda-db/values.yaml b/charts/sda-db/values.yaml
@@ -26,7 +26,7 @@ extraSecurityContext: {}
 
 image:
   repository: ghcr.io/neicnordic/sda-db
-  tag: v1.4.0
+  tag: v1.4.14
   pullPolicy: IfNotPresent
 
 # utilize network isolation
@@ -48,7 +48,7 @@ networkPolicy:
 ##   set, choosing the default provisioner.
 persistence: 
   enabled: true
-  mountPath: /var/lib/postgresql
+  mountPath: "/var/lib/postgresql/data/"
   storageSize: 8Gi
   storageClass:
   existingClaim: