feat(config): improvment

README.md

@@ -32,27 +32,19 @@ It can be adapted to your scenario.
 cp values.example.yaml values.yaml
 ```
 
-## Deploy a PostgreSQL database
+## Prepare the database
 
-Here is the command to deploy a PostgreSQL database using the [Bitnami Helm Chart](https://artifacthub.io/packages/helm/bitnami/postgresql).
+You need a postgresql database with a dedicated owner.
 
-```sh
-helm repo add bitnami https://charts.bitnami.com/bitnami
-helm install store-server-db bitnami/postgresql --wait
-```
+In case you don't have one, you can use the provided helm chart to test it.  You can find detailed instructions in the [dedicated documentation](./docs/deploy-postgresql.md).
 
-Wait for the DB to be ready.
+### Create the database secret file
 
-### Create the database and users
+You need to provide the database password as a secret. You have to [create a secret](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_generic/) with the key `database-password-file` entry.
 
-```sh
-kubectl exec -i store-server-db-postgresql-0 -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'PGPASSWORD=$POSTGRES_PASSWORD psql' < create-db-and-users.sql
-```
-
-### Create the database secret file
+For example, if you have a postgresql database deployed with the helm chart, you can create the secret with the following command:
 
 ```sh
-# Create the new secret
 kubectl create secret generic database-password-file \
   --from-literal=database-password-file="$(kubectl get secret store-server-db-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)"
 ```
@@ -62,6 +54,7 @@ Make sure you have the following part in your custom `values.yaml` file:
 ```yaml
 store-server:
   secrets:
+    # database-password-file is the name of the secret
     database-password-file: /run/secrets/database-password-file
 ```
 

charts/ontopic-studio/identity/cookie-secret

@@ -1 +1 @@
-fW3MgE9f_hLd6_4rHGrDorLqVJ2tkXZjItJIfEGPZBg
+fW3MgE9f_hLd6_4rHGrDorLqVJ2tkXZjItJIfEGPZBg

charts/ontopic-studio/templates/config.yaml

@@ -17,17 +17,8 @@ data:
 --- # Identity Service
 apiVersion: v1
 kind: Secret
-metadata:
-    name: cookie-secret
-type: Opaque
-data:
-{{ (.Files.Glob "identity/cookie-secret").AsSecrets | indent 4 }}
----
-apiVersion: v1
-kind: Secret
 metadata:
     name: password-file-db
 type: Opaque
 data:
 {{ (.Files.Glob "identity/password-file-db").AsSecrets | indent 4 }}
-

charts/ontopic-studio/templates/job.yaml

@@ -0,0 +1,77 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-pre-install
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-2"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-pre-install
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-2"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-pre-install
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-1"
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ .Release.Name }}-pre-install
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-pre-install
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-generate-cookie-secret
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "1"
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      serviceAccountName: {{ .Release.Name }}-pre-install
+      restartPolicy: Never
+      containers:
+      - name: generate-secret
+        image: ghcr.io/ontopic-vkg/ontopic-helm/identity-service:helm-{{ .Chart.AppVersion }}
+        command: ["/usr/bin/entrypoint", "generate", "cookie"]
+        args: [ ">", "/mnt/secret/cookie-secret && cat /mnt/secret/cookie-secret" ]
+        volumeMounts:
+        - name: secret
+          mountPath: /mnt/secret
+      - name: create-secret
+        image: bitnami/kubectl:latest
+        command: ["sh", "-c", "while [ ! -f /mnt/data/output.txt ]; do sleep 1; done; cat /mnt/secret/cookie-secret && kubectl create secret generic cookie-secret --from-file=password=/mnt/secret/cookie-secret"]
+        volumeMounts:
+        - name: secret
+          mountPath: /mnt/secret
+      restartPolicy: Never
+      volumes:
+      - name: secret
+        emptyDir: {}

create-db-and-users.sql

@@ -1,8 +1,3 @@
--- create database gitea;
--- create user gitea with encrypted password 'Phei8Vai';
--- grant all privileges on database gitea to gitea;
--- alter database gitea OWNER TO gitea;
----
 create database internal;
 grant all privileges on database internal to postgres;
 alter database internal OWNER TO postgres;

docs/deploy-postgresql.md

@@ -0,0 +1,27 @@
+Deploy a PostgreSQL database
+============================
+
+Here is the command to deploy a PostgreSQL database using the [Bitnami Helm Chart](https://artifacthub.io/packages/helm/bitnami/postgresql).
+
+```sh
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm install store-server-db bitnami/postgresql --wait
+```
+
+Wait for the DB to be ready.
+
+Create the database and users
+-----------------------------
+
+```bash
+kubectl exec -i store-server-db-postgresql-0 -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'PGPASSWORD=$POSTGRES_PASSWORD psql' < create-db-and-users.sql
+```
+
+Create the database secret file
+-------------------------------
+
+```bash
+# Create the new secret
+kubectl create secret generic database-password-file \
+  --from-literal=database-password-file="$(kubectl get secret store-server-db-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)"
+```