From 25129d3a699477c4a6b6fd32f095cb08c3838538 Mon Sep 17 00:00:00 2001
From: Edward Park
Date: Mon, 12 Aug 2024 21:56:26 -0500
Subject: [PATCH 1/4] chore(prefect-worker): add docs detail on existingConfigMap (#371)
---
 charts/prefect-worker/README.md | 2 +-
 charts/prefect-worker/README.md.gotmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/prefect-worker/README.md b/charts/prefect-worker/README.md
index 77ef85f..2d29a9d 100644
--- a/charts/prefect-worker/README.md
+++ b/charts/prefect-worker/README.md
@@ -219,7 +219,7 @@ If a base job template is set through Helm (via either `.Values.worker.config.ba
 Any time the base job template is updated, the subsequent `initContainer` run will run `prefect work-pool update --base-job-template ` and sync this template to the API.
-Please note that updating JSON inside of a `baseJobTemplate.existingConfigMapName` will require a manual restart of the `prefect-worker` Deployment in order to kick off the `initContainer`. However, updating the `baseJobTemplate.configuration` value will automatically roll the Deployment.
+Please note that configuring the template via `baseJobTemplate.existingConfigMapName` will require a manual restart of the `prefect-worker` Deployment in order to kick off the `initContainer` - alternatively, you can use a tool like [reloader](https://github.com/stakater/Reloader) to automatically restart an associated Deployment. However, configuring the template via `baseJobTemplate.configuration` value will automatically roll the Deployment on any update.
 ## Maintainers
diff --git a/charts/prefect-worker/README.md.gotmpl b/charts/prefect-worker/README.md.gotmpl
index 5891e67..8937531 100644
--- a/charts/prefect-worker/README.md.gotmpl
+++ b/charts/prefect-worker/README.md.gotmpl
@@ -219,7 +219,7 @@ If a base job template is set through Helm (via either `.Values.worker.config.ba
 Any time the base job template is updated, the subsequent `initContainer` run will run `prefect work-pool update --base-job-template ` and sync this template to the API.
-Please note that updating JSON inside of a `baseJobTemplate.existingConfigMapName` will require a manual restart of the `prefect-worker` Deployment in order to kick off the `initContainer`. However, updating the `baseJobTemplate.configuration` value will automatically roll the Deployment.
+Please note that configuring the template via `baseJobTemplate.existingConfigMapName` will require a manual restart of the `prefect-worker` Deployment in order to kick off the `initContainer` - alternatively, you can use a tool like [reloader](https://github.com/stakater/Reloader) to automatically restart an associated Deployment. However, configuring the template via `baseJobTemplate.configuration` value will automatically roll the Deployment on any update.
 {{ template "chart.maintainersSection" . }}
From bfe341a8706360b7dca04a39c76bbaf8b4a2b750 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen Date: Tue, 13 Aug 2024 13:40:04 -0500 Subject: [PATCH 2/4] fix(prefect-server): better support for internal and external database configs (#365) * Create PostgreSQL Secret even if postgresql.enabled=false Ensures that the PostgreSQL Secret is created, even if `postgresql.enabled=false`. This ensures that we support a use case where folks want to use an external instance of PostgreSQL, but still want the Secret to automatically be generated with the proper connection string. With a recent change, we would skip creation of this secret if PostgreSQL was disabled which forced users to create a Secret themselves. This change now allows them to continue providing the `auth` values and letting the chart build the Secret with the correct connection string. Closes https://github.com/PrefectHQ/prefect-helm/issues/358 * Remove custom config from postgresql subchart The `postgresql` key in `values.yaml` is for overriding the PostgreSQL chart's default values. It's not a good place to define custom keys because these are conflated with the actual configuration from the subchart. This changes removes those custom configs. It also removes any configured values that already matched the default from the PostgreSQL subchart, and were therefore not doing anything. * Support providing external connection string When the PostgreSQL subchart is disabled, we need a way to provide the connection string information for the external instance. This adds the required values and template helpers to calculate the connection string in this scenario. * Support setting name and creation of Secret - Supports setting the name to use for the Secret - Supports controlling whether or not to create the Secret - Supports someone providing their own existing Secret * Add helm unit tests for database configuration Uses https://github.com/helm-unittest/helm-unittest to unit test the database configuration. 
This is a replacement for coming up with test cases locally, running `helm template`, and manually validating the output. * Add script and CI workflow for helm-unittest - Adds script to run helm-unittest locally - Adds CI workflow to run helm-unittest in GitHub Actions * Update README for new external db configuration Updates the README to reflect the new configuration for external databases. * Add helm/chart-testing to mise Installs the helm/chart-testing binary at its latest version. Needed for the tests defined under `charts//tests/test-*.yaml`. * Mention how to run the `helm-unittest` helper
---
 .github/workflows/helm-unittest.yaml | 20 ++++
 .mise.toml | 1 +
 README.md | 13 +++
 charts/prefect-server/.helmignore | 2 +
 charts/prefect-server/README.md | 52 ++++++---
 charts/prefect-server/README.md.gotmpl | 41 ++++---
 charts/prefect-server/templates/_helpers.tpl | 82 +++++++++++--
 charts/prefect-server/templates/secret.yaml | 2 +-
 .../prefect-server/tests/database_test.yaml | 108 +++++++++++++++++
 charts/prefect-server/values.schema.json | 109 ------------------
 charts/prefect-server/values.yaml | 40 +++----
 scripts/helm_unittest.sh | 21 ++++
 12 files changed, 322 insertions(+), 169 deletions(-)
 create mode 100644 .github/workflows/helm-unittest.yaml
 create mode 100644 charts/prefect-server/tests/database_test.yaml
 create mode 100755 scripts/helm_unittest.sh
diff --git a/.github/workflows/helm-unittest.yaml b/.github/workflows/helm-unittest.yaml
new file mode 100644
index 0000000..e0f523b
--- /dev/null
+++ b/.github/workflows/helm-unittest.yaml
@@ -0,0 +1,20 @@
+# https://github.com/marketplace/actions/helm-unit-tests
+
+name: Run Helm unit tests
+
+on: pull_request
+
+# Do not grant jobs any permissions by default
+permissions: {}
+
+jobs:
+ unittest:
+ runs-on: ubuntu-latest
+ permissions:
+ # required to read from the repo
+ contents: read
+ steps:
+ - uses: actions/checkout@v3
+ - uses: d3adb5/helm-unittest-action@v2
+ with:
+ helm-version: v3.15.3
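Review bot: The third-party action on the last `uses:` line, `d3adb5/helm-unittest-action@v2`, is referenced by a movable tag, so whoever controls that tag controls the code this job runs on every pull request. Pin it to the full commit SHA of the release you reviewed and keep the tag as a trailing comment, e.g. `- uses: d3adb5/helm-unittest-action@<full-commit-sha>  # v2`. The same pinning can be applied to `actions/checkout@v3`. The empty top-level `permissions: {}` with a job-level `contents: read` already limits what the job token can do and is worth keeping as written.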
diff --git a/.mise.toml b/.mise.toml index 394e475..141de49 100644 --- a/.mise.toml +++ b/.mise.toml @@ -2,3 +2,4 @@ helm-docs = '1.13.1' pre-commit = '3.7.1' helm = '3.15' +helm-ct = '3.11.0' diff --git a/README.md b/README.md index 8df21a1..711888f 100644 --- a/README.md +++ b/README.md @@ -211,6 +211,19 @@ Please make sure that your changes have been linted & the chart documentation ha Make sure that any new functionality is well tested! You can do this by installing the chart locally, see [above](https://github.com/PrefectHQ/prefect-helm#installing-development-versions) for how to do this. +You can also create and run test suites via [helm-unittest](https://github.com/helm-unittest/helm-unittest). +Related test files are stored under `./charts//tests/*_test.yaml`. +Refer to the `helm-unittest` repository for more information. + +The following helper script will run the tests via the `helm-unittest` Docker image in case you don't have the binary installed locally: + +```shell +./scripts/helm_unittest.sh +``` + +When `helm-unittest` is available via the [`mise` registry](https://mise.jdx.dev/registry.html), we'll add it to `.mise.toml` +for easy local installation. + ### Opening a PR A helpful PR explains WHAT changed and WHY the change is important. Please take time to make your PR descriptions as helpful as possible. If you are opening a PR from a forked repository - please follow [these](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork) docs to allow `prefect-helm` maintainers to push commits to your local branch. diff --git a/charts/prefect-server/.helmignore b/charts/prefect-server/.helmignore index 0e8a0eb..a83f666 100644 --- a/charts/prefect-server/.helmignore +++ b/charts/prefect-server/.helmignore @@ -21,3 +21,5 @@ .idea/ *.tmproj .vscode/ +# helm-unittest +tests 
diff --git a/charts/prefect-server/README.md b/charts/prefect-server/README.md index 70a339b..703c8a4 100644 --- a/charts/prefect-server/README.md +++ b/charts/prefect-server/README.md @@ -28,8 +28,14 @@ Note: If you choose to make modifications to either the `server.prefectApiUrl` o ### Handling Connection Secrets -If you are installing the chart as-is (and therefore installing PostgreSQL) - you'll need to update one of two fields: -1. `postgresql.auth.password`: a password you want to set for the prefect user +#### Using the bundled PostgreSQL chart + +By default, Bitnami's PostgreSQL Helm Chart will be deployed. This is **not intended for production use**, and is only +included to provide a functional proof of concept installation. + +In this scenario, you'll need to provide _either one_ of the following fields: + +1. `postgresql.auth.password`: a password you want to set for the prefect user (default: `prefect-rocks`) 2. `postgresql.auth.existingSecret`: name of an existing secret in your cluster with the following field: 
@@ -38,24 +44,33 @@ If you are installing the chart as-is (and therefore installing PostgreSQL) - yo - hostname = `-postgresql.:` - database = `postgresql.auth.database` +Two secrets are created when not providing an existing secret name: +1. `prefect-server-postgresql-connection`: used by the prefect-server deployment to connect to the postgresql database. + +2. `-postgresql-0`: defines the `postgresql.auth.username`'s password on the postgresql server to allow successful authentication from the prefect server. + +#### Using an external instance of PostgreSQL + If you want to disable the bundled PostgreSQL chart and use an external instance, provide the following configuration: ```yaml prefect-server: postgresql: - # Disable the objects from the bundled PostgreSQL chart enabled: false - auth: - # Provide the name of an existing secret following the instructions above. - existingSecret: -``` - -Two secrets are created when not providing an existing secret name: -1. `prefect-server-postgresql-connection`: used by the prefect-server deployment to connect to the postgresql database. - -2. `-postgresql-0`: defines the `postgresql.auth.username`'s password on the postgresql server to allow successful authentication from the prefect server. -No secrets are created when providing an existing secret. + secret: + # Option 1: provide the name of an existing secret following the instructions above. + create: false + name: + + # Option 2: provide the connection string details directly + create: true + username: myuser + password: mypass + host: myhost.com + port: 1234 + database: mydb +``` ### Connecting with SSL configured 
@@ -134,16 +149,19 @@ No secrets are created when providing an existing secret. | namespaceOverride | string | `""` | fully override common.names.namespace | | postgresql.auth.database | string | `"server"` | name for a custom database | | postgresql.auth.enablePostgresUser | bool | `false` | determines whether an admin user is created within postgres | -| postgresql.auth.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials. | | postgresql.auth.password | string | `"prefect-rocks"` | password for the custom user. Ignored if `auth.existingSecret` with key `password` is provided | | postgresql.auth.username | string | `"prefect"` | name for a custom user | -| postgresql.containerPorts | object | `{"postgresql":5432}` | PostgreSQL container port | | postgresql.enabled | bool | `true` | enable use of bitnami/postgresql subchart | -| postgresql.externalHostname | string | `""` | | | postgresql.image.tag | string | `"14.3.0"` | Version tag, corresponds to tags at https://hub.docker.com/r/bitnami/postgresql/ | | postgresql.primary.initdb.user | string | `"postgres"` | specify the PostgreSQL username to execute the initdb scripts | | postgresql.primary.persistence.enabled | bool | `false` | enable PostgreSQL Primary data persistence using PVC | -| postgresql.primary.persistence.size | string | `"8Gi"` | PVC Storage Request for PostgreSQL volume | +| secret.create | bool | `true` | whether to create a Secret containing the PostgreSQL connection string | +| secret.database | string | `""` | database for the PostgreSQL connection string | +| secret.host | string | `""` | host for the PostgreSQL connection string | +| secret.name | string | `""` | name for the Secret containing the PostgreSQL connection string To provide an existing Secret, provide a name and set `create=false` | +| secret.password | string | `""` | password for the PostgreSQL connection string | +| secret.port | string | `""` | port for the PostgreSQL connection string | 
+| secret.username | string | `""` | username for the PostgreSQL connection string | | server.affinity | object | `{}` | affinity for server pods assignment | | server.autoscaling.enabled | bool | `false` | enable autoscaling for server | | server.autoscaling.maxReplicas | int | `100` | maximum number of server replicas | diff --git a/charts/prefect-server/README.md.gotmpl b/charts/prefect-server/README.md.gotmpl index d8594b5..18622fe 100644 --- a/charts/prefect-server/README.md.gotmpl +++ b/charts/prefect-server/README.md.gotmpl @@ -27,8 +27,14 @@ Note: If you choose to make modifications to either the `server.prefectApiUrl` o ### Handling Connection Secrets -If you are installing the chart as-is (and therefore installing PostgreSQL) - you'll need to update one of two fields: -1. `postgresql.auth.password`: a password you want to set for the prefect user +#### Using the bundled PostgreSQL chart + +By default, Bitnami's PostgreSQL Helm Chart will be deployed. This is **not intended for production use**, and is only +included to provide a functional proof of concept installation. + +In this scenario, you'll need to provide _either one_ of the following fields: + +1. `postgresql.auth.password`: a password you want to set for the prefect user (default: `prefect-rocks`) 2. `postgresql.auth.existingSecret`: name of an existing secret in your cluster with the following field: 
@@ -37,24 +43,33 @@ If you are installing the chart as-is (and therefore installing PostgreSQL) - yo - hostname = `-postgresql.:` - database = `postgresql.auth.database` +Two secrets are created when not providing an existing secret name: +1. `prefect-server-postgresql-connection`: used by the prefect-server deployment to connect to the postgresql database. + +2. `-postgresql-0`: defines the `postgresql.auth.username`'s password on the postgresql server to allow successful authentication from the prefect server. + +#### Using an external instance of PostgreSQL + If you want to disable the bundled PostgreSQL chart and use an external instance, provide the following configuration: ```yaml prefect-server: postgresql: - # Disable the objects from the bundled PostgreSQL chart enabled: false - auth: - # Provide the name of an existing secret following the instructions above. - existingSecret: -``` - -Two secrets are created when not providing an existing secret name: -1. `prefect-server-postgresql-connection`: used by the prefect-server deployment to connect to the postgresql database. - -2. `-postgresql-0`: defines the `postgresql.auth.username`'s password on the postgresql server to allow successful authentication from the prefect server. -No secrets are created when providing an existing secret. + secret: + # Option 1: provide the name of an existing secret following the instructions above. + create: false + name: + + # Option 2: provide the connection string details directly + create: true + username: myuser + password: mypass + host: myhost.com + port: 1234 + database: mydb +``` ### Connecting with SSL configured diff --git a/charts/prefect-server/templates/_helpers.tpl b/charts/prefect-server/templates/_helpers.tpl index 61db366..be622a4 100644 --- a/charts/prefect-server/templates/_helpers.tpl +++ b/charts/prefect-server/templates/_helpers.tpl 
@@ -9,20 +9,80 @@ Create the name of the service account to use {{- end -}} {{- end -}} +// ----- Connection string templates ------ + {{/* server.postgres-hostname: Generate the hostname of the postgresql service If a subchart is used, evaluate using its fullname function - as {subchart.fullname}-{namespace} + and append the namespace at the end. Otherwise, the configured external hostname will be returned */}} {{- define "server.postgres-hostname" -}} {{- if .Values.postgresql.enabled -}} - {{- $subchart_overrides := .Values.postgresql -}} - {{- $name := include "postgresql.v1.primary.fullname" (dict "Values" $subchart_overrides "Chart" (dict "Name" "postgresql") "Release" .Release) -}} - {{- printf "%s.%s" $name .Release.Namespace -}} +{{- $subchart_overrides := .Values.postgresql -}} +{{- $name := include "postgresql.v1.primary.fullname" (dict "Values" $subchart_overrides "Chart" (dict "Name" "postgresql") "Release" .Release) -}} +{{- printf "%s.%s" $name .Release.Namespace -}} +{{- else -}} +{{- .Values.secret.host | required ".Values.secret.host is required." -}} +{{- end -}} +{{- end -}} + +{{/* + server.postgres-port: + Generate the port of the postgresql service + If a subchart is used, evaluate using its port function + Otherwise, the configured port will be returned +*/}} +{{- define "server.postgres-port" -}} +{{- if .Values.postgresql.enabled -}} +{{- $subchart_overrides := .Values.postgresql -}} +{{- include "postgresql.v1.service.port" (dict "Values" $subchart_overrides) -}} +{{- else -}} +{{- .Values.secret.port | required ".Values.secret.port is required." 
-}} +{{- end -}} +{{- end -}} + +{{/* + server.postgres-username: + Generate the username for postgresql + If a subchart is used, evaluate using its username function + Otherwise, the configured username will be returned +*/}} +{{- define "server.postgres-username" -}} +{{- if .Values.postgresql.enabled -}} +{{- $subchart_overrides := .Values.postgresql -}} +{{- include "postgresql.v1.username" (dict "Values" $subchart_overrides) -}} {{- else -}} - {{- .Values.postgresql.externalHostname -}} +{{- .Values.secret.username | required ".Values.secret.username is required." -}} +{{- end -}} +{{- end -}} + +{{/* + server.postgres-password: + Generate the password for postgresql + If a subchart is used, evaluate using its password value + Otherwise, the configured password will be returned +*/}} +{{- define "server.postgres-password" -}} +{{- if .Values.postgresql.enabled -}} +{{- .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required." -}} +{{- else -}} +{{- .Values.secret.password | required ".Values.secret.password is required." -}} +{{- end -}} +{{- end -}} + +{{/* + server.postgres-database: + Generate the database for postgresql + If a subchart is used, evaluate using its database value + Otherwise, the configured database will be returned +*/}} +{{- define "server.postgres-database" -}} +{{- if .Values.postgresql.enabled -}} +{{- .Values.postgresql.auth.database | required ".Values.postgresql.auth.database is required." -}} +{{- else -}} +{{- .Values.secret.database | required ".Values.secret.database is required." -}} {{- end -}} {{- end -}} 
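Review bot: In `server.postgres-password`, the `required` guard on `.Values.postgresql.auth.password` can never fire for the bundled chart, because `values.yaml` in this same patch still ships `password: prefect-rocks`; an install that sets nothing gets a connection string built from a default that the README now prints. Consider shipping an empty default so `required` forces a choice, or state in the helper's comment block that the default must be overridden outside a proof-of-concept install. Separately, the two `// ----- … -----` marker lines sit outside any template action, so they are literal text rather than comments; `{{/* ----- Connection string templates ----- */}}` is the comment form the surrounding helpers already use.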
@@ -31,11 +91,11 @@ Create the name of the service account to use Generates the connection string for the postgresql service */}} {{- define "server.postgres-connstr" -}} -{{- $user := .Values.postgresql.auth.username -}} -{{- $pass := .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required." -}} +{{- $user := include "server.postgres-username" . -}} +{{- $pass := include "server.postgres-password" . -}} {{- $host := include "server.postgres-hostname" . -}} -{{- $port := .Values.postgresql.containerPorts.postgresql | toString -}} -{{- $db := .Values.postgresql.auth.database -}} +{{- $port := include "server.postgres-port" . -}} +{{- $db := include "server.postgres-database" . -}} {{- printf "postgresql+asyncpg://%s:%s@%s:%s/%s" $user $pass $host $port $db -}} {{- end -}} @@ -48,12 +108,16 @@ Create the name of the service account to use {{- define "server.postgres-string-secret-name" -}} {{- if .Values.postgresql.auth.existingSecret -}} {{- .Values.postgresql.auth.existingSecret -}} +{{- else if .Values.secret.name -}} + {{- .Values.secret.name -}} {{- else -}} {{- $name := include "common.names.fullname" . -}} {{- printf "%s-%s" $name "postgresql-connection" -}} {{- end -}} {{- end -}} +// ----- End connection string templates ----- + {{- define "server.uiUrl" -}} {{- if .Values.server.uiConfig.prefectUiUrl -}} {{- .Values.server.uiConfig.prefectUiUrl -}} diff --git a/charts/prefect-server/templates/secret.yaml b/charts/prefect-server/templates/secret.yaml index 462b59d..a863efd 100644 --- a/charts/prefect-server/templates/secret.yaml +++ b/charts/prefect-server/templates/secret.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.postgresql.enabled (not .Values.postgresql.auth.existingSecret) }} +{{- if .Values.secret.create }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/prefect-server/tests/database_test.yaml b/charts/prefect-server/tests/database_test.yaml new file mode 100644 index 0000000..60ed1db --- /dev/null 
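Review bot: The `printf "postgresql+asyncpg://%s:%s@%s:%s/%s"` line in `server.postgres-connstr` interpolates the user and password unencoded, and with this change those values can come from `.Values.secret.username` and `.Values.secret.password` for an external database. A password containing `@`, `:`, `/`, `#` or `%` would yield a URL that fails to parse or parses with a different host than the operator intended. Percent-encode the userinfo parts before formatting, for example `{{- $pass := include "server.postgres-password" . | urlquery -}}` (check how the consumer decodes `+`, since `urlquery` uses query-style escaping). A unit test with a password that contains reserved characters would pin the behaviour.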
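Review bot: In `server.postgres-string-secret-name`, `.Values.postgresql.auth.existingSecret` still takes precedence for the name, while the `secret.yaml` hunk that follows now gates creation only on `.Values.secret.create`, which defaults to `true`. Setting `postgresql.auth.existingSecret` alone therefore appears to render a chart-managed Secret under the name of the user's pre-existing one, with a connection string built from `postgresql.auth.password` rather than from that Secret's contents; the new test "Should configure an external secret name correctly" asserts exactly that rendering. Either keep the old exclusion in the guard, `{{- if and .Values.secret.create (not .Values.postgresql.auth.existingSecret) }}`, or drop the `existingSecret` branch from the name helper so that `secret.create=false` plus `secret.name` is the only way to bring your own Secret.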
+++ b/charts/prefect-server/tests/database_test.yaml 
@@ -0,0 +1,108 @@
+suite: Database configuration
+release:
+ name: test
+ namespace: prefect
+
+# Anchors to reuse in the tests
+envSecretPath: &envSecretPath .spec.template.spec.containers[?(@.name == "prefect-server")].env[?(@.name == "PREFECT_API_DATABASE_CONNECTION_URL")].valueFrom.secretKeyRef.name
+defaultSecretName: &defaultSecretName prefect-server-postgresql-connection
+
+tests:
+ # Bundled PostgreSQL chart tests
+
+ - it: Should produce the expected secret name and content with the defaults
+ asserts:
+ - template: secret.yaml
+ equal:
+ path: .metadata.name
+ value: *defaultSecretName
+ - template: secret.yaml
+ equal:
+ path: .data.connection-string
+ decodeBase64: true
+ value: postgresql+asyncpg://prefect:prefect-rocks@test-postgresql.prefect:5432/server
+ - template: deployment.yaml
+ equal:
+ path: *envSecretPath
+ value: *defaultSecretName
+
+ - it: Should inject custom connection auth info
+ set:
+ postgresql:
+ primary:
+ service:
+ ports:
+ postgresql: 1234
+ auth:
+ username: myuser
+ password: mypass
+ database: mydb
+ asserts:
+ - template: secret.yaml
+ equal:
+ path: .data.connection-string
+ decodeBase64: true
+ value: postgresql+asyncpg://myuser:mypass@test-postgresql.prefect:1234/mydb
+
+ - it: Should configure an external secret name correctly
+ set:
+ postgresql:
+ auth:
+ existingSecret: my-pg-secret
+ asserts:
+ - template: secret.yaml
+ equal:
+ path: .metadata.name
+ value: my-pg-secret
+ - template: deployment.yaml
+ equal:
+ path: *envSecretPath
+ value: my-pg-secret
+
+
+ # External PostgreSQL instance tests
+
+ - it: Should inject custom connection auth info
+ set:
+ postgresql:
+ enabled: false
+ secret:
+ username: foo
+ password: bar
+ host: mypghost.com
+ port: 1234
+ database: mydb
+ asserts:
+ - template: secret.yaml
+ equal:
+ path: .data.connection-string
+ decodeBase64: true
+ value: postgresql+asyncpg://foo:bar@mypghost.com:1234/mydb
+
+ - it: Should fail if connection info is incomplete
+ set:
+ postgresql:
+ enabled: false
+ secret:
+ username: foo
+ password: bar
+ # Not configured:
+ # host:
+ # port:
+ # database:
+ asserts:
+ - failedTemplate:
+ errorPattern: is required
+
+ - it: Should configure an existing secret name correctly
+ set:
+ postgresql:
+ enabled: false
+ secret:
+ create: false
+ name: my-pg-secret
+ asserts:
+ - template: deployment.yaml
+ equal:
+ path: *envSecretPath
+ value: my-pg-secret
diff --git a/charts/prefect-server/values.schema.json b/charts/prefect-server/values.schema.json
index 9320ab9..cd519ab 100644
--- a/charts/prefect-server/values.schema.json
+++ b/charts/prefect-server/values.schema.json
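Review bot: The last case, "Should configure an existing secret name correctly", checks only that `deployment.yaml` references `my-pg-secret`; nothing asserts that `secret.yaml` renders no document when `secret.create` is `false`, which is the property that keeps the chart from touching a user-supplied Secret. Add an assertion to that case such as `- template: secret.yaml` with `hasDocuments:` and `count: 0`. The name "Should inject custom connection auth info" is also used for two different cases, which makes a failure report ambiguous; suffixing them with "(bundled)" and "(external)" would do.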
@@ -613,115 +613,6 @@ } } }, - "postgresql": { - "type": "object", - "title": "PostgreSQL", - "description": "Postgresql configuration", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enabled", - "description": "enable postgresql" - }, - "auth": { - "type": "object", - "title": "Auth", - "description": "postgresql authentication configuration", - "properties": { - "enablePostgresUser": { - "type": "boolean", - "title": "Enable Postgres User", - "description": "determines whether an admin user is created within postgres" - }, - "database": { - "type": "string", - "title": "Database", - "description": "name for a custom database" - }, - "username": { - "type": "string", - "title": "Username", - "description": "name for a custom user" - }, - "password": { - "type": "string", - "title": "Password", - "description": "password for the custom user" - }, - "existingSecret": { - "type": "string", - "title": "Existing Secret", - "description": "name of an existing secret containing the postgresql password" - } - } - }, - "containerPorts": { - "type": "object", - "title": "Container Ports", - "description": "PostgreSQL container port", - "properties": { - "postgresql": { - "type": ["integer","string"], - "title": "Postgres", - "description": "PostgreSQL container port" - } - } - }, - "externalHostname": { - "type": "string", - "title": "External Hostname", - "description": "external hostname for the postgresql service" - }, - "primary": { - "type": "object", - "title": "Primary", - "description": "Initdb configuration", - "properties": { - "initdb": { - "type": "object", - "title": "Initdb", - "description": "Initdb configuration", - "properties": { - "user": { - "type": "string", - "title": "User", - "description": "specify the PostgreSQL username to execute the initdb scripts" - } - } - }, - "persistence": { - "type": "object", - "title": "Persistence", - "description": "Primary persistence configuration", - "properties": { - "enabled": { - "type": 
"boolean", - "title": "Enabled", - "description": "enable PostgreSQL Primary data persistence using PVC" - }, - "size": { - "type": "string", - "title": "Size", - "description": "PVC Storage Request for PostgreSQL volume" - } - } - }, - "image": { - "type": "object", - "title": "Image", - "description": "Postgres image configuration", - "properties": { - "tag": { - "type": "string", - "title": "Tag", - "description": " Version tag, corresponds to tags at https://hub.docker.com/r/bitnami/postgresql/" - } - } - } - } - } - } - }, "common": { "type": "object", "title": "Common", diff --git a/charts/prefect-server/values.yaml b/charts/prefect-server/values.yaml index e10992b..1aa9a54 100644 --- a/charts/prefect-server/values.yaml +++ b/charts/prefect-server/values.yaml @@ -293,7 +293,26 @@ ingress: ## port: ## name: http -# Postgresql configuration +# Secret configuration +secret: + # -- whether to create a Secret containing the PostgreSQL connection string + create: true + # -- name for the Secret containing the PostgreSQL connection string + # To provide an existing Secret, provide a name and set `create=false` + name: "" + + # -- username for the PostgreSQL connection string + username: "" + # -- password for the PostgreSQL connection string + password: "" + # -- host for the PostgreSQL connection string + host: "" + # -- port for the PostgreSQL connection string + port: "" + # -- database for the PostgreSQL connection string + database: "" + +# PostgreSQL subchart - default overrides postgresql: # -- enable use of bitnami/postgresql subchart enabled: true 
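Review bot: `secret.password` is a plain chart value, so anyone using the direct-connection option puts the database password into their values file and into the release record Helm keeps in the cluster, and the comment on the key gives no hint of that. Extend the comment to something like `# -- password for the PostgreSQL connection string. Prefer create=false with an existing Secret (secret.name) to keep the credential out of Helm values`. `port` defaults to the string `""` while the README example passes `port: 1234`; stating the accepted type in its comment would avoid guesswork, since the `values.schema.json` hunk in this patch removes the `postgresql` block and adds nothing for `secret`.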
@@ -310,23 +329,6 @@ postgresql: # -- password for the custom user. Ignored if `auth.existingSecret` with key `password` is provided password: prefect-rocks - ## This secret must contain two key-value pairs where the first key is `connection-string` and the value is the - ## connection string containing your password (e.g. postgresql+asyncpg://{username}:{password}@{hostname}/{database}). - ## The second key-value pair has the key `password` and the value is the {password} used in the connection string - # -- Name of existing secret to use for PostgreSQL credentials. - existingSecret: "" - - # -- PostgreSQL container port - containerPorts: - postgresql: 5432 - - # externalHostname defines the address to contact an externally - # managed postgres database instance at. This is not required if - # `internalPostgres` is `true` - externalHostname: "" - - ## postgresql configuration below here is only used if using the subchart - ## Initdb configuration ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments primary: @@ -340,8 +342,6 @@ postgresql: persistence: # -- enable PostgreSQL Primary data persistence using PVC enabled: false - # -- PVC Storage Request for PostgreSQL volume - size: 8Gi image: # -- Version tag, corresponds to tags at https://hub.docker.com/r/bitnami/postgresql/ diff --git a/scripts/helm_unittest.sh b/scripts/helm_unittest.sh new file mode 100755 index 0000000..1ffa5d7 --- /dev/null +++ b/scripts/helm_unittest.sh 
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# This script uses https://github.com/helm-unittest/helm-unittest
+# to run unit tests for our Helm Chart templates.
+#
+# It uses the Docker image to make it easier to run on local machines without
+# having to manage the binary and its correct version. Note that if it ever
+# appears in https://mise.jdx.dev/registry.html, we can add an entry in .mise.toml.
+#
+# Dependencies:
+# - docker
+#
+# Usage:
+# ./scripts/helm_unittest.sh
+
+version=${VERSION:-3.15.3-0.5.2}
+
+docker run \
+ -it --rm \
+ -v $(pwd):/apps \
+ helmunittest/helm-unittest:${version} charts/prefect-server
From 5929ef28620ad8a902e2d9f8233b3c2c8386f870 Mon Sep 17 00:00:00 2001
From: Jimi Dodd-o
Date: Thu, 15 Aug 2024 13:17:49 -0400
Subject: [PATCH 3/4] chore/Enable csrf in helm chart for prometheus exporter (#372) Enable csrf in helm chart for prometheus exporter
---
 charts/prefect-agent/README.md | 2 +-
 charts/prefect-server/README.md | 2 +-
 charts/prefect-worker/README.md | 2 +-
 charts/prometheus-prefect-exporter/README.md | 3 ++-
 charts/prometheus-prefect-exporter/templates/deployment.yaml | 4 ++++
 charts/prometheus-prefect-exporter/values.schema.json | 5 +++++
 charts/prometheus-prefect-exporter/values.yaml | 3 +++
 7 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/charts/prefect-agent/README.md b/charts/prefect-agent/README.md
index 1f2db92..90afdac 100644
--- a/charts/prefect-agent/README.md
+++ b/charts/prefect-agent/README.md
@@ -83,4 +83,4 @@ Prefect Agent application bundle
 | serviceAccount.name | string | `""` | the name of the ServiceAccount to use. if not set and create is true, a name is generated using the common.names.fullname template |
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
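Review bot: The `docker run` invocation in `scripts/helm_unittest.sh` expands `$(pwd)` and `${version}` unquoted, so a checkout path containing spaces splits the `-v` argument, and a `VERSION` value taken from the environment is word-split into extra `docker` arguments. Quote both: `-v "$(pwd)":/apps \` and `"helmunittest/helm-unittest:${version}" charts/prefect-server`. `-it` also makes the script fail when no TTY is attached, so it cannot be reused from CI as written; dropping `-t`, or adding it only when `[ -t 0 ]` holds, avoids that. A `set -euo pipefail` line after the shebang would match common practice for helper scripts.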
diff --git a/charts/prefect-server/README.md b/charts/prefect-server/README.md index 703c8a4..fddf0ec 100644 --- a/charts/prefect-server/README.md +++ b/charts/prefect-server/README.md @@ -228,4 +228,4 @@ prefect-server: | serviceAccount.name | string | `""` | the name of the ServiceAccount to use. if not set and create is true, a name is generated using the common.names.fullname template | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/prefect-worker/README.md b/charts/prefect-worker/README.md index 2d29a9d..1e7878e 100644 --- a/charts/prefect-worker/README.md +++ b/charts/prefect-worker/README.md @@ -326,4 +326,4 @@ Please note that configuring the template via `baseJobTemplate.existingConfigMap | worker.tolerations | list | `[]` | tolerations for worker pods assignment | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/prometheus-prefect-exporter/README.md b/charts/prometheus-prefect-exporter/README.md index 192d23a..e507bd9 100644 --- a/charts/prometheus-prefect-exporter/README.md +++ b/charts/prometheus-prefect-exporter/README.md 
@@ -62,6 +62,7 @@ Shoutout to @ialejandro for the original work on this chart! |-----|------|---------|-------------| | affinity | object | `{}` | Affinity for pod assignment | | autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage | +| csrfAuth | bool | `false` | Enable CSRF authentication (Only set to true if Prefect Server has CSRF enabled) | | env | object | `{}` | Environment variables to configure application | | fullnameOverride | string | `""` | String to fully override common.names.fullname template | | image | object | `{"pullPolicy":"IfNotPresent","repository":"prefecthq/prometheus-prefect-exporter","tag":"1.1.0"}` | Image registry | @@ -91,4 +92,4 @@ Shoutout to @ialejandro for the original work on this chart! | tolerations | list | `[]` | Tolerations for pod assignment | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/prometheus-prefect-exporter/templates/deployment.yaml b/charts/prometheus-prefect-exporter/templates/deployment.yaml index cd49057..090ec14 100644 --- a/charts/prometheus-prefect-exporter/templates/deployment.yaml +++ b/charts/prometheus-prefect-exporter/templates/deployment.yaml @@ -63,6 +63,10 @@ spec: env: - name: PREFECT_API_URL value: {{ .Values.prefectApiUrl }} + {{- if .Values.csrfAuth }} + - name: PREFECT_CSRF_ENABLED + value: "True" + {{- end }} {{- if .Values.env }} {{- range $key, $value := .Values.env }} - name: {{ $key | upper }} diff --git a/charts/prometheus-prefect-exporter/values.schema.json b/charts/prometheus-prefect-exporter/values.schema.json index e3ccc55..0102031 100644 --- a/charts/prometheus-prefect-exporter/values.schema.json 
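Review bot: The new `PREFECT_CSRF_ENABLED` entry in `templates/deployment.yaml` is emitted ahead of the `range` over `.Values.env`, whose keys are upper-cased. A release that sets `csrfAuth: true` and also carries that key in `env` therefore renders the same variable name twice in the container's `env` list. Kubernetes generally lets the later entry win, so the free-form map would silently override the dedicated flag. Failing at render time makes the conflict visible, for example `{{- if and $.Values.csrfAuth (eq ($key | upper) "PREFECT_CSRF_ENABLED") }}{{ fail "set csrfAuth instead of env.PREFECT_CSRF_ENABLED" }}{{- end }}` inside the `range`. The container spec and the `range` block continue outside the hunk, so how the remaining entries are rendered is not visible here.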
+++ b/charts/prometheus-prefect-exporter/values.schema.json @@ -72,6 +72,11 @@ "title": "Prefect API URL", "description": "Prefect API URL" }, + "csrfAuth": { + "type": "boolean", + "title": "CSRF Auth", + "description": "Enable CSRF auth" + }, "env": { "type": "object", "title": "Environment Variables", diff --git a/charts/prometheus-prefect-exporter/values.yaml b/charts/prometheus-prefect-exporter/values.yaml index c854566..c4f49d1 100644 --- a/charts/prometheus-prefect-exporter/values.yaml +++ b/charts/prometheus-prefect-exporter/values.yaml @@ -29,6 +29,9 @@ serviceAccount: # -- Prefect API URL to connect to for metrics prefectApiUrl: http://prefect-server.prefect.svc.cluster.local:4200/api + +# -- Enable CSRF authentication (Only set to true if Prefect Server has CSRF enabled) +csrfAuth: false # -- Environment variables to configure application env: {} # Plain vars From c0eef7c6f70ff0e501e3f97a747bac509e2bb454 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 18:03:31 -0400 Subject: [PATCH 4/4] chore(deps): bump actions/checkout from 3 to 4 (#373) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/helm-unittest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-unittest.yaml b/.github/workflows/helm-unittest.yaml index e0f523b..922830c 100644 --- a/.github/workflows/helm-unittest.yaml +++ b/.github/workflows/helm-unittest.yaml 
@@ -14,7 +14,7 @@ jobs: # required to read from the repo contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: d3adb5/helm-unittest-action@v2 with: helm-version: v3.15.3