OPSEXP-1862: misc improvements (#90)

charts/alfresco-repository/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: alfresco-repository
 description: Alfresco content repository Helm chart
 type: application
-version: 0.1.0-alpha.3
+version: 0.1.0-alpha.4
 appVersion: 23.1.0-A21
 dependencies:
   - name: alfresco-common

charts/alfresco-repository/README.md

@@ -1,6 +1,6 @@
 # alfresco-repository
 
-![Version: 0.1.0-alpha.3](https://img.shields.io/badge/Version-0.1.0--alpha.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
+![Version: 0.1.0-alpha.4](https://img.shields.io/badge/Version-0.1.0--alpha.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
 
 Alfresco content repository Helm chart
 
@@ -18,6 +18,15 @@ Alfresco content repository Helm chart
 | affinity | object | `{}` |  |
 | args | list | `[]` |  |
 | command | list | `[]` |  |
+| configuration.db.driver | string | `nil` | JDBC driver class of the driver if none is provided the it is guessed from the URL provided |
+| configuration.db.existingSecret | object | `{"keys":{"password":"DATABASE_PASSWORD","username":"DATABASE_USERNAME"},"name":null}` | Existing secret and their keys where to find the database username & password. |
+| configuration.db.existingSecret.keys.password | string | `"DATABASE_PASSWORD"` | Key within the secret holding the database password |
+| configuration.db.existingSecret.keys.username | string | `"DATABASE_USERNAME"` | Key within the secret holding the database username |
+| configuration.db.existingSecret.name | string | `nil` | Name of a pre-existing secret containing database credentials |
+| configuration.db.password | string | `nil` | Password to authentication to the repository database |
+| configuration.db.url | string | `nil` | JDBC url of the database WITHOUT the "jdbc:" prefix This is a mandatory parameter |
+| configuration.db.username | string | `nil` | Username to authentication to the repository database |
+| configuration.hz.port | int | `5701` | Hazelcast listener port Only change it if you use a custom image where the port has been changed from default |
 | configuration.messageBroker.existingConfigMap.keys.url | string | `"BROKER_URL"` | Key within the configmap  holding the message broker URL. It MUST be a failover URL as per the spec below: https://activemq.apache.org/failover-transport-reference.html |
 | configuration.messageBroker.existingConfigMap.name | string | `nil` | Name of a pre-existing configmap containing the meesage broker URL |
 | configuration.messageBroker.existingSecret.keys.password | string | `"BROKER_PASSWORD"` | Key within the secret holding the message broker password |
@@ -28,14 +37,6 @@ Alfresco content repository Helm chart
 | configuration.messageBroker.username | string | `nil` | Username to authenticate to the message broker |
 | configuration.repository.existingConfigMap | string | `nil` | a configmap containing the "alfresco-global.properties" key populated with actual Alfresco repository properties |
 | configuration.repository.existingSecrets | list | `[{"key":"license.lic","name":"repository-secrets","purpose":"acs-license"}]` | A list of secrets to make available to the repo as env vars. It's also used to pass the Alfresco license which will be mounted as a file when the secret as the `purpose` value set to `acs-license`. Other secrets will be used as env variables. |
-| db.driver | string | `nil` | JDBC driver class of the driver if none is provided the it is guessed from the URL provided |
-| db.existingSecret | object | `{"keys":{"password":"DATABASE_PASSWORD","username":"DATABASE_USERNAME"},"name":null}` | Existing secret and their keys where to find the database username & password. |
-| db.existingSecret.keys.password | string | `"DATABASE_PASSWORD"` | Key within the secret holding the database password |
-| db.existingSecret.keys.username | string | `"DATABASE_USERNAME"` | Key within the secret holding the database username |
-| db.existingSecret.name | string | `nil` | Name of a pre-existing secret containing database credentials |
-| db.password | string | `nil` | Password to authentication to the repository database |
-| db.url | string | `nil` | JDBC url of the database WITHOUT the "jdbc:" prefix This is a mandatory parameter |
-| db.username | string | `nil` | Username to authentication to the repository database |
 | environment.CATALINA_OPTS | string | `nil` | Java or Tomcat system properties. These properties must be provided as a single string following the pattern "-Dproperty=value -Dmoreprop=morevalue". They override the content of the global properties file but you should prefer providing configuration.repository.existingConfigMap. |
 | environment.JAVA_OPTS | string | `"-XX:MaxRAMPercentage=80"` | Set JVM options |
 | extraInitContainers | list | `[]` |  |
@@ -100,6 +101,7 @@ Alfresco content repository Helm chart
 | strategy.rollingUpdate.maxSurge | int | `1` |  |
 | strategy.rollingUpdate.maxUnavailable | int | `0` |  |
 | strategy.type | string | `"RollingUpdate"` |  |
+| terminationGracePeriod | int | `60` | How long to wait for tomcat to complete shutdown before killing it |
 | tolerations | list | `[]` |  |
 
 ----------------------------------------------

charts/alfresco-repository/ci/default-values.yaml

@@ -1,8 +1,8 @@
-db:
-  url: postgresql://pg-postgresql-acs/alfresco
-  username: &pguser pguser
-  password: &pgpass pgpass
 configuration:
+  db:
+    url: postgresql://pg-postgresql-acs/alfresco
+    username: &pguser pguser
+    password: &pgpass pgpass
   messageBroker:
     url: failover:(tcp://localhost:61616)
 postgresql:

charts/alfresco-repository/templates/_helpers-checksums.tpl

@@ -0,0 +1,13 @@
+{{/*
+Compute Resource checksum given a path
+*/}}
+{{- define "alfresco-repository.secret-checksum" -}}
+{{- $release := required "alfresco-repository.secret-checksum needs to be given the release name" .release }}
+{{- with (index .context "Values" "configuration" .configKey) }}
+checksum.config.alfresco.org/{{ $.configKey }}-values: {{ omit . "existingSecret" | toJson | sha256sum }}
+checksum.config.alfresco.org/{{ $.configKey }}-existing:
+  {{- $defaultLookup := (dict "existingSecret" (dict "keys" dict)) }}
+  {{- $lookup := ((lookup "v1" "Secret" $release ( .existingSecret.name | default "")).data | default $defaultLookup) }}
+  {{- pick $lookup .existingSecret.keys.username .existingSecret.keys.password | toJson | sha256sum | indent 1}}
+{{- end }}
+{{- end -}}

charts/alfresco-repository/templates/configmap.yaml

@@ -9,10 +9,10 @@ metadata:
 data:
   CATALINA_OPTS: >-
     -Ddeployment.method=HELM_CHART
-    -Ddb.url=jdbc:{{ .Values.db.url }}
+    -Ddb.url=jdbc:{{ .Values.configuration.db.url }}
     -Ddb.username=${DATABASE_USERNAME}
     -Ddb.password=${DATABASE_PASSWORD}
-    -Ddb.driver={{ include "alfresco-repository.db.driver" .Values.db }}
+    -Ddb.driver={{ include "alfresco-repository.db.driver" .Values.configuration.db }}
     -Dencryption.keystore.type=JCEKS
     -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
     -Dencryption.keyAlgorithm=DESede

charts/alfresco-repository/templates/deployment.yaml

@@ -13,8 +13,10 @@ spec:
     {{- toYaml (.Values.strategy | default .Values.global.strategy) | nindent 4 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        {{- include "alfresco-repository.secret-checksum" (dict "release" $.Release.Name "context" . "configKey" "db") | indent 8 }}
+        {{- include "alfresco-repository.secret-checksum" (dict "release" $.Release.Name "context" . "configKey" "messageBroker") | indent 8 }}
+      {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
@@ -38,33 +40,48 @@ spec:
             - sh
             - -c
             - |
-              {{ $dbsocket := printf "%s:%s" (include "alfresco-repository.db.hostname" .Values.db ) (include "alfresco-repository.db.port" .Values.db) -}}
-              until nc -w1 {{ $dbsocket }}
-              do echo "waiting for {{  template "alfresco-repository.db.rdbms" .Values.db }} database on {{ $dbsocket }}"
+              {{- $dbhost := "" }}
+              {{- $dbport := "" }}
+              {{- $dbrdbms := "" }}
+              {{- with .Values.configuration.db }}
+              {{- $dbhost = include "alfresco-repository.db.hostname" . }}
+              {{- $dbport = include "alfresco-repository.db.port" . }}
+              {{- $dbrdbms = include "alfresco-repository.db.rdbms" . }}
+              {{- end }}
+              until nc -w1 {{ $dbhost }}:{{ $dbport }}
+              do echo 'waiting for {{ $dbrdbms }} database on {{ $dbhost }}:{{ $dbport }}'
                 sleep 2
               done
       containers:
         - name: {{ .Chart.Name }}
           {{- include "component-security-context" .Values | indent 8 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- $dbsecretCtx := dict "Values" (dict "nameOverride" "secret-database") "Chart" .Chart "Release" .Release }}
-          {{- $dbsecret := coalesce .Values.db.existingSecret.name (include "alfresco-repository.fullname" $dbsecretCtx) }}
-          {{- $mqsecretCtx := dict "Values" (dict "nameOverride" "secret-mq") "Chart" .Chart "Release" .Release }}
-          {{- $mqsecret := coalesce .Values.configuration.messageBroker.existingSecret.name (include "alfresco-repository.fullname" $mqsecretCtx) }}
-          {{- $mqconfigCtx := dict "Values" (dict "nameOverride" "configmap-mq") "Chart" .Chart "Release" .Release }}
-          {{- $mqconfig := coalesce .Values.configuration.messageBroker.existingConfigMap.name (include "alfresco-repository.fullname" $mqconfigCtx) }}
+          {{- $dbsecretCtx := dict }}
+          {{- $dbsecret := "" }}
+          {{- $mqsecretCtx := dict }}
+          {{- $mqsecret := "" }}
+          {{- $mqconfigCtx := dict }}
+          {{- $mqconfig := "" }}
+          {{- with .Values.configuration }}
+            {{- $dbsecretCtx = dict "Values" (dict "nameOverride" "secret-database") "Chart" $.Chart "Release" $.Release }}
+            {{- $dbsecret = coalesce .db.existingSecret.name (include "alfresco-repository.fullname" $dbsecretCtx) }}
+            {{- $mqsecretCtx = dict "Values" (dict "nameOverride" "secret-mq") "Chart" $.Chart "Release" $.Release }}
+            {{- $mqsecret = coalesce .messageBroker.existingSecret.name (include "alfresco-repository.fullname" $mqsecretCtx) }}
+            {{- $mqconfigCtx = dict "Values" (dict "nameOverride" "configmap-mq") "Chart" $.Chart "Release" $.Release }}
+            {{- $mqconfig = coalesce .messageBroker.existingConfigMap.name (include "alfresco-repository.fullname" $mqconfigCtx) }}
+          {{- end }}
           env:
             - name: DATABASE_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: {{ $dbsecret }}
-                  key: {{ .Values.db.existingSecret.keys.username }}
+                  key: {{ .Values.configuration.db.existingSecret.keys.username }}
             - name: DATABASE_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ $dbsecret }}
-                  key: {{ .Values.db.existingSecret.keys.password }}
+                  key: {{ .Values.configuration.db.existingSecret.keys.password }}
           {{- range .Values.configuration.repository.existingSecrets }}
            {{- if not (eq "acs-license" .purpose) }}
              {{- $repoSecretsKeyRef := dict "name" .name "key" .key }}
@@ -103,6 +120,9 @@ spec:
             - name: http
               containerPort: {{ .Values.image.port }}
               protocol: TCP
+            - name: hazelcast
+              containerPort: {{ .Values.configuration.hz.port }}
+              protocol: TCP
           startupProbe:
             {{- toYaml .Values.startupProbe | nindent 12 }}
           livenessProbe:
@@ -155,6 +175,7 @@ spec:
         {{- if .Values.extraVolumes }}
         {{- tpl (.Values.extraVolumes | toYaml) . | nindent 8 }}
         {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | indent 8 }}

charts/alfresco-repository/templates/secret-database.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.db.existingSecret.name }}
+{{- if not .Values.configuration.db.existingSecret.name }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,6 +10,6 @@ metadata:
 type: Opaque
 {{- $reqmsg := "Either provide database credentiasl as values, or provide a secret that contains them." }}
 data:
-  DATABASE_USERNAME: {{ required $reqmsg .Values.db.username | b64enc | quote }}
-  DATABASE_PASSWORD: {{ required $reqmsg .Values.db.password | b64enc | quote }}
+  DATABASE_USERNAME: {{ required $reqmsg .Values.configuration.db.username | b64enc | quote }}
+  DATABASE_PASSWORD: {{ required $reqmsg .Values.configuration.db.password | b64enc | quote }}
 {{- end }}

charts/alfresco-repository/tests/configmap_test.yaml

@@ -59,8 +59,9 @@ tests:
 
   - it: should render PostgreSQL properties
     set:
-      db:
-        url: postgresql://pghost/alfdb
+      configuration:
+        db:
+          url: postgresql://pghost/alfdb
     asserts:
       - matchRegex:
           path: data.CATALINA_OPTS
@@ -73,8 +74,9 @@ tests:
 
   - it: should render MS SQL server properties
     set:
-      db:
-        url: sqlserver://sqlservrhost;databaseName=alfdb;lockTimeout=1000;
+      configuration:
+        db:
+          url: sqlserver://sqlservrhost;databaseName=alfdb;lockTimeout=1000;
     asserts:
       - matchRegex:
           path: data.CATALINA_OPTS
@@ -87,8 +89,9 @@ tests:
 
   - it: should render Oracle properties
     set:
-      db:
-        url: oracle:thin:@tcp://mydbhost:1521/mydbservice
+      configuration:
+        db:
+          url: oracle:thin:@tcp://mydbhost:1521/mydbservice
     asserts:
       - matchRegex:
           path: data.CATALINA_OPTS
@@ -101,8 +104,9 @@ tests:
 
   - it: should fail without proper db URL
     set:
-      db:
-        url: jdbc:mysql://myhost/db
+      configuration:
+        db:
+          url: jdbc:mysql://myhost/db
     asserts:
       - failedTemplate:
           errorMessage: >-

charts/alfresco-repository/tests/deployment_test.yaml

@@ -70,35 +70,37 @@ tests:
           path: spec.template.spec.initContainers[0].command
           content: |
             until nc -w1 myhost1:1111
-            do echo "waiting for mysql database on myhost1:1111"
+            do echo 'waiting for mysql database on myhost1:1111'
               sleep 2
             done
         template: deployment.yaml
 
   - it: should render MSSQL sockets
     set:
-      db:
-        url: sqlserver://localhost;encrypt=true;databaseName=AdventureWorks;integratedSecurity=true;
+      configuration:
+        db:
+          url: sqlserver://localhost;encrypt=true;databaseName=AdventureWorks;integratedSecurity=true;
     asserts:
       - contains:
           path: spec.template.spec.initContainers[0].command
           content: |
             until nc -w1 localhost:1434
-            do echo "waiting for sqlserver database on localhost:1434"
+            do echo 'waiting for sqlserver database on localhost:1434'
               sleep 2
             done
         template: deployment.yaml
 
   - it: should render Oracle sockets
     set:
-      db:
-        url: oracle:thin:@tcp://mydbhost:1521/mydbservice
+      configuration:
+        db:
+          url: oracle:thin:@tcp://mydbhost:1521/mydbservice
     asserts:
       - contains:
           path: spec.template.spec.initContainers[0].command
           content: |
             until nc -w1 mydbhost:1521
-            do echo "waiting for oracle database on mydbhost:1521"
+            do echo 'waiting for oracle database on mydbhost:1521'
               sleep 2
             done
         template: deployment.yaml

charts/alfresco-repository/tests/secrets_test.yaml

@@ -12,21 +12,23 @@ tests:
             Either provide database credentiasl as values, or provide a secret that contains them.
   - it: should not render template
     set:
-      db:
-        existingSecret:
-          name: pgsecrets
-        username: pguser
-        password: pgpass
+      configuration:
+        db:
+          existingSecret:
+            name: pgsecrets
+          username: pguser
+          password: pgpass
     asserts:
       - hasDocuments:
           count: 0
   - it: should not render template
     set:
-      db:
-        existingSecret:
-          name: null
-        username: alfresco
-        password: alfresco
+      configuration:
+        db:
+          existingSecret:
+            name: null
+          username: alfresco
+          password: alfresco
     asserts:
       - equal:
           path: data.DATABASE_USERNAME

charts/alfresco-repository/tests/values/test_values.yaml

@@ -1,5 +1,5 @@
-db:
-  url: mysql://sandy:secret@myhost1:1111
 configuration:
   messageBroker:
     url: failover:(tcp://localhost:61616)
+  db:
+    url: mysql://sandy:secret@myhost1:1111