diff --git a/charts/alfresco-search-service/Chart.yaml b/charts/alfresco-search-service/Chart.yaml index 1410c6f3..ed606b72 100644 --- a/charts/alfresco-search-service/Chart.yaml +++ b/charts/alfresco-search-service/Chart.yaml @@ -15,7 +15,7 @@ keywords: name: alfresco-search-service sources: - https://github.com/Alfresco/alfresco-helm-charts -version: 2.0.0-alpha.1 +version: 2.0.0-alpha.2 appVersion: 2.0.8 dependencies: - name: alfresco-insight-zeppelin diff --git a/charts/alfresco-search-service/README.md b/charts/alfresco-search-service/README.md index f9119a50..b5ede60a 100644 --- a/charts/alfresco-search-service/README.md +++ b/charts/alfresco-search-service/README.md @@ -1,6 +1,6 @@ # alfresco-search-service -![Version: 2.0.0-alpha.1](https://img.shields.io/badge/Version-2.0.0--alpha.1-informational?style=flat-square) ![AppVersion: 2.0.8](https://img.shields.io/badge/AppVersion-2.0.8-informational?style=flat-square) +![Version: 2.0.0-alpha.2](https://img.shields.io/badge/Version-2.0.0--alpha.2-informational?style=flat-square) ![AppVersion: 2.0.8](https://img.shields.io/badge/AppVersion-2.0.8-informational?style=flat-square) A Helm chart for deploying Alfresco Search Service 
@@ -23,13 +23,9 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | Key | Type | Default | Description | |-----|------|---------|-------------| -| PvNodeAffinity | string | `nil` | Define PVNodeAffinity for scheduling SOLR | -| affinity | string | `nil` | Define Affinity for scheduling SOLR | | alfresco-insight-zeppelin.enabled | bool | `false` | | | environment.SOLR_CREATE_ALFRESCO_DEFAULTS | string | `"alfresco,archive"` | | | global.alfrescoRegistryPullSecrets | string | `"quay-registry-secret"` | | -| global.tracking.auth | string | `"secret"` | Select how solr and repo authenticate to each other none: work only prior to acs 7.2 (and was the default) secret: use a shared secret (to specify using `tracking.sharedsecret`) https: to use mTLS auth (require appropriate certificate configuration) | -| global.tracking.sharedsecret | string | `nil` | Shared secret to authenticate repo/solr traffic | | ingress.annotations | object | `{"nginx.ingress.kubernetes.io/auth-realm":"Authentication Required - Alfresco Search Services","nginx.ingress.kubernetes.io/auth-type":"basic","nginx.ingress.kubernetes.io/whitelist-source-range":"0.0.0.0/0"}` | nginx ingress annotations (see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations) | | ingress.basicAuth | string | `nil` | Default solr basic auth user/password: admin / admin You can create your own with htpasswd utilility & encode it with base640. Example: `echo -n "$(htpasswd -nbm admin admin)" | base64 | tr -d '\n'` basicAuth: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg== | | ingress.enabled | bool | `false` | Expose the solr admin console behind basic auth | 
@@ -61,10 +57,12 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | readinessProbe.timeoutSeconds | int | `10` | | | repository.existingConfigMap.keys.host | string | `"SOLR_ALFRESCO_HOST"` | Key within the configmap holding the repository hostname | | repository.existingConfigMap.keys.port | string | `"SOLR_ALFRESCO_PORT"` | Key within the configmap holding the repository port | -| repository.existingConfigMap.keys.securecomms | string | `"SOLR_ALFRESCO_SECURE_COMMS"` | Key within the configmap holding the repository seucirty level | +| repository.existingConfigMap.keys.securecomms | string | `"SOLR_ALFRESCO_SECURE_COMMS"` | Key within the configmap holding the repository security level | | repository.existingConfigMap.name | string | `nil` | Name of a pre-existing configmap containing Alfresco repository URL In addition to tjhe keys mentionned bellow the configMap may contain any solr property translated as an env variable (e.g SOLR_ALFRESCO_BASEURL). | -| repository.existingSecret.keys.password | string | `"SOLR_SECRET"` | Key within the secret holding the repository shared secret | +| repository.existingSecret.keys.sharedSecret | string | `"SOLR_ALFRESCO_SECURECOMMS_SECRET"` | Key within the secret holding the repository shared secret | | repository.existingSecret.name | string | `nil` | Name of a pre-existing secret containing message broker credentials | +| repository.securecomms | string | `"secret"` | repository security level to use when tracking the repo ('none' or 'secret') | +| repository.sharedSecret | string | `nil` | Secret shared with the repository when securecomms is set to 'secret' | | repository.url | string | `"http://alfresco-search-service/solr"` | Alfresco repository URL | | resources.limits.cpu | string | `"4"` | | | resources.limits.memory | string | `"2000Mi"` | | 
@@ -76,5 +74,4 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | searchServicesImage.tag | string | `"2.0.8"` | |
 | service.name | string | `"solr"` | |
 | service.type | string | `"ClusterIP"` | |
-| tolerations | string | `nil` | Define Tolerations for scheduling SOLR |
 | type | string | `"search-services"` | set alfresco-insight-zeppelin.enabled=true As the Docker Image for Insight Engine is not publicly available the alfrescoRegistryPullSecrets has to be set More information can be found on https://github.com/Alfresco/acs-deployment/blob/master/docs/helm/registry-authentication.md |
diff --git a/charts/alfresco-search-service/ci/default-values.yaml b/charts/alfresco-search-service/ci/default-values.yaml
index 33da59f6..2e0fdc99 100644
--- a/charts/alfresco-search-service/ci/default-values.yaml
+++ b/charts/alfresco-search-service/ci/default-values.yaml
@@ -2,6 +2,5 @@ alfresco-insight-zeppelin:
   nameOverride: zeppelin
   enabled: true
-global:
-  tracking:
-    sharedsecret: dummy
+repository:
+  sharedSecret: dummy
diff --git a/charts/alfresco-search-service/templates/NOTES.txt b/charts/alfresco-search-service/templates/NOTES.txt
old mode 100755
new mode 100644
diff --git a/charts/alfresco-search-service/templates/_helpers.tpl b/charts/alfresco-search-service/templates/_helpers.tpl
old mode 100755
new mode 100644
index 694d2e89..9ef21d5d
--- a/charts/alfresco-search-service/templates/_helpers.tpl
+++ b/charts/alfresco-search-service/templates/_helpers.tpl
@@ -1,3 +1,10 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "alfresco-search-service.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -67,3 +74,41 @@ Get Alfresco Search Docker Image
 {{- printf "%s:%s" .Values.searchServicesImage.repository .Values.searchServicesImage.tag }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "alfresco-search-service.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "alfresco-search-service.labels" -}}
+helm.sh/chart: {{ include "alfresco-search-service.chart" . }}
+{{ include "alfresco-search-service.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "alfresco-search-service.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "alfresco-search-service.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "alfresco-search-service.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "alfresco-search-service.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/alfresco-search-service/templates/config.yaml b/charts/alfresco-search-service/templates/config.yaml
old mode 100755
new mode 100644
index 32549436..b86c95a0
--- a/charts/alfresco-search-service/templates/config.yaml
+++ b/charts/alfresco-search-service/templates/config.yaml
@@ -17,5 +17,5 @@ data:
   {{ template "alfresco-common.url.port" .url }}
   {{- end }}
   SOLR_ALFRESCO_SECURE_COMMS: >-
-    {{ .Values.global.tracking.auth | default "secret" }}
+    {{ .Values.repository.securecomms }}
   {{- end }}
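Review bot: The new `alfresco-search-service.serviceAccountName` helper dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but none of the values.yaml hunks in this commit introduce a `serviceAccount` block; if that key does not exist elsewhere in values.yaml (I cannot see the whole file), the first `include` of this helper fails with a nil-pointer template error instead of reaching the `default` fallbacks. Either add `serviceAccount: {create: false, name: ""}` to values.yaml or leave the helper out until a service account is actually wired in. The `labels` helper emits five lines, which its header comment should say so callers use `include ... | nindent N` rather than `template`: `Common labels (multi-line output; consume with include ... | nindent N)`.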
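Review bot: The rewritten `SOLR_ALFRESCO_SECURE_COMMS` value drops the `| default "secret"` fallback, so a values file that sets `repository.securecomms` to null or an empty string renders an empty folded scalar into the ConfigMap, while the same value gates the Secret in secret-repository.yaml and the env injection in deployment.yaml; the three can then silently disagree on whether the shared secret is in use. Keep the fallback, or better fail early at render time: `{{ required "repository.securecomms must be 'none' or 'secret'" .Values.repository.securecomms }}`. The trailing `{{- end }}` closes a block that opens above the hunk.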
diff --git a/charts/alfresco-search-service/templates/deployment.yaml b/charts/alfresco-search-service/templates/deployment.yaml
old mode 100755
new mode 100644
index c837c11c..28e80fa6
--- a/charts/alfresco-search-service/templates/deployment.yaml
+++ b/charts/alfresco-search-service/templates/deployment.yaml
@@ -43,10 +43,18 @@ spec:
           image: {{ template "alfresco-search.dockerImage" . }}
           imagePullPolicy: {{ template "alfresco-search.pullPolicy" . }}
           {{- include "component-security-context" .Values | indent 8 }}
-          {{- $cmCtx := dict "Values" (dict "nameOverride" (printf "%s-repository" $.Chart.Name )) "Chart" $.Chart "Release" $.Release }}
-          {{- $cm := coalesce .Values.repository.existingConfigMap.name (include "alfresco-search-service.fullname" $cmCtx) }}
+          {{- $repoCtx := dict "Values" (dict "nameOverride" (printf "%s-repository" $.Chart.Name )) "Chart" $.Chart "Release" $.Release }}
+          {{- $cm := coalesce .Values.repository.existingConfigMap.name (include "alfresco-search-service.fullname" $repoCtx) }}
+          {{- $secret := coalesce .Values.repository.existingSecret.name (include "alfresco-search-service.fullname" $repoCtx) }}
           env:
           {{- with .Values.repository }}
+          {{- if eq .securecomms "secret" }}
+            - name: SOLR_ALFRESCO_SECURECOMMS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret }}
+                  key: {{ index .existingSecret.keys "sharedSecret" }}
+          {{- end }}
             - name: SOLR_ALFRESCO_HOST
               valueFrom:
                 configMapKeyRef:
@@ -77,10 +85,6 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ $cm }}
-          {{- if eq .Values.global.tracking.auth "secret" }}
-            - secretRef:
-                name: {{ template "alfresco-search-service.fullname" . }}-solr-jtoolopts
-          {{- end }}
           ports:
             - containerPort: {{ template "alfresco-search.containerPort" . }}
           resources: {{- toYaml .Values.resources | nindent 12 }}
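Review bot: `$secret` falls back to the chart-managed name (`fullname` of `$repoCtx`) whenever `repository.existingSecret.name` is unset, but the new secret-repository.yaml on this page only renders that Secret when `repository.existingConfigMap.name` is also unset; with `securecomms: secret`, an `existingConfigMap.name` and no `existingSecret.name`, the container's `secretKeyRef` points at a Secret the chart never creates and the pod sits in CreateContainerConfigError. The Secret's existence should depend only on `existingSecret.name` and `securecomms`; in secret-repository.yaml change the second guard to `{{- if eq "secret" .Values.repository.securecomms }}`, or, if the coupling is intentional, document it on `existingConfigMap.name` in values.yaml. The `{{- with .Values.repository }}` block opened here closes below the hunk.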
@@ -89,26 +93,32 @@ spec:
               mountPath: {{ .Values.persistence.search.data.mountPath }}
               subPath: {{ .Values.persistence.search.data.subPath }}
           readinessProbe:
-            httpGet:
-              path: /solr/alfresco/admin/ping
-              port: {{ template "alfresco-search.containerPort" . }}
-            {{- if eq .Values.global.tracking.auth "secret" }}
-              httpHeaders:
-                - name: X-Alfresco-Search-Secret
-                  value: "{{ .Values.global.tracking.sharedsecret }}"
-            {{- end }}
+            exec:
+              command:
+                - sh
+                - -c
+                - >-
+                  [
+                  $(
+                  curl -sH "X-Alfresco-Search-Secret: $SOLR_ALFRESCO_SECURECOMMS_SECRET" http://localhost:{{ template "alfresco-search.containerPort" . }}/solr/alfresco/admin/ping
+                  | xmllint --xpath '/response/str[@name="status"]/text()' -
+                  )
+                  = "OK" ]
             initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
             timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
           livenessProbe:
-            httpGet:
-              path: /solr/admin/info/system
-              port: {{ template "alfresco-search.containerPort" . }}
-            {{- if eq .Values.global.tracking.auth "secret" }}
-              httpHeaders:
-                - name: X-Alfresco-Search-Secret
-                  value: "{{ .Values.global.tracking.sharedsecret }}"
-            {{- end }}
+            exec:
+              command:
+                - sh
+                - -c
+                - >-
+                  [
+                  $(
+                  curl -sH "X-Alfresco-Search-Secret: $SOLR_ALFRESCO_SECURECOMMS_SECRET" http://localhost:{{ template "alfresco-search.containerPort" . }}/solr/admin/info/system
+                  | xmllint --xpath '/response/lst/int[@name="status"]/text()' -
+                  )
+                  -eq 0 ]
             initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
             failureThreshold: 1
diff --git a/charts/alfresco-search-service/templates/ingress.yaml b/charts/alfresco-search-service/templates/ingress.yaml
old mode 100755
new mode 100644
diff --git a/charts/alfresco-search-service/templates/pvc.yaml b/charts/alfresco-search-service/templates/pvc.yaml
old mode 100755
new mode 100644
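Review bot: Both exec probes expand `$SOLR_ALFRESCO_SECURECOMMS_SECRET` into a `curl -H` argument, so while each probe runs the shared secret is readable from the process list (`/proc/<pid>/cmdline`) by anything sharing the container's PID namespace; the old `httpGet` form placed it in the Pod spec itself, so this is a clear improvement, but it is not the end state. Passing the header through curl's config-from-stdin keeps it out of argv with a one-line change per probe: `printf 'header = "X-Alfresco-Search-Secret: %s"\n' "$SOLR_ALFRESCO_SECURECOMMS_SECRET" | curl -s -K - http://localhost:<port>/solr/alfresco/admin/ping`. Separately, `curl -s` without `-f` exits 0 on an HTTP 401 or 500 and the verdict then depends on xmllint choking on the error body; `-sf` makes that failure explicit. The two commands differ only in path and XPath and are candidates for a named template, and they assume `curl` and `xmllint` exist in the search image, which this diff cannot confirm.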
diff --git a/charts/alfresco-search-service/templates/secret-ingress.yaml b/charts/alfresco-search-service/templates/secret-ingress.yaml
old mode 100755
new mode 100644
diff --git a/charts/alfresco-search-service/templates/secret-repository.yaml b/charts/alfresco-search-service/templates/secret-repository.yaml
new file mode 100644
index 00000000..ccf31a87
--- /dev/null
+++ b/charts/alfresco-search-service/templates/secret-repository.yaml
@@ -0,0 +1,15 @@
+{{- if (not .Values.repository.existingSecret.name) }}
+{{- if and (eq "secret" .Values.repository.securecomms) (not .Values.repository.existingConfigMap.name) }}
+apiVersion: v1
+kind: Secret
+metadata: {{- $ctx := dict "Values" (dict "nameOverride" (printf "%s-repository" $.Chart.Name )) "Chart" $.Chart "Release" $.Release }}
+  name: {{ template "alfresco-search-service.fullname" $ctx }}
+  labels:
+    {{ template "alfresco-search-service.labels" . }}
+type: Opaque
+data:
+  {{- $reqmsg := "Please provide a shared secret for solr and repository in value repository.sharedSecret" }}
+  {{- $shared_secret := required $reqmsg (index .Values.repository "sharedSecret") }}
+  SOLR_ALFRESCO_SECURECOMMS_SECRET: {{ $shared_secret | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/alfresco-search-service/templates/secret-solr-jtoolopt.yaml b/charts/alfresco-search-service/templates/secret-solr-jtoolopt.yaml
deleted file mode 100644
index 43759569..00000000
--- a/charts/alfresco-search-service/templates/secret-solr-jtoolopt.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if eq .Values.global.tracking.auth "secret" }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "alfresco-search-service.fullname" . }}-solr-jtoolopts
-  labels:
-    app: {{ template "alfresco-search-service.fullname" . }}-solr
-    release: {{ .Release.Name }}
-type: Opaque
-data:
-  JAVA_TOOL_OPTIONS: {{ printf "-Dalfresco.secureComms.secret=%s " (include "tracking-shared-secret" .) | b64enc | quote }}
-{{- end }}
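Review bot: `{{ template "alfresco-search-service.labels" . }}` under `labels:` is indented only on its first emitted line; the helper added in _helpers.tpl on this page emits several lines, so `app.kubernetes.io/name` and the labels after it land at column 0 and become unknown top-level fields of the Secret rather than labels (a strict-validation apply rejects the manifest, a lenient one drops the labels). Use `{{- include "alfresco-search-service.labels" . | nindent 4 }}`; `template` cannot be piped through `nindent`. The `required` guard is the right shape: a missing `repository.sharedSecret` fails at render time instead of producing an empty Secret, and `$reqmsg` does not echo the value. The comment block above `metadata:` would read more clearly with `$ctx` defined on its own line before `metadata:`.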
diff --git a/charts/alfresco-search-service/templates/service.yaml b/charts/alfresco-search-service/templates/service.yaml
old mode 100755
new mode 100644
diff --git a/charts/alfresco-search-service/tests/secret-ingress_test.yaml b/charts/alfresco-search-service/tests/secret-ingress_test.yaml
deleted file mode 100644
index eaf250ec..00000000
--- a/charts/alfresco-search-service/tests/secret-ingress_test.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-suite: test solr ingress secret
-templates:
-  - secret-ingress.yaml
-tests:
-  - it: should have credentials in the default ingress secret
-    values: &testvalues
-      - values/test_values.yaml
-      - values/ingress.yaml
-    set:
-      ingress.existingSecretName: null
-    asserts:
-      - equal:
-          path: data.auth
-          value: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg==
-        template: secret-ingress.yaml
-
-  - it: should not render ingress secret when ingress is disabled
-    values: *testvalues
-    set:
-      ingress:
-        enabled: false
-    asserts:
-      - hasDocuments:
-          count: 0
-        template: secret-ingress.yaml
-
-  - it: should not render ingress secret when and existing secret name is set
-    values: *testvalues
-    set:
-      ingress:
-        existingSecretName: my-custom-secret
-    asserts:
-      - hasDocuments:
-          count: 0
-        template: secret-ingress.yaml
diff --git a/charts/alfresco-search-service/tests/secret-solr-jtoolopt_test.yaml b/charts/alfresco-search-service/tests/secret-solr-jtoolopt_test.yaml
deleted file mode 100644
index afa188f3..00000000
--- a/charts/alfresco-search-service/tests/secret-solr-jtoolopt_test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-suite: test solr java_tool_options secret
-templates:
-  - secret-solr-jtoolopt.yaml
-tests:
-  - it: should have credentials in the ingress secret
-    values: &testvalues
-      - values/test_values.yaml
-    asserts:
-      - equal:
-          path: data.JAVA_TOOL_OPTIONS
-          value: LURhbGZyZXNjby5zZWN1cmVDb21tcy5zZWNyZXQ9ZHVtbXkg
-        template: secret-solr-jtoolopt.yaml
-
-  - it: should not render ingress secret when ingress is disabled
-    values: *testvalues
-    set:
-      global.tracking.auth: none
-    asserts:
-      - hasDocuments:
-          count: 0
-        template: secret-solr-jtoolopt.yaml
diff --git a/charts/alfresco-search-service/tests/secrets_test.yaml b/charts/alfresco-search-service/tests/secrets_test.yaml
new file mode 100644
index 00000000..baf6fa9d
--- /dev/null
+++ b/charts/alfresco-search-service/tests/secrets_test.yaml
@@ -0,0 +1,66 @@
+---
+suite: test solr secrets
+templates:
+  - secret-ingress.yaml
+  - secret-repository.yaml
+tests:
+  - it: should have credentials in the default ingress secret
+    values: &testvalues
+      - values/test_values.yaml
+      - values/ingress.yaml
+    set:
+      ingress.existingSecretName: null
+    template: secret-ingress.yaml
+    asserts:
+      - equal:
+          path: data.auth
+          value: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg==
+
+  - it: should not render ingress secret when ingress is disabled
+    values: *testvalues
+    set:
+      ingress:
+        enabled: false
+    template: secret-ingress.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not render ingress secret when and existing secret name is set
+    values: *testvalues
+    set:
+      ingress:
+        existingSecretName: my-custom-secret
+    template: secret-ingress.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render the shared secret from values
+    values: *testvalues
+    template: secret-repository.yaml
+    asserts:
+      - equal:
+          path: data.SOLR_ALFRESCO_SECURECOMMS_SECRET
+          value: "ZHVtbXk="
+
+  - it: should not render a shared secret if securecomms is not set to "secret"
+    values: *testvalues
+    set:
+      repository:
+        securecomms: none
+    template: secret-repository.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: should not render a shared secret if securecomms is not set to "secret"
+    values: *testvalues
+    set:
+      repository:
+        securecomms: secret
+        existingSecret:
+          name: mysecret
+    template: secret-repository.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
diff --git a/charts/alfresco-search-service/tests/values/test_values.yaml b/charts/alfresco-search-service/tests/values/test_values.yaml
index 6968a5a1..0c2fdbd7 100644
--- a/charts/alfresco-search-service/tests/values/test_values.yaml
+++ b/charts/alfresco-search-service/tests/values/test_values.yaml
@@ -1,5 +1,3 @@
 ---
-global:
-  tracking:
-    sharedsecret: dummy
-  alfrescoRegistryPullSecrets: secretsecret
+repository:
+  sharedSecret: dummy
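Review bot: The last two cases carry the same `it:` text, `should not render a shared secret if securecomms is not set to "secret"`, but the final one sets `securecomms: secret` with `existingSecret.name: mysecret`, so its name misdescribes what it checks; rename it `should not render a shared secret when an existing secret name is set`. No case asserts on `metadata.labels` or `metadata.name` of secret-repository.yaml, so a labels block that renders at the wrong indentation passes this suite; an `isNotEmpty` on `path: metadata.labels` in the `should render the shared secret from values` case would catch it. A case with `existingConfigMap.name` set and `existingSecret.name` unset would also pin down whether the chart-managed Secret is meant to exist in that configuration, which the deployment template on this page assumes.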
diff --git a/charts/alfresco-search-service/values.yaml b/charts/alfresco-search-service/values.yaml
index 426d14b1..9116340b 100644
--- a/charts/alfresco-search-service/values.yaml
+++ b/charts/alfresco-search-service/values.yaml
@@ -64,12 +64,16 @@ ingress:
 repository:
   # -- Alfresco repository URL
   url: http://alfresco-search-service/solr
+  # -- repository security level to use when tracking the repo ('none' or 'secret')
+  securecomms: secret
+  # -- Secret shared with the repository when securecomms is set to 'secret'
+  sharedSecret: null
   existingSecret:
     # -- Name of a pre-existing secret containing message broker credentials
     name: null
     keys:
       # -- Key within the secret holding the repository shared secret
-      password: SOLR_SECRET
+      sharedSecret: SOLR_ALFRESCO_SECURECOMMS_SECRET
   existingConfigMap:
     # -- Name of a pre-existing configmap containing Alfresco repository URL
     # In addition to tjhe keys mentionned bellow the configMap may contain any
@@ -80,7 +84,7 @@ repository:
       host: SOLR_ALFRESCO_HOST
       # -- Key within the configmap holding the repository port
       port: SOLR_ALFRESCO_PORT
-      # -- Key within the configmap holding the repository seucirty level
+      # -- Key within the configmap holding the repository security level
       securecomms: SOLR_ALFRESCO_SECURE_COMMS
 environment:
   SOLR_CREATE_ALFRESCO_DEFAULTS: alfresco,archive
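Review bot: The context comment on `existingSecret.name` still reads `Name of a pre-existing secret containing message broker credentials`, which describes another chart's secret; this block now holds the repository/solr shared secret, and the same wording is repeated in the README table on this page. Suggest `# -- Name of a pre-existing secret holding the repository shared secret; prefer this over repository.sharedSecret so the value stays out of values files and release history`, since a value given in `sharedSecret` is stored with the release like any other value. The new `securecomms` comment lists only `none` and `secret`, whereas the removed `global.tracking.auth` comment also described `https`; if mTLS tracking is no longer supported by this chart, say so in the comment rather than leaving the option silently gone.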
@@ -124,38 +128,6 @@ initContainer:
       memory: "5Mi"
     limits:
       memory: "10Mi"
+
 global:
-  tracking:
-    # -- Select how solr and repo authenticate to each other
-    # none: work only prior to acs 7.2 (and was the default)
-    # secret: use a shared secret (to specify using `tracking.sharedsecret`)
-    # https: to use mTLS auth (require appropriate certificate configuration)
-    auth: secret
-    # -- Shared secret to authenticate repo/solr traffic
-    sharedsecret: null
   alfrescoRegistryPullSecrets: quay-registry-secret
-# -- Define Affinity for scheduling SOLR
-affinity:
-# nodeAffinity:
-# requiredDuringSchedulingIgnoredDuringExecution:
-# nodeSelectorTerms:
-# - matchExpressions:
-# - key: "SolrMasterOnly"
-# operator: In
-# values:
-# - "true"
-# -- Define Tolerations for scheduling SOLR
-tolerations:
-# - key: "SolrMasterOnly"
-# operator: "Equal"
-# value: "true"
-# effect: "NoSchedule"
-# -- Define PVNodeAffinity for scheduling SOLR
-PvNodeAffinity:
-# required:
-# nodeSelectorTerms:
-# - matchExpressions:
-# - key: "SolrMasterOnly"
-# operator: In
-# values:
-# - "true"