From cd444d913236c48a9455673865ee73987dd651cb Mon Sep 17 00:00:00 2001 
From: Jannik Badenhop Date: Fri, 22 Nov 2024 15:11:07 +0100 Subject: [PATCH] Dbp 000 Hotfixes 3 (#82) * rename scripts consistently * change operation to "replace" (from "add") when restoring moodle probes, so that there is only one probe * change var release_name to more appropriate deployment_name * rename value update_migration.enabled to moodleUpdatePreparationJob.enabled, since that value already exists * rename scripts consistently * split up value for image into repository, image and tag where possible * change values for postregs and mariadb password & admin password (each) to be the same value now called database_password and database_root_password. (still refered to as mariadb-password in secret key). Also added a note in the secret specifying why that is * add helper for cronjob name * change etherpad_api_key helper to default to random alpha numeric string instead of moodle * add value dbpMoodle.backup.s3_certificate_path & dbpMoodle.backup.s3_certificate_key to be able to include a certificate for s3 endpoints with self signed certificates for backup/restore jobs * add value dbpMoodle.backup.s3_certificate_path & dbpMoodle.backup.s3_certificate_key to be able to include a certificate for s3 endpoints with self signed certificates for backup/restore jobs * bump version so 0.0.13 * update values and insert cert for restore --- charts/dbp-moodle/Chart.yaml | 2 +- charts/dbp-moodle/README.md | 19 ++++++------ charts/dbp-moodle/scripts/backup.sh | 25 +++++++++------ .../{moodleCronjobScript.sh => cronjob.sh} | 0 .../{moodleRestoreScript.sh => restore.sh} | 19 +++++++----- ...e-preparation.sh => update-preparation.sh} | 16 +++++++--- charts/dbp-moodle/templates/_helpers.tpl | 19 +++++++----- .../chart-hooks/moodle-restore-job.yaml | 12 ++++++- .../moodle-update-preparation-job.yaml | 8 ++--- .../configmaps/moodle-cronjob-configmap.yaml | 2 +- .../moodle-restore-script-configmap.yaml | 2 +- ...dle-update-preparation-hook-configmap.yaml | 2 +- 
.../templates/secrets/moodle-secret.yaml | 8 ++--- charts/dbp-moodle/values.yaml | 31 ++++++++++++------- 14 files changed, 102 insertions(+), 63 deletions(-) rename charts/dbp-moodle/scripts/{moodleCronjobScript.sh => cronjob.sh} (100%) rename charts/dbp-moodle/scripts/{moodleRestoreScript.sh => restore.sh} (77%) rename charts/dbp-moodle/scripts/{hook/moodle-update-preparation.sh => update-preparation.sh} (65%) diff --git a/charts/dbp-moodle/Chart.yaml b/charts/dbp-moodle/Chart.yaml index 9f7dc34..220668f 100644 --- a/charts/dbp-moodle/Chart.yaml +++ b/charts/dbp-moodle/Chart.yaml @@ -6,7 +6,7 @@ description: | The Chart can be deployed without any modification but it is advised to set own secrets acccording to this readme. type: application home: https://dbildungsplattform.github.io/dbp-moodle/ -version: 0.0.12 +version: 0.0.13 appVersion: "4.1.14" dependencies: - name: moodle diff --git a/charts/dbp-moodle/README.md b/charts/dbp-moodle/README.md index 67fa9a4..54a0490 100644 --- a/charts/dbp-moodle/README.md +++ b/charts/dbp-moodle/README.md @@ -1,6 +1,6 @@ # dbp-moodle -![Version: 0.0.12](https://img.shields.io/badge/Version-0.0.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.1.14](https://img.shields.io/badge/AppVersion-4.1.14-informational?style=flat-square) +![Version: 0.0.13](https://img.shields.io/badge/Version-0.0.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.1.14](https://img.shields.io/badge/AppVersion-4.1.14-informational?style=flat-square) This is a Helm Chart bundling some of the bitnami resources to deploy Moodle for DBildungsplattform. Extending them with features such as MariaDB and PostgreSQL support, Horizontal Autoscaling capabilities, Redis Session Store, Etherpad-Lite. 
@@ -72,7 +72,7 @@ The Chart can be deployed without any modification but it is advised to set own | backup-cronjob.extraVolumes[2].projected.sources[0].configMap.name | string | `"moodle-backup-duply"` | | | backup-cronjob.extraVolumes[2].projected.sources[1].secret.name | string | `"moodle-backup-gpg-keys"` | | | backup-cronjob.image.repository | string | `"ghcr.io/dbildungsplattform/moodle-tools"` | | -| backup-cronjob.image.tag | string | `"1.0.7"` | | +| backup-cronjob.image.tag | string | `"1.0.8"` | | | backup-cronjob.jobs[0].args[0] | string | `"/scripts/backup-script"` | | | backup-cronjob.jobs[0].command[0] | string | `"/bin/sh"` | | | backup-cronjob.jobs[0].command[1] | string | `"-c"` | | 
@@ -96,10 +96,12 @@ The Chart can be deployed without any modification but it is advised to set own | backup-cronjob.serviceAccount.name | string | `"moodle-backup-job"` | | | backup-cronjob.tolerations | list | `[]` | | | dbpMoodle.allowInternalNetworkingOnly | bool | `false` | disallows all egress from release namespace for the moodle deployment | -| dbpMoodle.backup | object | `{"cluster_name":"","enabled":false,"endpoint":"","gpg_key_names":"","gpgkeys":{"existingSecret":"","gpgkey.dbpinfra.pub.asc":"","gpgkey.dbpinfra.sec.asc":""},"max_full_backup_age":"1W","retention_time":"6M","rules":[{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","patch","list","watch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["get","patch"]}],"s3_bucket_name":"","secrets":{"existingSecret":"","s3_access_key":"","s3_access_secret":"","s3_endpoint_url":""}}` | Backup configuration. Set enabled=true to enable the backup-cronjob. Also set s3 location credentials | +| dbpMoodle.backup | object | `{"cluster_name":"","enabled":false,"endpoint":"","gpg_key_names":"","gpgkeys":{"existingSecret":"","gpgkey.dbpinfra.pub.asc":"","gpgkey.dbpinfra.sec.asc":""},"max_full_backup_age":"1W","retention_time":"6M","rules":[{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","patch","list","watch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["get","patch"]}],"s3_bucket_name":"","s3_certificate_secret":{"enabled":false,"key":"certificate.crt","mountpath":"/certs","name":"s3-certificate"},"secrets":{"existingSecret":"","s3_access_key":"","s3_access_secret":"","s3_endpoint_url":""}}` | Backup configuration. Set enabled=true to enable the backup-cronjob. Also set s3 location credentials | | dbpMoodle.backup.gpgkeys.existingSecret | string | `""` | Existing secret for gpg keys | | dbpMoodle.backup.max_full_backup_age | string | `"1W"` | Defines the maximum age of a full backup before a new full backup is created. 
The backups in between are incremental | | dbpMoodle.backup.retention_time | string | `"6M"` | Defines the maximum age of a backup before it is deleted | +| dbpMoodle.backup.s3_certificate_secret | object | `{"enabled":false,"key":"certificate.crt","mountpath":"/certs","name":"s3-certificate"}` | Secret key of a certificate for duply to connect to s3 endpoint using SSL, useful to trust self-signed certificates -- certificate has to mounted "manually" under values backup-cronjob | +| dbpMoodle.backup.s3_certificate_secret.key | string | `"certificate.crt"` | Path where the certificate is mounted | | dbpMoodle.backup.secrets | object | `{"existingSecret":"","s3_access_key":"","s3_access_secret":"","s3_endpoint_url":""}` | Either provide an existing secret, or set each secret value here. If both are set the existingSecret is used | | dbpMoodle.backup.secrets.existingSecret | string | `""` | Existing secret for s3 endpoint | | dbpMoodle.external_pvc.accessModes[0] | string | `"ReadWriteMany"` | | 
@@ -125,8 +127,8 @@ The Chart can be deployed without any modification but it is advised to set own | dbpMoodle.moodleUpdatePreparationHook.rules[1].verbs[2] | string | `"create"` | | | dbpMoodle.moodleUpdatePreparationHook.rules[1].verbs[3] | string | `"patch"` | | | dbpMoodle.moodleUpdatePreparationHook.rules[1].verbs[4] | string | `"watch"` | | -| dbpMoodle.moodleUpdatePreparationJob | object | `{"affinity":{},"kubectlImage":"bitnami/kubectl:1.30.4-debian-12-r3","resources":{},"tolerations":[]}` | A preperation job which disables the php-cronjob, scales down the deployment and creates a backup if dbpMoodle.backup.enabled=true | -| dbpMoodle.moodleUpdatePreparationJob.kubectlImage | string | `"bitnami/kubectl:1.30.4-debian-12-r3"` | Which kubectl image to use | +| dbpMoodle.moodleUpdatePreparationJob | object | `{"affinity":{},"enabled":false,"image":"moodle-tools","repository":"ghcr.io/dbildungsplattform","resources":{},"tag":"1.0.8","tolerations":[]}` | A preperation job which disables the php-cronjob, scales down the deployment and creates a backup if dbpMoodle.backup.enabled=true | +| dbpMoodle.moodleUpdatePreparationJob.repository | string | `"ghcr.io/dbildungsplattform"` | Which kubectl image to use | | dbpMoodle.moodlecronjob | object | `{"rules":[{"apiGroups":[""],"resources":["pods","pods/exec"],"verbs":["get","list","create","watch"]}],"wait_timeout":"15m"}` | Configuration for the moodle-cronjob which runs moodles cron.php. This is required since moodle does not run as root | | dbpMoodle.name | string | `"infra"` | | | dbpMoodle.phpConfig.additional | string | `""` | Any additional text to be included into the config.php | 
@@ -134,10 +136,9 @@ The Chart can be deployed without any modification but it is advised to set own | dbpMoodle.phpConfig.existingConfig | string | `""` | Provide an existing secret containing the config.php instead of generating it from chart -- Remember to adjust moodle.extraVolumes & moodle.extraVolumeMounts when setting this. -- Secret key is by default expected to be config.php | | dbpMoodle.phpConfig.extendedLogging | bool | `false` | Extended php logging | | dbpMoodle.redis | object | `{"host":"moodle-redis-master","password":"","port":6379}` | Configurations for the optional redis | -| dbpMoodle.restore | object | `{"affinity":{},"enabled":false,"existingSecretDatabaseConfig":"moodle-database","existingSecretDatabasePassword":"moodle","existingSecretGPG":"","existingSecretKeyDatabasePassword":"","existingSecretKeyS3Access":"","existingSecretKeyS3Secret":"","existingSecretS3":"","image":"ghcr.io/dbildungsplattform/moodle-tools:1.0.7","resources":{"limits":{"cpu":"2000m","memory":"16Gi"},"requests":{"cpu":"1000m","memory":"8Gi"}},"rules":[{"apiGroups":["apps"],"resources":["deployments/scale","deployments"],"verbs":["get","list","scale","patch"]}],"tolerations":[]}` | This restores moodle to the latest snapshot. Requires an existing s3 backup. 
ONLY USE FOR ROLLBACK | -| dbpMoodle.secrets | object | `{"etherpad_api_key":"","etherpad_postgresql_password":"","mariadb_password":"","mariadb_root_password":"","moodle_password":"","pgsql_admin_password":"","useChartSecret":true}` | Creates a secret with all relevant credentials for moodle -- Set useChartSecret: false to provide your own secret -- If you create your own secret, also set moodle.existingSecret (and moodle.externalDatabase.existingSecret if you bring your own DB) | +| dbpMoodle.restore | object | `{"affinity":{},"enabled":false,"existingSecretDatabaseConfig":"moodle-database","existingSecretDatabasePassword":"moodle","existingSecretGPG":"","existingSecretKeyDatabasePassword":"","existingSecretKeyS3Access":"","existingSecretKeyS3Secret":"","existingSecretS3":"","image":"moodle-tools","repository":"ghcr.io/dbildungsplattform","resources":{"limits":{"cpu":"2000m","memory":"16Gi"},"requests":{"cpu":"1000m","memory":"8Gi"}},"rules":[{"apiGroups":["apps"],"resources":["deployments/scale","deployments"],"verbs":["get","list","scale","patch"]}],"tag":"1.0.8","tolerations":[]}` | This restores moodle to the latest snapshot. Requires an existing s3 backup. 
ONLY USE FOR ROLLBACK | +| dbpMoodle.secrets | object | `{"database_password":"","database_root_password":"","etherpad_api_key":"","etherpad_postgresql_password":"","moodle_password":"","useChartSecret":true}` | Creates a secret with all relevant credentials for moodle -- Set useChartSecret: false to provide your own secret -- If you create your own secret, also set moodle.existingSecret (and moodle.externalDatabase.existingSecret if you bring your own DB) | | dbpMoodle.stage | string | `"infra"` | | -| dbpMoodle.update_migration | object | `{"enabled":false}` | The dbp update process to migrate moodle data when moodle versions are increased | | etherpad-postgresql.auth.database | string | `"etherpad"` | | | etherpad-postgresql.auth.enablePostgresUser | bool | `false` | | | etherpad-postgresql.auth.existingSecret | string | `"moodle"` | | @@ -281,7 +282,7 @@ The Chart can be deployed without any modification but it is advised to set own | moodlecronjob.affinity | object | `{}` | | | moodlecronjob.clusterRole.create | bool | `false` | | | moodlecronjob.image.repository | string | `"ghcr.io/dbildungsplattform/moodle-tools"` | | -| moodlecronjob.image.tag | string | `"1.0.7"` | | +| moodlecronjob.image.tag | string | `"1.0.8"` | | | moodlecronjob.jobs[0].args[0] | string | `"/scripts/cronjob-script"` | | | moodlecronjob.jobs[0].backoffLimit | int | `1` | | | moodlecronjob.jobs[0].command[0] | string | `"/bin/bash"` | | diff --git a/charts/dbp-moodle/scripts/backup.sh b/charts/dbp-moodle/scripts/backup.sh index df5614e..28af88c 100644 --- a/charts/dbp-moodle/scripts/backup.sh +++ b/charts/dbp-moodle/scripts/backup.sh 
@@ -54,18 +54,18 @@ function clean_up() { # Careful, format the string with tabs only! restore_probe_patch=$(cat <<-EOF [{ - "op": "add", + "op": "replace", "path": "/spec/template/spec/containers/0/readinessProbe", "value": $(cat ${readiness_bckp}) }, { - "op": "add", + "op": "replace", "path": "/spec/template/spec/containers/0/livenessProbe", "value": $(cat ${liveness_bckp}) }] EOF ) - kubectl patch "deployment/${release_name}" -n "{{ .Release.Namespace }}" --type=json -p="$restore_probe_patch" + kubectl patch "deployment/${deployment_name}" -n "{{ .Release.Namespace }}" --type=json -p="$restore_probe_patch" else echo "Unable to turn on liveness and readiness probes. Either the readiness_bckp or the liveness_bckp does not exist or is empty." fi @@ -91,10 +91,15 @@ trap "clean_up" EXIT # Create liveness probe file touch "${health_file}" +{{ if and .Values.dbpMoodle.backup.s3_certificate_secret.enabled }} +printf "Appendending custom certificate (%s/%s) to /etc/ssl/certs/ca-certificates.crt\n" "{{ .Values.dbpMoodle.backup.s3_certificate_secret.mountpath }}" "{{ .Values.dbpMoodle.backup.s3_certificate_secret.key }}" +cat "{{ .Values.dbpMoodle.backup.s3_certificate_secret.mountpath }}/{{ .Values.dbpMoodle.backup.s3_certificate_secret.key }}" >> /etc/ssl/certs/ca-certificates.crt +{{ end }} + # Deployment has "-moodle" appended if the Release.Name does not contain "moodle" -release_name="{{ .Release.Name }}" -if [[ $release_name != "moodle" && $release_name != *"moodle"* ]]; then - release_name="${release_name}-moodle" +deployment_name="{{ .Release.Name }}" +if [[ $deployment_name != "moodle" && $deployment_name != *"moodle"* ]]; then + deployment_name="${deployment_name}-moodle" fi # Create destination dir if not exists 
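Review bot: Appending the mounted file to `/etc/ssl/certs/ca-certificates.crt` makes every TLS client in the backup container trust that certificate, not only the connection to the S3 endpoint, and the block never checks that the file exists or is non-empty before the append. A guard before the `cat`, such as `[ -s "$cert_file" ] || { printf 'S3 certificate %s missing or empty\n' "$cert_file" >&2; exit 1; }`, would fail fast with a clear message. The append also needs write access to the bundle inside the container, which the README should state. The single-argument `and` in the `if` is redundant, and the log message misspells "Appending" as "Appendending".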
@@ -109,11 +114,11 @@ if ! [ -a /mountData/moodledata/CliUpdate ]; then kubectl patch cronjobs "{{ .Release.Name }}-moodlecronjob-{{ include "moodlecronjob.job_name" . }}" -n "{{ .Release.Namespace }}" -p '{"spec" : {"suspend" : true }}' echo "=== Turn off liveness and readiness probe ===" - kubectl get "deployment/${release_name}" -n "{{ .Release.Namespace }}" -o jsonpath="{.spec.template.spec.containers[0].readinessProbe}" > ${readiness_bckp} - kubectl get "deployment/${release_name}" -n "{{ .Release.Namespace }}" -o jsonpath="{.spec.template.spec.containers[0].livenessProbe}" > ${liveness_bckp} - kubectl patch "deployment/${release_name}" -n "{{ .Release.Namespace }}" --type=json -p="$dummy_probe_patch" + kubectl get "deployment/${deployment_name}" -n "{{ .Release.Namespace }}" -o jsonpath="{.spec.template.spec.containers[0].readinessProbe}" > ${readiness_bckp} + kubectl get "deployment/${deployment_name}" -n "{{ .Release.Namespace }}" -o jsonpath="{.spec.template.spec.containers[0].livenessProbe}" > ${liveness_bckp} + kubectl patch "deployment/${deployment_name}" -n "{{ .Release.Namespace }}" --type=json -p="$dummy_probe_patch" - kubectl rollout status "deployment/${release_name}" -n "{{ .Release.Namespace }}" + kubectl rollout status "deployment/${deployment_name}" -n "{{ .Release.Namespace }}" # Wait for running jobs to finish to avoid errors echo "=== Waiting for jobs to finish ===" diff --git a/charts/dbp-moodle/scripts/moodleCronjobScript.sh b/charts/dbp-moodle/scripts/cronjob.sh similarity index 100% rename from charts/dbp-moodle/scripts/moodleCronjobScript.sh rename to charts/dbp-moodle/scripts/cronjob.sh diff --git a/charts/dbp-moodle/scripts/moodleRestoreScript.sh b/charts/dbp-moodle/scripts/restore.sh similarity index 77% rename from charts/dbp-moodle/scripts/moodleRestoreScript.sh rename to charts/dbp-moodle/scripts/restore.sh index 2c71c69..179a543 100644 --- a/charts/dbp-moodle/scripts/moodleRestoreScript.sh 
+++ b/charts/dbp-moodle/scripts/restore.sh @@ -20,20 +20,25 @@ health_file="/tmp/healthy" # Create liveness probe file touch "${health_file}" +{{ if and .Values.dbpMoodle.backup.s3_certificate_secret.mountpath .Values.dbpMoodle.backup.s3_certificate_secret.key }} +printf "Appendending custom certificate (%s/%s) to /etc/ssl/certs/ca-certificates.crt\n" "{{ .Values.dbpMoodle.backup.s3_certificate_secret.mountpath }}" "{{ .Values.dbpMoodle.backup.s3_certificate_secret.key }}" +cat "{{ .Values.dbpMoodle.backup.s3_certificate_secret.mountpath }}/{{ .Values.dbpMoodle.backup.s3_certificate_secret.key }}" >> /etc/ssl/certs/ca-certificates.crt +{{ end }} + # Deployment has "-moodle" appended if the Release.Name does not contain "moodle" -release_name="{{ .Release.Name }}" -if [[ "$release_name" != "moodle" && "$release_name" != *"moodle"* ]]; then - release_name="${release_name}-moodle" +deployment_name="{{ .Release.Name }}" +if [[ "$deployment_name" != "moodle" && "$deployment_name" != *"moodle"* ]]; then + deployment_name="${deployment_name}-moodle" fi # Get current replicas and scale down deployment -replicas=$(kubectl get "deployment/${release_name}" -n {{ .Release.Namespace }} -o=jsonpath='{.status.replicas}') +replicas=$(kubectl get "deployment/${deployment_name}" -n {{ .Release.Namespace }} -o=jsonpath='{.status.replicas}') echo "=== Current replicas detected: $replicas ===" if [ -z "$replicas" ] || [ "$replicas" -eq 0 ]; then replicas=1 fi echo "=== Scale moodle deployment to 0 replicas for restore operation ===" -kubectl scale "deployment/${release_name}" --replicas=0 -n {{ .Release.Namespace }} +kubectl scale "deployment/${deployment_name}" --replicas=0 -n {{ .Release.Namespace }} echo "=== After restore operation is completed will scale back to: $replicas replicas ===" # Restore 
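Review bot: The certificate block in restore.sh is gated on `and ...s3_certificate_secret.mountpath ...s3_certificate_secret.key`, which is always true with the defaults `/certs` and `certificate.crt`, whereas backup.sh and the volumeMount in moodle-restore-job.yaml gate on `s3_certificate_secret.enabled`. With `enabled: false` the script would still `cat` a path that is not mounted. The `volumes:` entry in moodle-restore-job.yaml uses the same condition and would still reference the Secret `s3-certificate`, which can keep the restore pod from starting when that Secret does not exist. Both places should use `{{ if .Values.dbpMoodle.backup.s3_certificate_secret.enabled }}`.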
@@ -96,7 +101,7 @@ PGPASSWORD="$DATABASE_PASSWORD" psql -h "$DATABASE_HOST" -p "$DATABASE_PORT" -U echo "=== Finished DB restore ===" echo "=== Scaling deployment replicas to $replicas ===" -kubectl scale "deployment/${release_name}" --replicas=$replicas -n {{ .Release.Namespace }} +kubectl scale "deployment/${deployment_name}" --replicas=$replicas -n {{ .Release.Namespace }} sleep 2 -scaledTo=$(kubectl get "deployment/${release_name}" -n {{ .Release.Namespace }} -o=jsonpath='{.status.replicas}') +scaledTo=$(kubectl get "deployment/${deployment_name}" -n {{ .Release.Namespace }} -o=jsonpath='{.status.replicas}') echo "=== Deployment scaled to: $scaledTo ===" \ No newline at end of file diff --git a/charts/dbp-moodle/scripts/hook/moodle-update-preparation.sh b/charts/dbp-moodle/scripts/update-preparation.sh similarity index 65% rename from charts/dbp-moodle/scripts/hook/moodle-update-preparation.sh rename to charts/dbp-moodle/scripts/update-preparation.sh index 60be4db..cd65bab 100644 --- a/charts/dbp-moodle/scripts/hook/moodle-update-preparation.sh +++ b/charts/dbp-moodle/scripts/update-preparation.sh @@ -6,8 +6,14 @@ set -o pipefail health_file="/tmp/healthy" +# Deployment has "-moodle" appended if the Release.Name does not contain "moodle" +deployment_name="{{ .Release.Name }}" +if [[ "$deployment_name" != "moodle" && "$deployment_name" != *"moodle"* ]]; then + deployment_name="${deployment_name}-moodle" +fi + get_current_deployment_image() { - kubectl get "deploy/{{ .Release.Name }}" -n "{{ .Release.Namespace }}" -o jsonpath='{..image}' |\ + kubectl get "deploy/${deployment_name}" -n "{{ .Release.Namespace }}" -o jsonpath='{..image}' |\ tr -s '[:space:]' '\n' |\ grep '{{- .Values.moodle.image.repository -}}' } 
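Review bot: The `-moodle` suffix block added at the top of update-preparation.sh is the third copy of the same shell logic (backup.sh and restore.sh carry the others), and the `deploy/{{ .Release.Name }}` lines replaced here show how easily the copies drift. Defining the deployment name once as a named template in _helpers.tpl and including it from all three scripts would keep them in step. Inside the test, the first comparison `"$deployment_name" != "moodle"` is redundant, because `*"moodle"*` already matches the bare string.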
@@ -30,14 +36,16 @@ printf 'Image change detected\n' printf 'Disabling regular cronjob to prevent failing runs\n' kubectl patch cronjobs "{{ .Release.Name }}"-moodlecronjob-"{{ include "moodlecronjob.job_name" . }}" -n "{{ .Release.Namespace }}" -p '{"spec" : {"suspend" : true }}' -printf 'Scaling deployment "{{ .Release.Name }}" to 0 replicas\n' -kubectl patch "deploy/{{ .Release.Name }}" -n "{{ .Release.Namespace }}" -p '{"spec":{"replicas": 0}}' +printf 'Scaling deployment "%s" to 0 replicas\n' "$deployment_name" +kubectl patch "deploy/${deployment_name}" -n "{{ .Release.Namespace }}" -p '{"spec":{"replicas": 0}}' {{ if .Values.dbpMoodle.backup.enabled }} if [ "$BACKUP_ENABLED" = true ]; then printf 'Starting pre-update backup\n' - kubectl create job moodle-pre-update-backup-job -n "{{ .Release.Namespace }}" --from=cronjob.batch/moodle-backup-cronjob-backup + kubectl create job moodle-pre-update-backup-job -n "{{ .Release.Namespace }}" --from="cronjob.batch/{{ include "backup-cronjob.job_name" . }}" printf 'Waiting for backup to finish...\n' kubectl wait --for=condition=complete --timeout=10m job/moodle-pre-update-backup-job fi {{ end }} + +printf 'Preparations completed successfully, exting...' \ No newline at end of file diff --git a/charts/dbp-moodle/templates/_helpers.tpl b/charts/dbp-moodle/templates/_helpers.tpl index b5cea28..eb8036e 100644 --- a/charts/dbp-moodle/templates/_helpers.tpl +++ b/charts/dbp-moodle/templates/_helpers.tpl 
@@ -19,19 +19,22 @@ {{- end -}} {{- end -}} -{{- define "dbpMoodle.secrets.moodle_password" -}} -{{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.moodle_password }} +{{- define "backup-cronjob.job_name" -}} +{{- $releasename := .Release.Name -}} +{{- with (index .Values "backup-cronjob" "jobs") -}} +{{- printf "%s-backup-cronjob-%s" $releasename (index . 0).name -}} +{{- end -}} {{- end -}} -{{- define "dbpMoodle.secrets.pgsql_admin_password" -}} -{{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.pgsql_admin_password }} +{{- define "dbpMoodle.secrets.moodle_password" -}} +{{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.moodle_password }} {{- end -}} -{{- define "dbpMoodle.secrets.db_password" -}} -{{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.mariadb_password }} +{{- define "dbpMoodle.secrets.database_password" -}} + {{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.database_password }} {{- end -}} -{{- define "dbpMoodle.secrets.mariadb_root_password" -}} +{{- define "dbpMoodle.secrets.database_root_password" -}} {{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.mariadb_root_password }} {{- end -}} @@ -44,7 +47,7 @@ {{- end -}} {{- define "dbpMoodle.secrets.etherpad_api_key" -}} -{{- default "moodle" .Values.dbpMoodle.secrets.etherpad_api_key }} +{{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.etherpad_api_key }} {{- end -}} {{- define "dbpMoodle.backup.retention_time" -}} diff --git a/charts/dbp-moodle/templates/chart-hooks/moodle-restore-job.yaml b/charts/dbp-moodle/templates/chart-hooks/moodle-restore-job.yaml index bb5b28e..1ff0318 100644 --- a/charts/dbp-moodle/templates/chart-hooks/moodle-restore-job.yaml +++ b/charts/dbp-moodle/templates/chart-hooks/moodle-restore-job.yaml 
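Review bot: The renamed helper `dbpMoodle.secrets.database_root_password` still reads `.Values.dbpMoodle.secrets.mariadb_root_password`, a key this commit removes from values.yaml, so a root password set through the new `database_root_password` value is never used and `randAlphaNum 16` always supplies it. The default line should read `{{- default (randAlphaNum 16) .Values.dbpMoodle.secrets.database_root_password }}`. The helper now feeds both `pgsql-admin-password` and `mariadb-root-password` in moodle-secret.yaml, so both database back ends are affected.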
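Review bot: Defaulting `etherpad_api_key` to `randAlphaNum 16` removes the guessable `moodle` default, but the helper now yields a different value on every `include` and on every `helm upgrade` render. If the key is included in more than one template, or Etherpad and Moodle pick it up at different times, the two sides can end up with different keys; the consumers are not visible in this hunk, so this needs checking. A common pattern is to reuse the value from the existing Secret via `lookup` and generate only when none exists, and to document that production installs should set the value explicitly.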
@@ -33,11 +33,17 @@ spec: - secret: name: {{ .Values.dbpMoodle.restore.existingSecretGPG }} defaultMode: 0644 + {{ if and .Values.dbpMoodle.backup.s3_certificate_secret.mountpath .Values.dbpMoodle.backup.s3_certificate_secret.key }} + - name: "{{ .Values.dbpMoodle.backup.s3_certificate_secret.name }}" + secret: + secretName: "{{ .Values.dbpMoodle.backup.s3_certificate_secret.name }}" + defaultMode: 0644 + {{ end }} serviceAccountName: "moodle-restore-job" serviceAccount: "moodle-restore-job" containers: - name: moodle-restore-job - image: {{ .Values.dbpMoodle.restore.image }} + image: "{{ .Values.dbpMoodle.restore.repository }}/{{ .Values.dbpMoodle.restore.image }}:{{ .Values.dbpMoodle.restore.tag }}" command: - /bin/sh - -c @@ -65,6 +71,10 @@ spec: mountPath: /scripts/ - name: duply mountPath: /etc/duply/default/ + {{ if .Values.dbpMoodle.backup.s3_certificate_secret.enabled }} + - name: "{{ .Values.dbpMoodle.backup.s3_certificate_secret.name }}" + mountPath: {{ .Values.dbpMoodle.backup.s3_certificate_secret.mountpath }} + {{ end }} env: - name: DATABASE_HOST valueFrom: diff --git a/charts/dbp-moodle/templates/chart-hooks/moodle-update-preparation-job.yaml b/charts/dbp-moodle/templates/chart-hooks/moodle-update-preparation-job.yaml index 851a872..09ee60a 100644 --- a/charts/dbp-moodle/templates/chart-hooks/moodle-update-preparation-job.yaml +++ b/charts/dbp-moodle/templates/chart-hooks/moodle-update-preparation-job.yaml @@ -1,4 +1,4 @@ -{{ if and .Values.dbpMoodle.update_migration.enabled (not .Values.dbpMoodle.restore.enabled) }} +{{ if and .Values.dbpMoodle.moodleUpdatePreparationJob.enabled (not .Values.dbpMoodle.restore.enabled) }} apiVersion: batch/v1 kind: Job metadata: 
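Review bot: The restore job image is now assembled as `repository/image:tag`, which leaves no way to pin it by digest. From the values shown on this page the job appears to be given the database password, the S3 credentials and the GPG key secret, so a retagged image would run with all of them. Consider an optional `digest` value that, when set, renders `repository/image@<digest>` instead of the tag. The same applies to the `moodleUpdatePreparationJob` image line in moodle-update-preparation-job.yaml.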
@@ -12,17 +12,17 @@ spec: spec: containers: - name: moodle-update-preparation - image: {{ .Values.dbpMoodle.moodleUpdatePreparationJob.kubectlImage }} + image: "{{ .Values.dbpMoodle.moodleUpdatePreparationJob.repository }}/{{ .Values.dbpMoodle.moodleUpdatePreparationJob.image }}:{{ .Values.dbpMoodle.moodleUpdatePreparationJob.tag }}" securityContext: privileged: false - command: ["/bin/bash", "/moodle-update-preparation.sh"] + command: ["/bin/bash", "/update-preparation.sh"] resources: {{ .Values.dbpMoodle.moodleUpdatePreparationJob.resources | toYaml }} env: - name: BACKUP_ENABLED value: '{{ .Values.dbpMoodle.backup.enabled }}' volumeMounts: - name: script-volume - mountPath: /moodle-update-preparation.sh + mountPath: /update-preparation.sh subPath: moodle-update-preparation.sh livenessProbe: exec: diff --git a/charts/dbp-moodle/templates/configmaps/moodle-cronjob-configmap.yaml b/charts/dbp-moodle/templates/configmaps/moodle-cronjob-configmap.yaml index b58063b..9fa23db 100644 --- a/charts/dbp-moodle/templates/configmaps/moodle-cronjob-configmap.yaml +++ b/charts/dbp-moodle/templates/configmaps/moodle-cronjob-configmap.yaml @@ -5,4 +5,4 @@ metadata: namespace: {{ .Release.Namespace }} data: cronjob-script: |- -{{ tpl ( .Files.Get "scripts/moodleCronjobScript.sh" ) . | nindent 4 }} \ No newline at end of file +{{ tpl ( .Files.Get "scripts/cronjob.sh" ) . | nindent 4 }} \ No newline at end of file diff --git a/charts/dbp-moodle/templates/configmaps/moodle-restore-script-configmap.yaml b/charts/dbp-moodle/templates/configmaps/moodle-restore-script-configmap.yaml index 42e9e63..5a90817 100644 --- a/charts/dbp-moodle/templates/configmaps/moodle-restore-script-configmap.yaml +++ b/charts/dbp-moodle/templates/configmaps/moodle-restore-script-configmap.yaml 
@@ -10,5 +10,5 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed data: restore-script: |- -{{- tpl ( .Files.Get "scripts/moodleRestoreScript.sh" ) . | nindent 4 -}} +{{- tpl ( .Files.Get "scripts/restore.sh" ) . | nindent 4 -}} {{- end }} \ No newline at end of file diff --git a/charts/dbp-moodle/templates/configmaps/moodle-update-preparation-hook-configmap.yaml b/charts/dbp-moodle/templates/configmaps/moodle-update-preparation-hook-configmap.yaml index b4873db..806c734 100644 --- a/charts/dbp-moodle/templates/configmaps/moodle-update-preparation-hook-configmap.yaml +++ b/charts/dbp-moodle/templates/configmaps/moodle-update-preparation-hook-configmap.yaml @@ -9,5 +9,5 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed data: moodle-update-preparation.sh: |- -{{ tpl ( .Files.Get "scripts/hook/moodle-update-preparation.sh" ) . | nindent 4 }} +{{ tpl ( .Files.Get "scripts/update-preparation.sh" ) . | nindent 4 }} {{ end }} \ No newline at end of file diff --git a/charts/dbp-moodle/templates/secrets/moodle-secret.yaml b/charts/dbp-moodle/templates/secrets/moodle-secret.yaml index c5fe038..202534b 100644 --- a/charts/dbp-moodle/templates/secrets/moodle-secret.yaml +++ b/charts/dbp-moodle/templates/secrets/moodle-secret.yaml 
@@ -7,13 +7,13 @@ metadata: namespace: "{{ .Release.Namespace }}" stringData: moodle-password: {{ include "dbpMoodle.secrets.moodle_password" . }} + database-password-note: "Due to technical constraints, the database password key is always \"mariadb-password\" even if using PostgreSQL" + mariadb-password: {{ include "dbpMoodle.secrets.database_password" . }} {{- if .Values.postgresql.enabled }} - mariadb-password: {{ include "dbpMoodle.secrets.db_password" . }} - pgsql-admin-password: {{ include "dbpMoodle.secrets.pgsql_admin_password" . }} + pgsql-admin-password: {{ include "dbpMoodle.secrets.database_root_password" . }} {{- end }} {{- if .Values.mariadb.enabled }} - mariadb-password: {{ include "dbpMoodle.secrets.db_password" . }} - mariadb-root-password: {{ include "dbpMoodle.secrets.mariadb_root_password" . }} + mariadb-root-password: {{ include "dbpMoodle.secrets.database_root_password" . }} {{- end }} {{- if .Values.redis.enabled }} redis-password: {{ include "dbpMoodle.secrets.redis_password" . }} diff --git a/charts/dbp-moodle/values.yaml b/charts/dbp-moodle/values.yaml index 24c619a..5754d0e 100644 --- a/charts/dbp-moodle/values.yaml +++ b/charts/dbp-moodle/values.yaml @@ -71,10 +71,6 @@ dbpMoodle: name: infra stage: infra - # -- The dbp update process to migrate moodle data when moodle versions are increased - update_migration: - enabled: false - # -- disallows all egress from release namespace for the moodle deployment allowInternalNetworkingOnly: false 
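Review bot: The new `mariadb-password`, `pgsql-admin-password` and `mariadb-root-password` entries render the helper output unquoted, so an operator-supplied password that is all digits, starts with a YAML indicator, or contains ` #` or `: ` is retyped, truncated or breaks the manifest. Piping through `quote` keeps the value a string, e.g. `mariadb-password: {{ include "dbpMoodle.secrets.database_password" . | quote }}`. The unchanged `moodle-password` and `redis-password` entries in this hunk follow the same unquoted pattern and would benefit from the same change.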
@@ -111,19 +107,21 @@ dbpMoodle: secrets: useChartSecret: true moodle_password: "" - pgsql_admin_password: "" - mariadb_password: "" - mariadb_root_password: "" + database_password: "" + database_root_password: "" etherpad_postgresql_password: "" etherpad_api_key: "" # -- A preperation job which disables the php-cronjob, scales down the deployment and creates a backup if dbpMoodle.backup.enabled=true moodleUpdatePreparationJob: + enabled: false affinity: {} tolerations: [] resources: {} # -- Which kubectl image to use - kubectlImage: bitnami/kubectl:1.30.4-debian-12-r3 + repository: "ghcr.io/dbildungsplattform" + image: moodle-tools + tag: "1.0.8" moodleUpdatePreparationHook: rules: @@ -157,7 +155,14 @@ dbpMoodle: s3_endpoint_url: "" # -- Existing secret for s3 endpoint existingSecret: "" - + # -- Secret key of a certificate for duply to connect to s3 endpoint using SSL, useful to trust self-signed certificates + # -- certificate has to mounted "manually" under values backup-cronjob + s3_certificate_secret: + enabled: false + name: "s3-certificate" + # -- Path where the certificate is mounted + key: "certificate.crt" + mountpath: "/certs" rules: - apiGroups: ["apps"] resources: ["deployments"] @@ -169,7 +174,9 @@ dbpMoodle: # -- This restores moodle to the latest snapshot. Requires an existing s3 backup. ONLY USE FOR ROLLBACK restore: enabled: false - image: ghcr.io/dbildungsplattform/moodle-tools:1.0.7 + repository: ghcr.io/dbildungsplattform + image: moodle-tools + tag: 1.0.8 resources: limits: cpu: 2000m @@ -506,7 +513,7 @@ etherpad-postgresql: moodlecronjob: image: repository: "ghcr.io/dbildungsplattform/moodle-tools" - tag: "1.0.7" + tag: "1.0.8" clusterRole: create: false serviceAccount: @@ -554,7 +561,7 @@ moodlecronjob: backup-cronjob: image: repository: "ghcr.io/dbildungsplattform/moodle-tools" - tag: "1.0.7" + tag: "1.0.8" clusterRole: create: false serviceAccount:
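Review bot: Renaming `mariadb_password`, `mariadb_root_password` and `pgsql_admin_password` to `database_password` and `database_root_password` is a breaking values change with no fallback. An existing values file that still sets the old keys is silently ignored and the helpers fall back to `randAlphaNum 16`, so an upgrade would presumably write new passwords into the Secret while the database keeps the old ones. Either let the helpers fall back to the old keys, or `fail` with a clear message when an old key is set, and add an upgrade note to the README. Separately, the comment `# -- Which kubectl image to use` now sits above `repository` and should be reworded.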
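Review bot: The doc comment `# -- Path where the certificate is mounted` is attached to `key`, but it describes `mountpath`; the README table in this commit carries the same mismatch. Suggested comments are `# -- Name of the secret containing the certificate` above `name`, `# -- Key inside the secret that holds the certificate` above `key`, and `# -- Directory where the secret is mounted in the job container` above `mountpath`. In the section comment, "has to mounted" should read "has to be mounted".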