OPSEXP-1862: add search config (#94)

Alfresco · Aug 8, 2023 · 78fa089 · 78fa089
1 parent 3de646e
commit 78fa089
Show file tree

Hide file tree

Showing 13 changed files with 421 additions and 36 deletions.
diff --git a/.checkov-values.yml b/.checkov-values.yml
@@ -4,10 +4,13 @@ activemq:
   enabled: true
 elasticsearch:
   enabled: true
-db:
-  url: postgresql://pg-postgresql-acs/alfresco
-  username: pguser
-  password: pgpass
+configuration:
+  db:
+    url: postgresql://pg-postgresql-acs/alfresco
+    username: pguser
+    password: pgpass
+  messageBroker:
+    url: nio://activemq:61616
 global:
   tracking:
     sharedsecret: dummy
diff --git a/charts/alfresco-repository/Chart.lock b/charts/alfresco-repository/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: alfresco-common
   repository: https://alfresco.github.io/alfresco-helm-charts/
-  version: 2.1.0-alpha.2
+  version: 2.1.0-alpha.4
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 12.5.6
-digest: sha256:2fc15d92a0fa85b0f7b7b5fa3340fa881b3dfc9c64afe0433afd5ebe374158c6
-generated: "2023-07-31T13:57:22.409425+02:00"
+digest: sha256:fc198ff15a70999cb84eae6ea08e68f73168a0f6495c127efb0f1b9f7b1ebb69
+generated: "2023-08-07T21:24:10.004093+02:00"
diff --git a/charts/alfresco-repository/Chart.yaml b/charts/alfresco-repository/Chart.yaml
@@ -2,11 +2,11 @@ apiVersion: v2
 name: alfresco-repository
 description: Alfresco content repository Helm chart
 type: application
-version: 0.1.0-alpha.4
+version: 0.1.0-alpha.5
 appVersion: 23.1.0-A21
 dependencies:
   - name: alfresco-common
-    version: 2.1.0-alpha.2
+    version: 2.1.0-alpha.4
     repository: https://alfresco.github.io/alfresco-helm-charts/
   - name: postgresql
     version: 12.5.6

diff --git a/charts/alfresco-repository/README.md b/charts/alfresco-repository/README.md
@@ -1,14 +1,14 @@
 # alfresco-repository
 
-![Version: 0.1.0-alpha.4](https://img.shields.io/badge/Version-0.1.0--alpha.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
+![Version: 0.1.0-alpha.5](https://img.shields.io/badge/Version-0.1.0--alpha.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
 
 Alfresco content repository Helm chart
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-common | 2.1.0-alpha.2 |
+| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-common | 2.1.0-alpha.4 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql | 12.5.6 |
 
 ## Values
@@ -19,6 +19,8 @@ Alfresco content repository Helm chart
 | args | list | `[]` |  |
 | command | list | `[]` |  |
 | configuration.db.driver | string | `nil` | JDBC driver class of the driver if none is provided the it is guessed from the URL provided |
+| configuration.db.existingConfigMap.keys | object | `{}` |  |
+| configuration.db.existingConfigMap.name | string | `nil` |  |
 | configuration.db.existingSecret | object | `{"keys":{"password":"DATABASE_PASSWORD","username":"DATABASE_USERNAME"},"name":null}` | Existing secret and their keys where to find the database username & password. |
 | configuration.db.existingSecret.keys.password | string | `"DATABASE_PASSWORD"` | Key within the secret holding the database password |
 | configuration.db.existingSecret.keys.username | string | `"DATABASE_USERNAME"` | Key within the secret holding the database username |
@@ -37,6 +39,18 @@ Alfresco content repository Helm chart
 | configuration.messageBroker.username | string | `nil` | Username to authenticate to the message broker |
 | configuration.repository.existingConfigMap | string | `nil` | a configmap containing the "alfresco-global.properties" key populated with actual Alfresco repository properties |
 | configuration.repository.existingSecrets | list | `[{"key":"license.lic","name":"repository-secrets","purpose":"acs-license"}]` | A list of secrets to make available to the repo as env vars. It's also used to pass the Alfresco license which will be mounted as a file when the secret as the `purpose` value set to `acs-license`. Other secrets will be used as env variables. |
+| configuration.search.existingConfigMap.keys.flavor | string | `"SEARCH_FLAVOR"` |  |
+| configuration.search.existingConfigMap.keys.url | string | `"SEARCH_URL"` | Key within the configmap  holding the search service URL. |
+| configuration.search.existingConfigMap.name | string | `nil` | Optional configmap containing the search service URL |
+| configuration.search.existingSecret.keys.password | string | `"ELASTICSEARCH_PASSWORD"` | Key within the secret holding the search service password |
+| configuration.search.existingSecret.keys.solr-secret | string | `"SOLR_SECRET"` | Key within the secret holding the index shared secret |
+| configuration.search.existingSecret.keys.username | string | `"ELASTICSEARCH_USERNAME"` | Key within the secret holding the search service username |
+| configuration.search.existingSecret.name | string | `nil` | Optional secret containing search service credentials |
+| configuration.search.flavor | string | `"noindex"` | Can be either `solr`, `elasticsearch` or `noindex` |
+| configuration.search.password | string | `nil` | Password to authenticate to the search service |
+| configuration.search.solr-secret | string | `nil` | Solr inter process shared secret |
+| configuration.search.url | string | `nil` | URL where the search service can be found |
+| configuration.search.username | string | `nil` | Username to authenticate to the search service |
 | environment.CATALINA_OPTS | string | `nil` | Java or Tomcat system properties. These properties must be provided as a single string following the pattern "-Dproperty=value -Dmoreprop=morevalue". They override the content of the global properties file but you should prefer providing configuration.repository.existingConfigMap. |
 | environment.JAVA_OPTS | string | `"-XX:MaxRAMPercentage=80"` | Set JVM options |
 | extraInitContainers | list | `[]` |  |

diff --git a/charts/alfresco-repository/templates/_helpers-checksums.tpl b/charts/alfresco-repository/templates/_helpers-checksums.tpl
diff --git a/charts/alfresco-repository/templates/_helpers-search.tpl b/charts/alfresco-repository/templates/_helpers-search.tpl
@@ -0,0 +1,61 @@
+{{/*
+Validate search flavor by checking it is set to either "noindex", "solr6" or "elasticsearch"
+
+Usage: include "alfresco-repository.search.flavor.valid" "FLAVOR"
+
+*/}}
+{{- define "alfresco-repository.search.flavor.valid" -}}
+{{- if not (mustHas . (list "noindex" "solr6" "elasticsearch")) }}
+  {{- fail "Search Service flavor MUST be one of 'noindex', 'solr6' or 'elasticsearch'" }}
+{{- else -}}
+  {{- . }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Check whether a Solr shared secret was provided
+
+Usage: include "alfresco-repository.solr.security" (dict "ns" "" "search" (dict "existingConfigMap" (dict "name" "" "keys" (dict "solr-secret" ""))))
+
+*/}}
+{{- define "alfresco-repository.solr.security" -}}
+{{ $ns := .ns }}
+{{- with .search }}
+  {{- if .existingSecret.name }}
+    {{- $defaultLookup := (dict "data" dict) }}
+    {{- $lookup := lookup "v1" "Secret" $ns .existingSecret.name | default $defaultLookup }}
+    {{- hasKey $lookup.data (index .existingSecret.keys "solr-secret") | ternary "secret" "none" }}
+  {{- else -}}
+    {{- not (empty (index . "solr-secret")) | ternary "secret" "none" }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Alfresco Repository search configuration
+
+Usage: include "alfresco-repository.search.config" $
+
+*/}}
+{{- define "alfresco-repository.search.config" -}}
+{{- with .Values.configuration.search }}
+  {{- $search_url := include "alfresco-common.read.cm.then.value" (dict "ns" $.Release.Namespace "key" "url" "context" .) }}
+  {{- if eq "solr6" (include "alfresco-repository.search.flavor.valid" .flavor) }}
+  -Dsolr.host={{ template "alfresco-common.url.host" $search_url }}
+  -Dsolr.port={{ template "alfresco-common.url.port" $search_url }}
+  -Dsolr.base.url={{ include "alfresco-common.url.path" $search_url | default "/solr" }}
+  {{- $solr_comms := include "alfresco-repository.solr.security" (dict "ns" $.Release.Namespace "search" . ) }}
+  -Dsolr.secureComms={{ $solr_comms }}
+  {{- if eq "secret" $solr_comms }}
+  -Dsolr.sharedSecret=$SOLR_SECRET
+  {{- end }}
+  {{- else if eq "elasticsearch" (include "alfresco-repository.search.flavor.valid" .flavor) }}
+  -Delasticsearch.host={{ template "alfresco-common.url.host" $search_url }}
+  -Delasticsearch.port={{ template "alfresco-common.url.port" $search_url }}
+  -Delasticsearch.secureComms={{ eq "https" (include "alfresco-common.url.scheme" $search_url) | ternary "https" "none"  }}
+  -Delasticsearch.user=$ELASTICSEARCH_USERNAME
+  -Delasticsearch.password=$ELASTICSEARCH_PASSWORD
+  -Delasticsearch.createIndexIfNotExists=true
+  {{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/alfresco-repository/templates/configmap.yaml b/charts/alfresco-repository/templates/configmap.yaml
@@ -8,11 +8,12 @@ metadata:
     {{- include "alfresco-repository.labels" . | nindent 4 }}
 data:
   CATALINA_OPTS: >-
+    {{- with .Values.configuration }}
     -Ddeployment.method=HELM_CHART
-    -Ddb.url=jdbc:{{ .Values.configuration.db.url }}
+    -Ddb.url=jdbc:{{ .db.url }}
     -Ddb.username=${DATABASE_USERNAME}
     -Ddb.password=${DATABASE_PASSWORD}
-    -Ddb.driver={{ include "alfresco-repository.db.driver" .Values.configuration.db }}
+    -Ddb.driver={{ include "alfresco-common.db.driver" .db }}
     -Dencryption.keystore.type=JCEKS
     -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
     -Dencryption.keyAlgorithm=DESede
@@ -24,6 +25,12 @@ data:
     -Dmessaging.broker.url="$BROKER_URL"
     -Dmessaging.broker.username="$BROKER_USERNAME"
     -Dmessaging.broker.password="$BROKER_PASSWORD"
+    {{- $search_flavor := include "alfresco-common.read.cm.then.value" (dict "ns" $.Release.Namespace "key" "flavor" "context" .search) }}
+    -Dindex.subsystem.name={{ template "alfresco-repository.search.flavor.valid" $search_flavor }}
+    {{- if not (eq "noindex" .search.flavor) }}
+      {{- include "alfresco-repository.search.config" $ | indent 2 }}
+    {{- end }}
+    {{- end }}
     {{ .Values.environment.CATALINA_OPTS | default "" }}
   JAVA_OPTS: >-
     {{ .Values.environment.JAVA_OPTS | default "" }}
diff --git a/charts/alfresco-repository/templates/deployment.yaml b/charts/alfresco-repository/templates/deployment.yaml
@@ -14,8 +14,12 @@ spec:
   template:
     metadata:
       annotations:
-        {{- include "alfresco-repository.secret-checksum" (dict "release" $.Release.Name "context" . "configKey" "db") | indent 8 }}
-        {{- include "alfresco-repository.secret-checksum" (dict "release" $.Release.Name "context" . "configKey" "messageBroker") | indent 8 }}
+        {{- with .Values.configuration }}
+          {{- $context := . }}
+          {{- range $k := (omit . "repository" "hz" | keys) }}
+            {{- include "alfresco-common.checksum.config" (dict "ns" $.Release.Namespace "context" $context "configKey" $k) | indent 8 }}
+          {{- end }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -44,9 +48,9 @@ spec:
               {{- $dbport := "" }}
               {{- $dbrdbms := "" }}
               {{- with .Values.configuration.db }}
-              {{- $dbhost = include "alfresco-repository.db.hostname" . }}
-              {{- $dbport = include "alfresco-repository.db.port" . }}
-              {{- $dbrdbms = include "alfresco-repository.db.rdbms" . }}
+              {{- $dbhost = include "alfresco-common.db.hostname" .url }}
+              {{- $dbport = include "alfresco-common.db.port" . }}
+              {{- $dbrdbms = include "alfresco-common.db.rdbms" .url }}
               {{- end }}
               until nc -w1 {{ $dbhost }}:{{ $dbport }}
               do echo 'waiting for {{ $dbrdbms }} database on {{ $dbhost }}:{{ $dbport }}'
@@ -63,13 +67,17 @@ spec:
           {{- $mqsecret := "" }}
           {{- $mqconfigCtx := dict }}
           {{- $mqconfig := "" }}
+          {{- $searchsecretCtx := dict }}
+          {{- $searchsecret := "" }}
           {{- with .Values.configuration }}
             {{- $dbsecretCtx = dict "Values" (dict "nameOverride" "secret-database") "Chart" $.Chart "Release" $.Release }}
             {{- $dbsecret = coalesce .db.existingSecret.name (include "alfresco-repository.fullname" $dbsecretCtx) }}
             {{- $mqsecretCtx = dict "Values" (dict "nameOverride" "secret-mq") "Chart" $.Chart "Release" $.Release }}
             {{- $mqsecret = coalesce .messageBroker.existingSecret.name (include "alfresco-repository.fullname" $mqsecretCtx) }}
             {{- $mqconfigCtx = dict "Values" (dict "nameOverride" "configmap-mq") "Chart" $.Chart "Release" $.Release }}
             {{- $mqconfig = coalesce .messageBroker.existingConfigMap.name (include "alfresco-repository.fullname" $mqconfigCtx) }}
+            {{- $searchsecretCtx = dict "Values" (dict "nameOverride" "secret-search") "Chart" $.Chart "Release" $.Release }}
+            {{- $searchsecret = coalesce .search.existingSecret.name (include "alfresco-repository.fullname" $searchsecretCtx) }}
           {{- end }}
           env:
             - name: DATABASE_USERNAME
@@ -89,6 +97,24 @@ spec:
              {{- list $repoSecretsEnv | toYaml | nindent 12 }}
            {{- end }}
           {{- end }}
+            - name: ELASTICSEARCH_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $searchsecret }}
+                  key: {{ .Values.configuration.search.existingSecret.keys.username }}
+                  optional: true
+            - name: ELASTICSEARCH_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $searchsecret }}
+                  key: {{ .Values.configuration.search.existingSecret.keys.password }}
+                  optional: true
+            - name: SOLR_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $searchsecret }}
+                  key: {{ index .Values.configuration.search.existingSecret.keys "solr-secret" }}
+                  optional: true
             - name: BROKER_USERNAME
               valueFrom:
                 secretKeyRef:

diff --git a/charts/alfresco-repository/templates/secret-search.yaml b/charts/alfresco-repository/templates/secret-search.yaml
@@ -0,0 +1,20 @@
+{{- with .Values.configuration.search }}
+{{- if and (not (eq .flavor "noindex")) (not .existingSecret.name) (or (index . "solr-secret") (and .username .password)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- $searchsecretCtx := dict "Values" (dict "nameOverride" "secret-search") "Chart" $.Chart "Release" $.Release }}
+  name: {{ template "alfresco-repository.fullname" $searchsecretCtx }}
+  labels:
+    {{- include "alfresco-repository.labels" $ | nindent 4 }}
+type: Opaque
+data:
+  {{- if eq .flavor "solr6" }}
+  SOLR_SECRET: {{ index . "solr-secret" | b64enc | quote }}
+  {{- end }}
+  {{- if eq .flavor "elasticsearch" }}
+  ELASTICSEARCH_USERNAME: {{ .username | b64enc | quote }}
+  ELASTICSEARCH_PASSWORD: {{ .password | b64enc | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/alfresco-repository/templates/volumeclaim.yaml b/charts/alfresco-repository/templates/volumeclaim.yaml
@@ -0,0 +1,3 @@
+{{- if and (not .Values.persistence.existingClaim) .Values.persistence.enabled }}
+  {{- include "alfresco-common.component_pvc" .Values }}
+{{- end }}
diff --git a/charts/alfresco-repository/tests/message-broker_test.yaml b/charts/alfresco-repository/tests/message-broker_test.yaml
@@ -4,10 +4,10 @@ templates:
   - secret-message-broker.yaml
   - deployment.yaml
   - configmap-message-broker.yaml
+values:
+  - values/test_values.yaml
 tests:
   - it: should render ActiveMQ minimal config
-    values: &testvalues
-      - values/test_values.yaml
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
@@ -22,10 +22,12 @@ tests:
           path: data.BROKER_URL
           value: failover:(tcp://localhost:61616)
         template: configmap-message-broker.yaml
+      - equal:
+          path: spec.template.metadata.annotations['checksum.config.alfresco.org/messageBroker']
+          value: &cfgsum c2939932894f879e156e0ccaebb43552058663dbbedd75c74afd20a86662e054
+        template: deployment.yaml
 
-  - it: should render custom secret
-    values:
-      - values/test_values.yaml
+  - it: should render custom secret with modified checksum
     set:
       configuration:
         messageBroker:
@@ -51,3 +53,7 @@ tests:
       - hasDocuments:
           count: 0
         template: secret-message-broker.yaml
+      - notEqual:
+          path: spec.template.metadata.annotations['checksum.config.alfresco.org/db']
+          value: *cfgsum
+        template: deployment.yaml