diff --git a/share/Chart.yaml b/share/Chart.yaml
index 767827a4..1fcdf17e 100644
--- a/share/Chart.yaml
+++ b/share/Chart.yaml
@@ -1,7 +1,8 @@
-apiVersion: v1
+apiVersion: v2
 description: SHARE
 name: share
-version: 0.6.3
+type: application
+version: 1.0.0
 keywords:
 - open
 - science
@@ -17,5 +18,10 @@ maintainers:
 - name: Uditi Mehta
 email: uditi@cos.io
 url: https://github.com/uditijmehta
-engine: gotpl
-tillerVersion: '>=2.7.0'
+dependencies:
+ # - name: cos-common
+ # version: 1.0.1
+ # repository: "file://../cos-common"
+ - name: cos-common
+ version: 1.0.1
+ repository: https://centerforopenscience.github.io/helm-charts/
diff --git a/share/files/nginx.conf b/share/files/nginx.conf
new file mode 100644
index 00000000..fe008011
--- /dev/null
+++ b/share/files/nginx.conf
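Review bot: In the second hunk of share/Chart.yaml, `cos-common` 1.0.1 is now fetched from a remote chart repository, while this commit deletes `share/requirements.lock` and no `Chart.lock` appears in the visible part of the diff. With `apiVersion: v2` the resolved dependency set is recorded in `Chart.lock`; committing the file produced by `helm dependency update` keeps `helm dependency build` reproducible, and if the repository publishes provenance files, building with `--verify` also checks the package signature. The three commented-out `file://../cos-common` lines read as leftover development configuration; if they are kept on purpose, a one-line comment such as `# local development: point repository at file://../cos-common` would say so.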
@@ -0,0 +1,111 @@
+user nginx;
+worker_processes 1;
+
+pid /var/run/nginx.pid;
+
+error_log /var/log/nginx/error.log warn;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $upstream_cache_status $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+ 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 620s;
+ keepalive_requests 10000;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ gzip on;
+ gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+ gzip_comp_level 2;
+ gzip_min_length 512;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_types text/plain
+ text/css
+ image/svg+xml
+ application/javascript
+ application/x-javascript
+ text/xml
+ application/xml
+ text/javascript
+ application/json
+ application/xml+rss
+ application/vnd.api+json;
+
+ server {
+ listen {{ .Values.web.http.internalPort }};
+ keepalive_timeout 620s;
+ root /static/code;
+ client_max_body_size 25M;
+ server_name _;
+
+ if ($http_x_forwarded_proto = "http") {
+ return 301 https://$host$request_uri;
+ }
+
+ location = /healthz {
+ access_log off;
+ return 200;
+ }
+
+ location = /robots.txt {
+ alias /usr/share/nginx/html/robots.txt;
+ }
+
+ {{- if .Values.web.mediaUrl }}
+ location /media/ {
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_pass {{ .Values.web.mediaUrl }};
+ }
+ {{- else }}
+ # location /media/ {
+ # alias /media/;
+ # }
+ {{- end }}
+
+ location = /favicon.ico {
+ rewrite ^/(.*)$ /static/$1;
+ }
+
+ {{- if .Values.web.staticUrl }}
+ location /static/ {
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_pass {{ .Values.web.staticUrl }};
+ }
+ {{- else }}
+ location /static/ {
+ alias /static/;
+ }
+ {{- end }}
+
+ location / {
+ # Disable caching of application requests
+ add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate";
+ add_header Expires "-1";
+ add_header Pragma "no-cache";
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ # Pass requests to uwsgi application
+ include /etc/nginx/uwsgi_params;
+ uwsgi_buffering off;
+ uwsgi_request_buffering off;
+ uwsgi_pass uwsgi://127.0.0.1:{{ .Values.web.http.externalPort }};
+ }
+
+ }
+}
diff --git a/share/requirements.lock b/share/requirements.lock
deleted file mode 100644
index 8e8ffbb8..00000000
--- a/share/requirements.lock
+++ /dev/null
@@ -1,12 +0,0 @@
-dependencies:
-- name: elasticsearch
- repository: https://centerforopenscience.github.io/helm-charts/
- version: 0.5.3
-- name: postgresql
- repository: https://centerforopenscience.github.io/helm-charts/
- version: 0.11.1
-- name: rabbitmq
- repository: https://centerforopenscience.github.io/helm-charts/
- version: 6.9.1
-digest: sha256:132d7b16cdef4c1c08b670ad6021bdef0dd5a52f8f16cd2ae65b42b884e563d3
-generated: 2023-01-24T17:13:01.347186-05:00
diff --git a/share/requirements.yaml b/share/requirements.yaml
deleted file mode 100644
index bfd3c890..00000000
--- a/share/requirements.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-dependencies:
- - name: elasticsearch
- version: 0.5.3
- repository: https://centerforopenscience.github.io/helm-charts/
- condition: elasticsearch.enabled, global.elasticsearch.enabled
- - name: postgresql
- version: 0.11.1
- repository: https://centerforopenscience.github.io/helm-charts/
- condition: postgresql.enabled, global.postgresql.enabled
- - name: rabbitmq
- version: 6.9.1
- repository: https://centerforopenscience.github.io/helm-charts/
- condition: rabbitmq.enabled, global.rabbitmq.enabled
diff --git a/share/templates/NOTES.txt b/share/templates/NOTES.txt
index 30404ce4..f098cd62 100644
--- a/share/templates/NOTES.txt
+++ b/share/templates/NOTES.txt
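Review bot: In share/files/nginx.conf the `Strict-Transport-Security` header is declared only inside `location /` and without `always`, so responses served from `/static/`, `/media/` and `/robots.txt` do not carry it, and nginx drops it on 4xx/5xx responses from the application. Consider `add_header Strict-Transport-Security "max-age=31536000" always;` at `server` level and again in `location /`, because a location that declares any `add_header` of its own stops inheriting the server-level ones. Separately, the file contains `{{ .Values… }}` actions; whether they are rendered depends on how `cos-common.configmap` loads `files/` (for example through `tpl`), which is not visible in this diff and is worth confirming against the rendered ConfigMap.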
@@ -1 +1,7 @@
-TODO
\ No newline at end of file
+SHARE chart deployed.
+
+Web service name:
+ {{ include "cos-common.fullname" (dict "root" . "name" "web" "values" .Values.web) | trim }}
+
+Port-forward (web):
+ kubectl -n {{ .Release.Namespace }} port-forward svc/{{ include "cos-common.fullname" (dict "root" . "name" "web" "values" .Values.web) | trim }} 8080:{{ .Values.web.http.externalPort }}
diff --git a/share/templates/_helpers.tpl b/share/templates/_helpers.tpl
deleted file mode 100644
index 60725f5e..00000000
--- a/share/templates/_helpers.tpl
+++ /dev/null
@@ -1,164 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "share.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified migration name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.migration.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.migration.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified beat name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.beat.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.beat.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified indexer name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.indexer.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.indexer.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified web name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
-*/}} -{{- define "share.web.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.web.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified certificate name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.web.certificate.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.web.certificate.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified worker name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.worker.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.worker.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified postgresql name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.postgresql.fullname" -}} -{{- $name := "postgresql" -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified psotgresql master name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "share.postgresql.master.fullname" -}} -{{- $name := "postgresql-master" -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified rabbitmq name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
-*/}} -{{- define "share.rabbitmq.fullname" -}} -{{- $name := "rabbitmq" -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Overridable deployment annotations -*/}} -{{- define "share.deploymentAnnotations" }} -checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} -checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} -{{- end -}} - -{{- define "share.environment" }} -{{- if .Values.postgresql.enabled }} -- name: DATABASE_HOST - value: {{ template "share.postgresql.master.fullname" . }} -- name: DATABASE_NAME - valueFrom: - secretKeyRef: - name: {{ template "share.postgresql.fullname" . }} - key: POSTGRES_DB -- name: DATABASE_USER - valueFrom: - secretKeyRef: - name: {{ template "share.postgresql.fullname" . }} - key: POSTGRES_USER -- name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "share.postgresql.fullname" . }} - key: POSTGRES_PASSWORD -{{- end }} -{{- if .Values.rabbitmq.enabled }} -- name: RABBITMQ_HOST - value: {{ template "share.rabbitmq.fullname" . }} -- name: RABBITMQ_PORT - value: {{ .Values.rabbitmq.service.port | quote }} -- name: RABBITMQ_VHOST - valueFrom: - configMapKeyRef: - name: {{ template "share.rabbitmq.fullname" . }} - key: RABBITMQ_VHOST -- name: username - valueFrom: - secretKeyRef: - name: {{ template "share.rabbitmq.fullname" . }} - key: RABBITMQ_DEFAULT_USER - value: {{ .Values.rabbitmq.rabbitmqUsername | quote }} -- name: password - valueFrom: - secretKeyRef: - name: {{ template "share.rabbitmq.fullname" . }} - key: RABBITMQ_DEFAULT_PASS -{{- end }} -{{- $fullname := include "share.fullname" . 
-}} -{{- range $key, $value := .Values.configEnvs }} -- name: {{ $key }} - valueFrom: - configMapKeyRef: - name: {{ $fullname }} - key: {{ $key }} -{{- end }} -{{- range $key, $value := .Values.secretEnvs }} -- name: {{ $key }} - valueFrom: - secretKeyRef: - name: {{ $fullname }} - key: {{ $key }} -{{- end }} -{{- end -}} diff --git a/share/templates/beat-deployment.yaml b/share/templates/beat-deployment.yaml deleted file mode 100644 index a01a3cc3..00000000 --- a/share/templates/beat-deployment.yaml +++ /dev/null 
@@ -1,77 +0,0 @@
-{{- if .Values.beat.enabled -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ template "share.beat.fullname" . }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.beat.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- selector:
- matchLabels:
- app: {{ template "share.name" . }}
- component: "{{ .Values.beat.name }}"
- release: {{ .Release.Name }}
- replicas: 1
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: {{ template "share.name" . }}
- component: "{{ .Values.beat.name }}"
- release: {{ .Release.Name }}
- annotations:
- {{- include "share.deploymentAnnotations" . | nindent 8 }}
- spec:
- affinity:
- {{- if .Values.beat.additionalAffinities }}
- {{- toYaml .Values.beat.additionalAffinities | nindent 8 }}
- {{- end }}
- containers:
- - name: {{ .Values.beat.name }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command:
- - /bin/sh
- - -c
- - |-
- PREFIX=''
- if [ -f /code/newrelic.ini ]; then
- PREFIX='newrelic-admin run-program'
- fi
- $PREFIX gosu www-data celery --app project beat \
- --loglevel "{{ .Values.beat.logLevel }}" --pidfile=
- env:
- {{- include "share.environment" . | nindent 12 }}
- {{- range $key, $value := .Values.beat.env }}
- - name: {{ $key }}
- value: {{ $value | quote }}
- {{- end }}
- volumeMounts:
- {{- if .Values.volumeMounts }}
- {{- toYaml .Values.volumeMounts | nindent 12 }}
- {{- end }}
- {{- if .Values.beat.volumeMounts }}
- {{- toYaml .Values.beat.volumeMounts | nindent 12 }}
- {{- end }}
- {{- if .Values.beat.resources }}
- resources:
- {{- toYaml .Values.beat.resources | nindent 12 }}
- {{- end }}
- volumes:
- - name: config
- configMap:
- name: {{ template "share.fullname" . }}
- - name: secret
- secret:
- secretName: {{ template "share.fullname" . }}
- {{- if .Values.postgresqlCertificateSecret }}
- - name: postgresql-certs
- secret:
- secretName: {{ .Values.postgresqlCertificateSecret }}
- {{- end }}
-{{- end -}}
diff --git a/share/templates/beat.yaml b/share/templates/beat.yaml
new file mode 100644
index 00000000..6354d577
--- /dev/null
+++ b/share/templates/beat.yaml
@@ -0,0 +1,3 @@
+{{- include "cos-common.configmap" (dict "root" . "name" "beat" "values" .Values.beat) }}
+{{- include "cos-common.secret" (dict "root" . "name" "beat" "values" .Values.beat) }}
+{{- include "cos-common.deployment" (dict "root" . "name" "beat" "values" .Values.beat) }}
diff --git a/share/templates/certificate.yaml b/share/templates/certificate.yaml
deleted file mode 100644
index 2aa9137b..00000000
--- a/share/templates/certificate.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- if .Values.web.certificate.enabled -}}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: "{{ template "share.web.certificate.fullname" . }}"
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- secretName: "{{ template "share.web.certificate.fullname" . }}"
- issuerRef:
- name: {{ .Values.web.certificate.issuerRef.name }}
- kind: {{ .Values.web.certificate.issuerRef.kind }}
- commonName: {{ .Values.web.certificate.commonName }}
- dnsNames:
- {{- range .Values.web.certificate.dnsNames }}
- - {{ . }}
- {{- end }}
- acme:
- config:
- - http01:
- {{- if hasKey .Values.web.certificate.acmeConfig.http01 "ingress" }}
- ingress: {{ .Values.web.certificate.acmeConfig.http01.ingress }}
- {{- else }}
- ingress: {{ template "share.web.fullname" . }}
- {{- end }}
- domains:
- {{- range .Values.web.certificate.acmeConfig.domains }}
- - {{ . }}
- {{- end }}
-{{- end -}}
diff --git a/share/templates/common.yaml b/share/templates/common.yaml
new file mode 100644
index 00000000..952eddf2
--- /dev/null
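Review bot: The three `{{- include … }}` lines in share/templates/beat.yaml are chained with left-trimming and no explicit `---` between them, so the ConfigMap, Secret and Deployment come out as separate documents only if each `cos-common` helper emits its own document separator; those helpers are not visible in this diff. The deleted beat-deployment.yaml was wrapped in `{{- if .Values.beat.enabled -}}`, and nothing here shows that the helpers keep that gate, so it is worth confirming with `helm template` that `enabled: false` still suppresses all three objects. The separator question applies equally to common.yaml, indexer.yaml and migration.yaml, and the gate to indexer.yaml and migration.yaml. Once confirmed, a short header comment in each file, for example `{{/* Objects rendered by cos-common; enablement is checked inside the helpers */}}`, would record where that logic now lives.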
+++ b/share/templates/common.yaml
@@ -0,0 +1,2 @@
+{{- include "cos-common.configmap" (dict "root" . "name" "" "values" .Values.common) }}
+{{- include "cos-common.secret" (dict "root" . "name" "" "values" .Values.common) }}
diff --git a/share/templates/configmap.yaml b/share/templates/configmap.yaml
deleted file mode 100644
index 0a048f3d..00000000
--- a/share/templates/configmap.yaml
+++ /dev/null
@@ -1,131 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "share.fullname" . }} - labels: - app: {{ template "share.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{- define "share.inlineconfigs" }} -nginx.conf: |- - user nginx; - worker_processes 1; - - pid /var/run/nginx.pid; - - error_log /var/log/nginx/error.log warn; - - events { - worker_connections 1024; - } - - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $upstream_cache_status $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" ' - 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 620s; - keepalive_requests 10000; - types_hash_max_size 2048; - server_tokens off; - - gzip on; - gzip_disable "MSIE [1-6]\.(?!.*SV1)"; - gzip_comp_level 2; - gzip_min_length 512; - gzip_proxied any; - gzip_vary on; - gzip_types text/plain - text/css - image/svg+xml - application/javascript - application/x-javascript - text/xml - application/xml - text/javascript - application/json - application/xml+rss - application/vnd.api+json; - - server { - listen {{ .Values.web.service.internalPort }}; - keepalive_timeout 620s; - root /static/code; - client_max_body_size 25M; - server_name _; - - if ($http_x_forwarded_proto = "http") { - return 301 https://$host$request_uri; - } - - location = /healthz { - access_log off; - return 200; - } - - location = /robots.txt { - alias /usr/share/nginx/html/robots.txt; - } - - {{- if .Values.configEnvs.MEDIA_URL }} - location /media/ { - proxy_redirect off; - proxy_buffering off; - proxy_pass {{ .Values.configEnvs.MEDIA_URL }}; - } - {{- else }} - # 
location /media/ { - # alias /media/; - # } - {{- end }} - - location = /favicon.ico { - rewrite ^/(.*)$ /static/$1; - } - - {{- if .Values.configEnvs.STATIC_URL }} - location /static/ { - proxy_redirect off; - proxy_buffering off; - proxy_pass {{ .Values.configEnvs.STATIC_URL }}; - } - {{- else }} - location /static/ { - alias /static/; - } - {{- end }} - - location / { - # Disable caching of application requests - add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate"; - add_header Expires "-1"; - add_header Pragma "no-cache"; - add_header Strict-Transport-Security "max-age=31536000"; - - # Pass requests to uwsgi application - include /etc/nginx/uwsgi_params; - uwsgi_buffering off; - uwsgi_request_buffering off; - uwsgi_pass uwsgi://127.0.0.1:{{ .Values.web.service.externalPort }}; - } - - } - } -{{- end -}} -{{- range $key, $value := .Values.configEnvs }} - {{ $key }}: {{ $value | quote }} -{{- end }} -{{- range $key, $value := merge .Values.configFiles (include "share.inlineconfigs" . | fromYaml) ((.Files.Glob "files/*").AsConfig | fromYaml) }} - {{ $key }}: |- - {{- $value | nindent 4 }} -{{- end }} diff --git a/share/templates/indexer-deployment.yaml b/share/templates/indexer-deployment.yaml deleted file mode 100644 index 5f1625f1..00000000 --- a/share/templates/indexer-deployment.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -{{- if .Values.indexer.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "share.indexer.fullname" . }} - labels: - app: {{ template "share.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - component: "{{ .Values.indexer.name }}" - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ template "share.name" . }} - component: "{{ .Values.indexer.name }}" - release: {{ .Release.Name }} - replicas: {{ .Values.indexer.replicaCount }} - template: - metadata: - labels: - app: {{ template "share.name" . }} - component: "{{ .Values.indexer.name }}" - release: {{ .Release.Name }} - annotations: - {{- include "share.deploymentAnnotations" . | nindent 8 }} - spec: - affinity: - {{- if .Values.indexer.additionalAffinities }} - {{- toYaml .Values.indexer.additionalAffinities | nindent 8 }} - {{- end }} - {{- if eq .Values.indexer.antiAffinity "hard" }} - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "share.name" . }} - release: "{{ .Release.Name }}" - component: "{{ .Values.indexer.name }}" - {{- else if eq .Values.indexer.antiAffinity "soft" }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "share.name" . }} - release: "{{ .Release.Name }}" - component: "{{ .Values.indexer.name }}" - {{- end }} - containers: - - name: {{ .Values.indexer.name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /bin/sh - - -c - - |- - PREFIX='' - if [ -f /code/newrelic.ini ]; then - PREFIX='newrelic-admin run-program' - fi - $PREFIX gosu www-data python manage.py shtrove_indexer_run - env: - {{- include "share.environment" . 
| nindent 12 }} - {{- range $key, $value := .Values.indexer.env }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} - volumeMounts: - {{- if .Values.volumeMounts }} - {{- toYaml .Values.volumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.indexer.volumeMounts }} - {{- toYaml .Values.indexer.volumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.indexer.resources }} - resources: - {{- toYaml .Values.indexer.resources | nindent 12 }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ template "share.fullname" . }} - - name: secret - secret: - secretName: {{ template "share.fullname" . }} - - name: elasticsearch-certs - secret: - secretName: {{ .Values.elasticsearchCertificateSecret }} - {{- if .Values.postgresqlCertificateSecret }} - - name: postgresql-certs - secret: - secretName: {{ .Values.postgresqlCertificateSecret }} - {{- end }} -{{- end -}} diff --git a/share/templates/indexer-hpa.yaml b/share/templates/indexer-hpa.yaml deleted file mode 100644 index 74664eef..00000000 --- a/share/templates/indexer-hpa.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.indexer.horizontalPodAutoscaler.enabled -}} -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ template "share.indexer.fullname" . }} - labels: - app: {{ template "share.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - component: "{{ .Values.indexer.name }}" - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ template "share.indexer.fullname" . }} - minReplicas: {{ .Values.indexer.replicaCount }} - maxReplicas: {{ .Values.indexer.horizontalPodAutoscaler.maxReplicas }} - targetCPUUtilizationPercentage: {{ .Values.indexer.horizontalPodAutoscaler.targetCPUUtilizationPercentage }} -{{- end -}} diff --git a/share/templates/indexer-pdb.yaml b/share/templates/indexer-pdb.yaml deleted file mode 100644 index 2525a1c6..00000000 
--- a/share/templates/indexer-pdb.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.indexer.budget.minAvailable -}}
-{{- if .Capabilities.APIVersions.Has "policy/v1" -}}
-apiVersion: policy/v1
-{{- else}}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: "{{ template "share.indexer.fullname" . }}"
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.indexer.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- selector:
- matchLabels:
- app: {{ template "share.name" . }}
- component: "{{ .Values.indexer.name }}"
- release: {{ .Release.Name }}
- minAvailable: {{ .Values.indexer.budget.minAvailable }}
-{{- end -}}
diff --git a/share/templates/indexer.yaml b/share/templates/indexer.yaml
new file mode 100644
index 00000000..2e48d3d3
--- /dev/null
+++ b/share/templates/indexer.yaml
@@ -0,0 +1,5 @@
+{{- include "cos-common.configmap" (dict "root" . "name" "indexer" "values" .Values.indexer) }}
+{{- include "cos-common.secret" (dict "root" . "name" "indexer" "values" .Values.indexer) }}
+{{- include "cos-common.deployment" (dict "root" . "name" "indexer" "values" .Values.indexer) }}
+{{- include "cos-common.hpa" (dict "root" . "name" "indexer" "values" .Values.indexer) }}
+{{- include "cos-common.pdb" (dict "root" . "name" "indexer" "values" .Values.indexer) }}
diff --git a/share/templates/migration-job.yaml b/share/templates/migration-job.yaml
deleted file mode 100644
index 04275b2e..00000000
--- a/share/templates/migration-job.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- if .Values.migration.enabled -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ template "share.migration.fullname" . }}-{{ .Release.Revision }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.migration.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- "helm.sh/hook": post-install,post-upgrade
-spec:
- activeDeadlineSeconds: 900
- template:
- metadata:
- name: "{{ .Release.Name }}"
- labels:
- app: {{ template "share.name" . }}
- component: "{{ .Values.migration.name }}"
- release: {{ .Release.Name }}
- spec:
- restartPolicy: Never
- containers:
- - name: {{ .Values.migration.name }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command:
- - /bin/sh
- - -c
- - |-
- PREFIX=''
- if [ -f /code/newrelic.ini ]; then
- PREFIX='newrelic-admin run-program'
- fi
- $PREFIX python manage.py migrate
- env:
- {{- include "share.environment" . | nindent 12 }}
- {{- range $key, $value := .Values.migration.env }}
- - name: {{ $key }}
- value: {{ $value | quote }}
- {{- end }}
- volumeMounts:
- {{- if .Values.volumeMounts }}
- {{- toYaml .Values.volumeMounts | nindent 12 }}
- {{- end }}
- {{- if .Values.migration.volumeMounts }}
- {{- toYaml .Values.migration.volumeMounts | nindent 12 }}
- {{- end }}
- volumes:
- - name: config-volume
- configMap:
- name: {{ template "share.fullname" . }}
- - name: secret-volume
- secret:
- secretName: {{ template "share.fullname" . }}
- {{- if .Values.postgresqlCertificateSecret }}
- - name: postgresql-certs
- secret:
- secretName: {{ .Values.postgresqlCertificateSecret }}
- {{- end }}
-{{- end -}}
diff --git a/share/templates/migration.yaml b/share/templates/migration.yaml
new file mode 100644
index 00000000..ac06bd2b
--- /dev/null
+++ b/share/templates/migration.yaml
@@ -0,0 +1,3 @@
+{{- include "cos-common.configmap" (dict "root" . "name" "migration" "values" .Values.migration) }}
+{{- include "cos-common.secret" (dict "root" . "name" "migration" "values" .Values.migration) }}
+{{- include "cos-common.job" (dict "root" . "name" "migration" "values" .Values.migration) }}
diff --git a/share/templates/pg-secret.yaml b/share/templates/pg-secret.yaml
deleted file mode 100644
index 548058fc..00000000
--- a/share/templates/pg-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if and (.Values.tls.enabled) (.Values.tls.postgresql.enabled) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-postgresql-certs
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-type: Opaque
-data:
- {{- range $key, $value := .Values.tls.postgresql.files }}
- {{ $key }}: {{ $value | b64enc | quote }}
- {{- end }}
-{{- end }}
diff --git a/share/templates/secret.yaml b/share/templates/secret.yaml
deleted file mode 100644
index 730fc632..00000000
--- a/share/templates/secret.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "share.fullname" . }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-type: Opaque
-data:
-{{- range $key, $value := .Values.secretEnvs }}
- {{ $key }}: {{ $value | b64enc | quote }}
-{{- end }}
-{{- range $key, $value := .Values.secretFiles }}
- {{ $key }}: {{ $value | b64enc | quote }}
-{{- end }}
diff --git a/share/templates/web-deployment.yaml b/share/templates/web-deployment.yaml
deleted file mode 100644
index 6b567f5d..00000000
--- a/share/templates/web-deployment.yaml
+++ /dev/null
@@ -1,155 +0,0 @@ -{{- if .Values.web.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "share.web.fullname" . }} - labels: - app: {{ template "share.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - component: "{{ .Values.web.name }}" - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ template "share.name" . }} - component: "{{ .Values.web.name }}" - release: {{ .Release.Name }} - replicas: {{ .Values.web.replicaCount }} - template: - metadata: - labels: - app: {{ template "share.name" . }} - component: "{{ .Values.web.name }}" - release: {{ .Release.Name }} - annotations: - {{- include "share.deploymentAnnotations" . | indent 8 }} - spec: - affinity: - {{- if .Values.web.additionalAffinities }} - {{- toYaml .Values.web.additionalAffinities | nindent 8 }} - {{- end }} - {{- if eq .Values.web.antiAffinity "hard" }} - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "share.name" . }} - release: "{{ .Release.Name }}" - component: "{{ .Values.web.name }}" - {{- else if eq .Values.web.antiAffinity "soft" }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "share.name" . 
}} - release: "{{ .Release.Name }}" - component: "{{ .Values.web.name }}" - {{- end }} - initContainers: - - name: collectstatic - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - python - - manage.py - - collectstatic - - --noinput - volumeMounts: - - mountPath: /code/static - name: static - containers: - - name: nginx - image: "{{ .Values.web.nginx.image.repository }}:{{ .Values.web.nginx.image.tag }}" - imagePullPolicy: {{ .Values.web.nginx.image.pullPolicy }} - command: - - nginx - - -c - - /etc/nginx/nginx.conf - - -g - - daemon off; - ports: - - name: http - containerPort: {{ .Values.web.service.internalPort }} - readinessProbe: - httpGet: - path: /healthz - port: {{ .Values.web.service.internalPort }} - initialDelaySeconds: 10 - volumeMounts: - - mountPath: /static - name: static - - mountPath: /etc/nginx/nginx.conf - name: config - subPath: nginx.conf - readOnly: true - - mountPath: /usr/share/nginx/html/robots.txt - name: config - subPath: robots.txt - readOnly: true - resources: - {{- toYaml .Values.web.nginx.resources | nindent 12 }} - - name: uwsgi - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /bin/sh - - -c - - |- - PREFIX='' - if [ -f /code/newrelic.ini ]; then - PREFIX='newrelic-admin run-program' - fi - $PREFIX uwsgi --ini /etc/uwsgi/uwsgi.ini --socket :{{ .Values.web.service.externalPort }} - env: - {{- include "share.environment" . 
| nindent 12 }} - {{- range $key, $value := .Values.web.env }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} - ports: - - name: wsgi - containerPort: {{ .Values.web.service.externalPort }} - - name: stats - containerPort: 1717 - readinessProbe: - tcpSocket: - port: {{ .Values.web.service.externalPort }} - initialDelaySeconds: 10 - volumeMounts: - - mountPath: /etc/uwsgi/uwsgi.ini - name: config - subPath: uwsgi.ini - readOnly: true - {{- if .Values.volumeMounts }} - {{- toYaml .Values.volumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.web.volumeMounts }} - {{- toYaml .Values.web.volumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.web.resources }} - resources: - {{- toYaml .Values.web.resources | nindent 12 }} - {{- end }} - volumes: - - name: static - emptyDir: {} - - name: config - configMap: - name: {{ template "share.fullname" . }} - - name: secret - secret: - secretName: {{ template "share.fullname" . }} - - name: elasticsearch-certs - secret: - secretName: {{ .Values.elasticsearchCertificateSecret }} - {{- if .Values.postgresqlCertificateSecret }} - - name: postgresql-certs - secret: - secretName: {{ .Values.postgresqlCertificateSecret }} - {{- end }} -{{- end -}} diff --git a/share/templates/web-hpa.yaml b/share/templates/web-hpa.yaml deleted file mode 100644 index ab4cf340..00000000 --- a/share/templates/web-hpa.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
-{{- if .Values.web.horizontalPodAutoscaler.enabled -}}
-apiVersion: autoscaling/v1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ template "share.web.fullname" . }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.web.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ template "share.web.fullname" . }}
- minReplicas: {{ .Values.web.replicaCount }}
- maxReplicas: {{ .Values.web.horizontalPodAutoscaler.maxReplicas }}
- targetCPUUtilizationPercentage: {{ .Values.web.horizontalPodAutoscaler.targetCPUUtilizationPercentage }}
-{{- end -}}
diff --git a/share/templates/web-ingress.yaml b/share/templates/web-ingress.yaml
deleted file mode 100644
index 7c77023c..00000000
--- a/share/templates/web-ingress.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- if .Values.web.ingress.enabled -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ template "share.web.fullname" . }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.web.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- {{- if .Values.web.ingress.annotations }}
- annotations:
- {{- toYaml .Values.web.ingress.annotations | nindent 4 }}
- {{- end }}
-spec:
- rules:
- {{- range .Values.web.ingress.hosts }}
- - host: {{ . }}
- http:
- paths:
- {{- range $.Values.web.ingress.paths }}
- - path: {{ . }}
- pathType: ImplementationSpecific
- backend:
- service:
- name: {{ include "share.web.fullname" $ }}
- port:
- number: {{ $.Values.web.service.externalPort }}
- {{- end -}}
- {{- end -}}
- {{- if (or .Values.web.ingress.tls (and .Values.web.certificate.enabled .Values.web.certificate.tls)) }}
- tls:
- {{- if .Values.web.ingress.tls }}
- {{- toYaml .Values.web.ingress.tls | nindent 4 }}
- {{- end -}}
- {{- if (and .Values.web.certificate.enabled .Values.web.certificate.tls) }}
- - secretName: "{{ template "share.web.certificate.fullname" . }}"
- hosts:
- {{- range .Values.web.certificate.acmeConfig.domains }}
- - {{ . }}
- {{- end }}
- {{- end -}}
- {{- end -}}
-{{- end -}}
diff --git a/share/templates/web-pdb.yaml b/share/templates/web-pdb.yaml
deleted file mode 100644
index f1b05156..00000000
--- a/share/templates/web-pdb.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.web.budget.minAvailable -}}
-{{- if .Capabilities.APIVersions.Has "policy/v1" -}}
-apiVersion: policy/v1
-{{- else}}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: "{{ template "share.web.fullname" . }}"
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.web.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- selector:
- matchLabels:
- app: {{ template "share.name" . }}
- component: "{{ .Values.web.name }}"
- release: {{ .Release.Name }}
- minAvailable: {{ .Values.web.budget.minAvailable }}
-{{- end -}}
diff --git a/share/templates/web-service.yaml b/share/templates/web-service.yaml
deleted file mode 100644
index 4b14637f..00000000
--- a/share/templates/web-service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.web.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "share.web.fullname" . }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.web.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- type: {{ .Values.web.service.type }}
- ports:
- - port: {{ .Values.web.service.externalPort }}
- targetPort: {{ .Values.web.service.internalPort }}
- protocol: TCP
- name: {{ .Values.web.service.name }}
- selector:
- app: {{ template "share.name" . }}
- component: "{{ .Values.web.name }}"
- release: {{ .Release.Name }}
-{{- end -}}
diff --git a/share/templates/web.yaml b/share/templates/web.yaml
new file mode 100644
index 00000000..9ccd31d6
--- /dev/null
+++ b/share/templates/web.yaml
@@ -0,0 +1,8 @@
+{{- include "cos-common.configmap" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.secret" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.certificate" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.deployment" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.service" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.ingress" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.hpa" (dict "root" . "name" "web" "values" .Values.web) }}
+{{- include "cos-common.pdb" (dict "root" . "name" "web" "values" .Values.web) }}
diff --git a/share/templates/worker-deployment.yaml b/share/templates/worker-deployment.yaml
deleted file mode 100644
index 4456eda4..00000000
--- a/share/templates/worker-deployment.yaml
+++ /dev/null
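Review bot: Nothing in the new `web.yaml` shows whether the eight `cos-common.*` includes honour the `enabled` flags that the deleted templates checked inline (`.Values.web.enabled`, `.Values.web.ingress.enabled` and so on); that gating, along with the pod and Secret specs, now lives in a library chart this diff does not show. The same applies to the five includes in `share/templates/worker.yaml`. The `cos-common.configmap` and `cos-common.secret` calls are also handed `.Values.web`, which as far as the visible values go has no `configMap` or `secret` section, so they presumably render nothing, but that depends on nil handling in the dependency. I would state the contract at the top of both files, e.g. `{{- /* Rendered by cos-common; each helper is expected to emit nothing unless the component and its own section are enabled. */ -}}`, and review the `helm template` output with `Chart.lock` committed rather than these includes alone.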
@@ -1,106 +0,0 @@ -{{- if .Values.worker.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "share.worker.fullname" . }} - labels: - app: {{ template "share.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - component: "{{ .Values.worker.name }}" - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ template "share.name" . }} - component: "{{ .Values.worker.name }}" - release: {{ .Release.Name }} - replicas: {{ .Values.worker.replicaCount }} - template: - metadata: - labels: - app: {{ template "share.name" . }} - component: "{{ .Values.worker.name }}" - release: {{ .Release.Name }} - annotations: - {{- include "share.deploymentAnnotations" . | nindent 8 }} - spec: - affinity: - {{- if .Values.worker.additionalAffinities }} - {{- toYaml .Values.worker.additionalAffinities | nindent 8 }} - {{- end }} - {{- if eq .Values.worker.antiAffinity "hard" }} - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "share.name" . }} - release: "{{ .Release.Name }}" - component: "{{ .Values.worker.name }}" - {{- else if eq .Values.worker.antiAffinity "soft" }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "share.name" . 
}} - release: "{{ .Release.Name }}" - component: "{{ .Values.worker.name }}" - {{- end }} - containers: - - name: {{ .Values.worker.name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /bin/sh - - -c - - |- - PREFIX='' - if [ -f /code/newrelic.ini ]; then - PREFIX='newrelic-admin run-program' - fi - $PREFIX gosu www-data celery --app project worker \ - --concurrency "{{ .Values.worker.concurrency }}" --loglevel "{{ .Values.worker.logLevel }}" \ - --hostname $POD_NAME --without-gossip -Ofair - {{- if .Values.worker.maxTasksPerChild }} --max-tasks-per-child "{{ .Values.worker.maxTasksPerChild }}"{{- end }} - {{- if .Values.worker.queues }} --queues "{{ .Values.worker.queues }}"{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - {{- include "share.environment" . | nindent 12 }} - {{- range $key, $value := .Values.worker.env }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} - volumeMounts: - {{- if .Values.volumeMounts }} - {{- toYaml .Values.volumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.worker.volumeMounts }} - {{- toYaml .Values.worker.volumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.worker.resources }} - resources: - {{- toYaml .Values.worker.resources | nindent 12 }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ template "share.fullname" . }} - - name: secret - secret: - secretName: {{ template "share.fullname" . }} - - name: elasticsearch-certs - secret: - secretName: {{ .Values.elasticsearchCertificateSecret }} - {{- if .Values.postgresqlCertificateSecret }} - - name: postgresql-certs - secret: - secretName: {{ .Values.postgresqlCertificateSecret }} - {{- end }} -{{- end -}} diff --git a/share/templates/worker-hpa.yaml b/share/templates/worker-hpa.yaml deleted file mode 100644 index e4d49c64..00000000 --- a/share/templates/worker-hpa.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
-{{- if .Values.worker.horizontalPodAutoscaler.enabled -}}
-apiVersion: autoscaling/v1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ template "share.worker.fullname" . }}
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.worker.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ template "share.worker.fullname" . }}
- minReplicas: {{ .Values.worker.replicaCount }}
- maxReplicas: {{ .Values.worker.horizontalPodAutoscaler.maxReplicas }}
- targetCPUUtilizationPercentage: {{ .Values.worker.horizontalPodAutoscaler.targetCPUUtilizationPercentage }}
-{{- end -}}
diff --git a/share/templates/worker-pdb.yaml b/share/templates/worker-pdb.yaml
deleted file mode 100644
index dcd3c1b8..00000000
--- a/share/templates/worker-pdb.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.worker.budget.minAvailable -}}
-{{- if .Capabilities.APIVersions.Has "policy/v1" -}}
-apiVersion: policy/v1
-{{- else}}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: "{{ template "share.worker.fullname" . }}"
- labels:
- app: {{ template "share.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- component: "{{ .Values.worker.name }}"
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- selector:
- matchLabels:
- app: {{ template "share.name" . }}
- component: "{{ .Values.worker.name }}"
- release: {{ .Release.Name }}
- minAvailable: {{ .Values.worker.budget.minAvailable }}
-{{- end -}}
diff --git a/share/templates/worker.yaml b/share/templates/worker.yaml
new file mode 100644
index 00000000..2a14b70a
--- /dev/null
+++ b/share/templates/worker.yaml
@@ -0,0 +1,5 @@
+{{- include "cos-common.configmap" (dict "root" . "name" "worker" "values" .Values.worker) }}
+{{- include "cos-common.secret" (dict "root" . "name" "worker" "values" .Values.worker) }}
+{{- include "cos-common.deployment" (dict "root" . "name" "worker" "values" .Values.worker) }}
+{{- include "cos-common.hpa" (dict "root" . "name" "worker" "values" .Values.worker) }}
+{{- include "cos-common.pdb" (dict "root" . "name" "worker" "values" .Values.worker) }}
diff --git a/share/values.yaml b/share/values.yaml
index 2b74ef7c..10eef625 100644
--- a/share/values.yaml
+++ b/share/values.yaml
@@ -1,293 +1,701 @@ -# Default values for lookit. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +### ------- Global or Reusable parts across values.yaml ------- + +## ------- Global images image: repository: quay.io/centerforopenscience/share tag: develop pullPolicy: Always -elasticsearchCertificateSecret: -postgresqlCertificateSecret: +## ------- Global Secret names +elasticsearchCertificateSecret: "" # Be aware that it will use existing secret! if you do set name here then do not forget to uncomment/add volumes attachment for "elasticsearch-certs" volume and add volumeMounts. -beat: +# =============== COMMON Component =============== +# No workload in this component, only configs and secrets. +common: enabled: true - name: beat - - logLevel: DEBUG - resources: {} - #limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 100m - # memory: 128Mi +# ------- ConfigMap configuration ------- +# configmap name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}' + configMap: + enabled: true + tpl: true + data: + nginx.conf: |- + {{ tpl (.Files.Get "files/nginx.conf") (dict "Values" .Values "root" .) }} + uwsgi.ini: |- + {{ .Files.Get "files/uwsgi.ini" }} + robots.txt: |- + {{ .Files.Get "files/robots.txt" }} + +# configmap name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}' + name + additionalConfigMaps: + - name: common-env + enabled: true + tpl: false + data: + DEBUG: "" + DJANGO_SETTINGS_MODULE: project.settings + ALLOWED_HOSTS: "*" + + +# ------- Secrets configuration ------- +# secret name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}' + secret: + enabled: true + includeTls: false + data: {} + # googleAppCreds.json: |- + # ... + + +# secret name: '{{ include "cos-common.fullname" (dict "root" . 
"name" "") | trim }}' + name + additionalSecrets: + - name: common-env + enabled: true + includeTls: false + data: {} + # BYPASS_THROTTLE_TOKEN: abc123 + + # Create secret with TLS certs for Postgres + # If enable this secret then do not forget to uncomment/add volumes attachment for "postgresql-certs" volume and add volumeMounts. + # Secret name will be Release.Name-Chart.Name-name + - name: postgresql-certs + enabled: false + includeTls: false + data: + root.crt: |- + crt + root.crl: |- + crl + postgresql.key: |- + key + postgresql.crt: |- + crt + +# =============== WEB Component =============== web: enabled: true - name: web - replicaCount: 1 - antiAffinity: soft + replicas: 1 - budget: - minAvailable: 0 + http: + internalPort: 80 + externalPort: 8000 + serviceType: ClusterIP - nginx: - image: - repository: nginx - tag: alpine - pullPolicy: Always - resources: {} - #limits: - # cpu: "1" - # memory: 128Mi - #requests: - # cpu: 100m - # memory: 128Mi + mediaUrl: "" + staticUrl: "" - resources: {} - #limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 100m - # memory: 128Mi - - horizontalPodAutoscaler: - enabled: false - maxReplicas: 3 - targetCPUUtilizationPercentage: 90 +# ------- Configuration follows for containerName: nginx ------- + image: + repository: nginx + tag: alpine + pullPolicy: Always + + containerName: nginx + + command: + - nginx + - -c + - /etc/nginx/nginx.conf + - -g + - daemon off; + + ports: + - name: http-internal + containerPort: "{{ .Values.web.http.internalPort }}" + + probes: + readiness: + httpGet: + path: /healthz + port: "{{ .Values.web.http.internalPort }}" + initialDelaySeconds: 10 + + volumeMounts: + - name: static + mountPath: /static + readOnly: true + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + readOnly: true + - name: config + mountPath: /usr/share/nginx/html/robots.txt + subPath: robots.txt + readOnly: true + resources: {} + # limits: + # cpu: "1" + # memory: 128Mi + # requests: + # cpu: 
100m + # memory: 128Mi + + +# ------- Init containers ------- + initContainers: + - name: collectstatic + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + command: + - python + - manage.py + - collectstatic + - --noinput + volumeMounts: + - mountPath: /code/static + name: static + + +# ------- Additional containers ------- + uwsgi: + resources: {} + volumeMounts: + - name: config + mountPath: /etc/uwsgi/uwsgi.ini + subPath: uwsgi.ini + readOnly: true + + additionalContainers: + - name: uwsgi + inheritVolumeMountsFrom: uwsgi # <----- gets volume mounts from uwsgi set of vars above + inheritResourcesFrom: uwsgi # <----- gets resources from uwsgi set of vars above + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + command: + - /bin/sh + - -c + - |- + PREFIX='' + if [ -f /code/newrelic.ini ]; then + PREFIX='newrelic-admin run-program' + fi + $PREFIX uwsgi --ini /etc/uwsgi/uwsgi.ini --socket :{{ .Values.web.http.externalPort }} + envFrom: + - configMapRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + - secretRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + ports: + - name: wsgi + containerPort: "{{ .Values.web.http.externalPort }}" + - name: stats + containerPort: 1717 + readinessProbe: + tcpSocket: + port: "{{ .Values.web.http.externalPort }}" + initialDelaySeconds: 10 + + +# ------- Volumes configuration for the pod ------- + volumes: + - name: static + emptyDir: {} + - name: config + configMap: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + - name: secret + secret: + secretName: '{{ include "cos-common.fullname" (dict "root" . 
"name" "" "values" .Values.common) | trim }}' + + additionalVolumes: [] + # # If Postgres certs enabled <------- + # - name: postgresql-certs + # secret: + # secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "postgresql-certs") | trim }}' + # # If pass ElasticSearch certs <------- + # - name: elasticsearch-certs + # secret: + # secretName: "{{ .Values.elasticsearchCertificateSecret }}" + + +# ------- Affitnity configuration ------- + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: kubernetes.io/hostname + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: "{{ .Chart.Name }}" + # app.kubernetes.io/instance: "{{ .Release.Name }}" + # app.kubernetes.io/component: "{{ .Values.web.component }}" + + additionalAffinities: [] + + +# ------- Pod Annotations ------- + podAnnotations: + checksum/common-config: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.common "resource" "configmap") }}' + checksum/common-secret: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.common "resource" "secret") }}' + + +# ------- Service configuration ------- +# service name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}' service: - name: http - type: ClusterIP - externalPort: 8000 - internalPort: 80 + enabled: true + type: "{{ .Values.web.http.serviceType }}" + ports: + - name: http + port: "{{ .Values.web.http.externalPort }}" + targetPort: "{{ .Values.web.http.internalPort }}" + +# ------- Ingress configuration ------- +# ingress name: '{{ include "cos-common.fullname" (dict "root" . "name" "") | trim }}' ingress: enabled: false - # Used to create Ingress record (should used with service.type: ClusterIP). 
- hosts: - - chart-example.local - paths: - - / annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: 'true' - tls: - # Secrets must be manually created in the namespace. - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - + hosts: + primary: + - chart-example.local + rules: + - name: web + includeForPrimaryHost: true + includeForAdditionalHost: false + pathType: ImplementationSpecific + service: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "web" "values" .Values.web) | trim }}' + port: "{{ .Values.web.http.externalPort }}" + paths: + - / + tls: [] + + +# ------- Certificate configuration ------- (if we want to create Certificate object) +# certificate name: '{{ include "cos-common.fullname" (dict "root" . "name" "cert") | trim }}' certificate: enabled: false - name: cert - # WORKAROUND: Ingress deploy blocked to GLBC due to race condition w/ missing TLS certificate - # - Issue: https://github.com/jetstack/cert-manager/issues/606 - # - PR: https://github.com/kubernetes/ingress-gce/pull/388 - tls: true - # issuerRef: - # name: letsencrypt-prod - # kind: ClusterIssuer - # commonName: example.org - # dnsNames: - # - example.org - # - subdomain.example.org - # acmeConfig: - # http01: {} - # # ingress: '' - # domains: - # - example.org - # - subdomain.example.org - - env: {} - - volumeMounts: [] - -indexer: - enabled: true - name: indexer - replicaCount: 1 + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + commonName: example.org + dnsNames: + - example.org + acmeConfig: + http01: {} + domains: + - example.org + + +# ------- HPA configuration ------- + hpa: + enabled: false + minReplicas: "{{ .Values.web.replicas }}" + maxReplicas: 3 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 90 + behavior: {} + + +# ------- PDB configuration ------- + pdb: + enabled: false + minAvailable: 0 - antiAffinity: soft - budget: - minAvailable: 0 +# 
------- Selectors and etc. ------- - resources: {} - #limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 100m - # memory: 128Mi - - horizontalPodAutoscaler: - enabled: false - maxReplicas: 3 - targetCPUUtilizationPercentage: 90 + nodeSelector: {} - env: {} + tolerations: [] - volumeMounts: [] +# =============== WORKER Component =============== worker: enabled: true - name: worker - replicaCount: 1 - antiAffinity: soft + replicas: 1 - budget: - minAvailable: 0 + component: worker + +# ------- Configuration follows for containerName: "{{ .Values.worker.component }}" ------- + image: + repository: "{{ .Values.image.repository }}" + tag: "{{ .Values.image.tag }}" + pullPolicy: "{{ .Values.image.pullPolicy }}" + + containerName: "{{ .Values.worker.component }}" concurrency: 5 logLevel: INFO maxTasksPerChild: 5 - # queues: ... + queues: "" + + command: + - /bin/sh + - -c + - |- + PREFIX='' + if [ -f /code/newrelic.ini ]; then + PREFIX='newrelic-admin run-program' + fi + $PREFIX gosu www-data celery --app project worker \ + --concurrency "{{ .Values.worker.concurrency }}" --loglevel "{{ .Values.worker.logLevel }}" \ + --hostname $POD_NAME --without-gossip -Ofair + {{- if .Values.worker.maxTasksPerChild }} --max-tasks-per-child "{{ .Values.worker.maxTasksPerChild }}"{{- end }} + {{- if .Values.worker.queues }} --queues "{{ .Values.worker.queues }}"{{- end }} + + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + + envFrom: + - configMapRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + - secretRef: + name: '{{ include "cos-common.fullname" (dict "root" . 
"name" "common-env") | trim }}' + + volumeMounts: [] resources: {} - #limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 100m - # memory: 128Mi - - horizontalPodAutoscaler: + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +# ------- Volumes configuration for the pod ------- + volumes: + - name: config + configMap: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + - name: secret + secret: + secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + + additionalVolumes: [] + # # If Postgres certs enabled <------- + # - name: postgresql-certs + # secret: + # secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "postgresql-certs") | trim }}' + # # If pass ElasticSearch certs <------- + # - name: elasticsearch-certs + # secret: + # secretName: "{{ .Values.elasticsearchCertificateSecret }}" + + +# ------- Affitnity configuration ------- + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: kubernetes.io/hostname + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: "{{ .Chart.Name }}" + # app.kubernetes.io/instance: "{{ .Release.Name }}" + # app.kubernetes.io/component: "{{ .Values.worker.component }}" + + additionalAffinities: [] + + +# ------- Pod Annotations ------- + podAnnotations: + checksum/common-config: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.common "resource" "configmap") }}' + checksum/common-secret: '{{ include "cos-common.componentChecksum" (dict "root" . 
"name" "" "values" .Values.common "resource" "secret") }}' + + +# ------- HPA configuration ------- + hpa: enabled: false + minReplicas: "{{ .Values.worker.replicas }}" maxReplicas: 3 - targetCPUUtilizationPercentage: 90 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 90 + behavior: {} + + +# ------- PDB configuration ------- + pdb: + enabled: false + minAvailable: 0 - env: {} - volumeMounts: [] +# ------- Selectors and etc. ------- -migration: + nodeSelector: {} + + tolerations: [] + + +# =============== INDEXER Component =============== +indexer: enabled: true - name: migration - resources: {} - #limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 100m - # memory: 128Mi + replicas: 1 + + component: indexer - env: {} + # ------- Configuration follows for containerName: "{{ .Values.indexer.component }}" ------- + image: + repository: "{{ .Values.image.repository }}" + tag: "{{ .Values.image.tag }}" + pullPolicy: "{{ .Values.image.pullPolicy }}" + + containerName: "{{ .Values.indexer.component }}" + + command: + - /bin/sh + - -c + - |- + PREFIX='' + if [ -f /code/newrelic.ini ]; then + PREFIX='newrelic-admin run-program' + fi + $PREFIX gosu www-data python manage.py shtrove_indexer_run + + envFrom: + - configMapRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + - secretRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' volumeMounts: [] -configEnvs: - DEBUG: "" - DJANGO_SETTINGS_MODULE: project.settings - ALLOWED_HOSTS: "*" - -configFiles: {} - # Override configmap files here (and delete the {} above), e.g.: - #robots.txt: |- - # User-agent: * - # Disallow: / - -secretEnvs: {} - # BYPASS_THROTTLE_TOKEN: abc123 - -secretFiles: {} - # googleAppCreds.json: |- - # ... 
- -# volumeMounts: -# - mountPath: /code/project/settings/local.py -# name: secret-volume -# subPath: local.py -# readOnly: true -# - mountPath: /etc/googleAppCreds.json -# name: secret-volume -# subPath: googleAppCreds.json -# readOnly: true - -tls: - enabled: false - postgresql: + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +# ------- Volumes configuration for the pod ------- + volumes: + - name: config + configMap: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + - name: secret + secret: + secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + + additionalVolumes: [] + # # If Postgres certs enabled <------- + # - name: postgresql-certs + # secret: + # secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "postgresql-certs") | trim }}' + # # If pass ElasticSearch certs <------- + # - name: elasticsearch-certs + # secret: + # secretName: "{{ .Values.elasticsearchCertificateSecret }}" + + +# ------- Affitnity configuration ------- + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: kubernetes.io/hostname + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: "{{ .Chart.Name }}" + # app.kubernetes.io/instance: "{{ .Release.Name }}" + # app.kubernetes.io/component: "{{ .Values.indexer.component }}" + + additionalAffinities: [] + + +# ------- Pod Annotations ------- + podAnnotations: + checksum/common-config: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.common "resource" "configmap") }}' + checksum/common-secret: '{{ include "cos-common.componentChecksum" (dict "root" . 
"name" "" "values" .Values.common "resource" "secret") }}' + + +# ------- HPA configuration ------- + hpa: enabled: false - -postgresql: - enabled: true - standby: + minReplicas: "{{ .Values.indexer.replicas }}" + maxReplicas: 3 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 90 + behavior: {} + + +# ------- PDB configuration ------- + pdb: enabled: false - secrets: - POSTGRES_DB: share - POSTGRES_USER: share - POSTGRES_PASSWORD: share + minAvailable: 0 + + +# ------- Selectors and etc. ------- + + nodeSelector: {} + + tolerations: [] -rabbitmq: - enabled: true - secretEnvs: - RABBITMQ_DEFAULT_USER: guest - RABBITMQ_DEFAULT_PASS: guest -elasticsearch: +# =============== BEAT Component =============== +beat: enabled: true + replicas: 1 + + component: beat + + strategy: + type: Recreate + +# ------- Configuration follows for containerName: "{{ .Values.beat.component }}" ------- image: - repository: docker.elastic.co/elasticsearch/elasticsearch - tag: "5.6.7" - pullPolicy: "Always" + repository: "{{ .Values.image.repository }}" + tag: "{{ .Values.image.tag }}" + pullPolicy: "{{ .Values.image.pullPolicy }}" - rbac: - enabled: true + containerName: "{{ .Values.beat.component }}" - plugins: - enabled: true - remove: - - x-pack + logLevel: DEBUG - cluster: - env: - MINIMUM_MASTER_NODES: "1" - EXPECTED_MASTER_NODES: "1" - RECOVER_AFTER_MASTER_NODES: "1" + command: + - /bin/sh + - -c + - |- + PREFIX='' + if [ -f /code/newrelic.ini ]; then + PREFIX='newrelic-admin run-program' + fi + $PREFIX gosu www-data celery --app project beat \ + --loglevel "{{ .Values.beat.logLevel }}" --pidfile= + + envFrom: + - configMapRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + - secretRef: + name: '{{ include "cos-common.fullname" (dict "root" . 
"name" "common-env") | trim }}' - tls: - enabled: false + volumeMounts: [] - client: - name: client - replicas: 1 - serviceType: ClusterIP - heapSize: "128m" - resources: {} - # limits: - # cpu: "1" - # memory: "512Mi" - # requests: - # cpu: "25m" - # memory: "256Mi" - - master: - name: master - replicas: 1 - heapSize: "128m" - resources: {} - # limits: - # cpu: "1" - # memory: "512Mi" - # requests: - # cpu: "25m" - # memory: "256Mi" - - data: - name: data - replicas: 1 - heapSize: "1536m" - terminationGracePeriodSeconds: 3600 - resources: {} - # limits: - # cpu: "1" - # memory: "512Mi" - # requests: - # cpu: "25m" - # memory: "256Mi" + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +# ------- Volumes configuration for the pod ------- + volumes: + - name: config + configMap: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + - name: secret + secret: + secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + + additionalVolumes: [] + # # If Postgres certs enabled <------- + # - name: postgresql-certs + # secret: + # secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "postgresql-certs") | trim }}' + +# ------- Affitnity configuration ------- + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: kubernetes.io/hostname + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: "{{ .Chart.Name }}" + # app.kubernetes.io/instance: "{{ .Release.Name }}" + # app.kubernetes.io/component: "{{ .Values.beat.component }}" + + additionalAffinities: [] + + +# ------- Pod Annotations ------- + podAnnotations: + checksum/common-config: '{{ include "cos-common.componentChecksum" (dict "root" . 
"name" "" "values" .Values.common "resource" "configmap") }}' + checksum/common-secret: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.common "resource" "secret") }}' + + +# =============== MIGRATION Component =============== +migration: + enabled: true + + fullnameOverride: "{{ .Release.Name }}-{{ .Chart.Name }}-migration-{{ .Release.Revision }}" + + component: migration + +# ------- Configuration follows for containerName: "{{ .Values.migration.component }}" ------- + + image: + repository: "{{ .Values.image.repository }}" + tag: "{{ .Values.image.tag }}" + pullPolicy: "{{ .Values.image.pullPolicy }}" + + containerName: "{{ .Values.migration.component }}" + + activeDeadlineSeconds: 900 + + workloadAnnotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation + + restartPolicy: Never + + command: + - /bin/sh + - -c + - |- + PREFIX='' + if [ -f /code/newrelic.ini ]; then + PREFIX='newrelic-admin run-program' + fi + $PREFIX python manage.py migrate + + envFrom: + - configMapRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + - secretRef: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "common-env") | trim }}' + + +# ------- Volumes configuration for the pod ------- + volumes: + - name: config + configMap: + name: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + - name: secret + secret: + secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "" "values" .Values.common) | trim }}' + + additionalVolumes: [] + # # If Postgres certs enabled <------- + # - name: postgresql-certs + # secret: + # secretName: '{{ include "cos-common.fullname" (dict "root" . "name" "postgresql-certs") | trim }}' + + +# ------- Pod Annotations ------- + podAnnotations: + checksum/common-config: '{{ include "cos-common.componentChecksum" (dict "root" . 
"name" "" "values" .Values.common "resource" "configmap") }}' + checksum/common-secret: '{{ include "cos-common.componentChecksum" (dict "root" . "name" "" "values" .Values.common "resource" "secret") }}'
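Review bot: The `common-env` ConfigMap under `common.additionalConfigMaps` still defaults `ALLOWED_HOSTS: "*"`, carried over from the old `configEnvs`, and it is now injected through `envFrom` into the uwsgi, worker, indexer, beat and migration containers, so a default install presumably leaves Django's Host header validation disabled. The nginx config added in this commit listens with `server_name _`, so nothing in front of uwsgi narrows the accepted host either. I would default it to the hostname the ingress example already uses, `ALLOWED_HOSTS: chart-example.local`, with the comment `# set to the public hostnames; "*" disables Host header validation`, assuming `project.settings` reads the variable as a host list. Deployments that really need the wildcard can then opt in explicitly through an override.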