diff --git a/autopush/.gitignore b/autopush/.gitignore
new file mode 100644
index 0000000..31014c3
--- /dev/null
+++ b/autopush/.gitignore
@@ -0,0 +1,2 @@
+charts/*.tgz
+values_test.yaml
diff --git a/autopush/.helmignore b/autopush/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/autopush/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/autopush/Chart.lock b/autopush/Chart.lock
new file mode 100644
index 0000000..50a66e1
--- /dev/null
+++ b/autopush/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+ repository: oci://docker.io/bitnamicharts
+ version: 20.6.1
+digest: sha256:c792eb1f889b58718def58d4bb80d370a1f5ddfc093e5902ab3d87441a4a769f
+generated: "2025-01-03T14:55:39.364820359+01:00"
diff --git a/autopush/Chart.yaml b/autopush/Chart.yaml
new file mode 100644
index 0000000..b6fb901
--- /dev/null
+++ b/autopush/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: autopush
+description: A Helm chart for Kubernetes
+icon:
+type: application
+version: 0.0.1
+# renovate: image=docker.io/mozilla-services/autopush-rs
+appVersion: "1.72.2"
+maintainers:
+ - name: WrenIX
+ url: https://wrenix.eu
+
+dependencies:
+ - name: redis
+ version: "20.6.1"
+ repository: "oci://docker.io/bitnamicharts"
+ condition: redis.internal
diff --git a/autopush/README.md b/autopush/README.md
new file mode 100644
index 0000000..c5fa170
--- /dev/null
+++ b/autopush/README.md
@@ -0,0 +1,149 @@ +--- +title: "autopush" + +description: "A Helm chart for Kubernetes" + +--- + +# autopush + +![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.72.2](https://img.shields.io/badge/AppVersion-1.72.2-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| WrenIX | | | + += Beta + +WARNING +==== +We let it run in production, but it is not stable / complete. + +TODOs: + - [ ] official container with redis backend, see: https://github.com/mozilla-services/autopush-rs/pull/813 + - [ ] automatical create CRYPT_KEY (instatt of key) + - [ ] better ingress / host name support + - [ ] Improve monitoring with alerts and grafana dashboard + +==== + +## Usage + +Helm must be installed and setup to your kubernetes cluster to use the charts. +Refer to Helm's [documentation](https://helm.sh/docs) to get started. 
+Once Helm has been set up correctly, fetch the charts as follows: + +```bash +helm pull oci://codeberg.org/wrenix/helm-charts/autopush +``` + +You can install a chart release using the following command: + +```bash +helm install autopush-release oci://codeberg.org/wrenix/helm-charts/autopush --values values.yaml +``` + +To uninstall a chart release use `helm`'s delete command: + +```bash +helm uninstall autopush-release +``` + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| oci://docker.io/bitnamicharts | redis | 20.6.1 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| autoconnect.affinity | object | `{}` | | +| autoconnect.image.pullPolicy | string | `"IfNotPresent"` | | +| autoconnect.image.registry | string | `"codeberg.org"` | | +| autoconnect.image.repository | string | `"wrenix/autopush/autoconnect"` | | +| autoconnect.image.tag | string | `"latest"` | | +| autoconnect.livenessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| autoconnect.nodeSelector | object | `{}` | | +| autoconnect.podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | +| autoconnect.podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. 
For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | +| autoconnect.podSecurityContext | object | `{}` | | +| autoconnect.readinessProbe.httpGet.path | string | `"/health"` | | +| autoconnect.readinessProbe.httpGet.port | string | `"http"` | | +| autoconnect.replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ | +| autoconnect.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | +| autoconnect.securityContext | object | `{}` | securityContext capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 | +| autoconnect.service.port | int | `80` | | +| autoconnect.service.type | string | `"ClusterIP"` | | +| autoconnect.tolerations | list | `[]` | | +| autoconnect.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. 
- name: foo mountPath: "/etc/foo" readOnly: true | +| autoendpoint.affinity | object | `{}` | | +| autoendpoint.image.pullPolicy | string | `"IfNotPresent"` | | +| autoendpoint.image.registry | string | `"codeberg.org"` | | +| autoendpoint.image.repository | string | `"wrenix/autopush/autoendpoint"` | | +| autoendpoint.image.tag | string | `"latest"` | | +| autoendpoint.livenessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| autoendpoint.nodeSelector | object | `{}` | | +| autoendpoint.podAnnotations | object | `{}` | | +| autoendpoint.podLabels | object | `{}` | | +| autoendpoint.podSecurityContext | object | `{}` | | +| autoendpoint.readinessProbe.httpGet.path | string | `"/health"` | | +| autoendpoint.readinessProbe.httpGet.port | string | `"http"` | | +| autoendpoint.replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ | +| autoendpoint.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | +| autoendpoint.securityContext | object | `{}` | | +| autoendpoint.service.port | int | `80` | | +| autoendpoint.service.type | string | `"ClusterIP"` | | +| autoendpoint.tolerations | list | `[]` | | +| autoendpoint.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. 
- name: foo mountPath: "/etc/foo" readOnly: true | +| config.cryptoKey | string | `""` | run https://github.com/mozilla-services/autopush-rs/blob/master/scripts/fernet_key.py | +| config.logs.backtrace | bool | `false` | enable backtrace of autopush | +| config.logs.level | string | `"warn"` | set log level of autopush | +| fullnameOverride | string | `""` | | +| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy | +| global.image.registry | string | `nil` | if set it will overwrite all registry entries | +| imagePullSecrets | list | `[]` | This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | +| ingress.annotations | object | `{}` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `false` | | +| ingress.host | string | `"chart-example.local"` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | This is to override the chart name. | +| prometheus.enabled | bool | `true` | start statsd sidecar and configure | +| prometheus.image.pullPolicy | string | `"IfNotPresent"` | | +| prometheus.image.registry | string | `"docker.io"` | | +| prometheus.image.repository | string | `"prom/statsd-exporter"` | | +| prometheus.image.tag | string | `"v0.28.0"` | | +| prometheus.livenessProbe | object | `{"httpGet":{"path":"/","port":"metrics"}}` | This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| prometheus.readinessProbe.httpGet.path | string | `"/"` | | +| prometheus.readinessProbe.httpGet.port | string | `"metrics"` | | +| prometheus.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. 
This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi | +| prometheus.securityContext | object | `{}` | securityContext capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 | +| prometheus.servicemonitor.enabled | bool | `false` | | +| prometheus.servicemonitor.labels | object | `{}` | | +| prometheus.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. - name: foo mountPath: "/etc/foo" readOnly: true | +| redis.architecture | string | `"standalone"` | | +| redis.auth.enabled | bool | `true` | | +| redis.auth.existingSecret | string | `nil` | Or use existing secret with "redis-password" key instead of static password | +| redis.auth.password | string | `"autopush"` | XXX Change me! | +| redis.dbid | int | `0` | Database ID for non-default database | +| redis.external.existingSecretPasswordKey | string | `"redis-password"` | Password key to be retrieved from existing secret | +| redis.external.host | string | `"redis"` | | +| redis.external.port | int | `6379` | | +| redis.internal | bool | `true` | | +| redis.master.kind | string | `"Deployment"` | | +| redis.master.persistence.enabled | bool | `false` | | +| redis.master.service.port | int | `6379` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.automount | bool | `true` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| volumes | list | `[]` | Additional volumes on the output Deployment definition. - name: foo secret: secretName: mysecret optional: false | + +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) + 
diff --git a/autopush/_docs.gotmpl b/autopush/_docs.gotmpl
new file mode 100644
index 0000000..fb13262
--- /dev/null
+++ b/autopush/_docs.gotmpl
@@ -0,0 +1,15 @@
+{{ define "chart.prerequirements" -}}
+= Beta
+
+WARNING
+====
+We let it run in production, but it is not stable / complete.
+
+TODOs:
+ - [ ] official container with redis backend, see: https://github.com/mozilla-services/autopush-rs/pull/813
+ - [ ] automatical create CRYPT_KEY (instatt of key)
+ - [ ] better ingress / host name support
+ - [ ] Improve monitoring with alerts and grafana dashboard
+
+====
+{{ end }}
diff --git a/autopush/ci/ct-empty-values.yaml b/autopush/ci/ct-empty-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/autopush/ci/ct-monitor-values.yaml b/autopush/ci/ct-monitor-values.yaml
new file mode 100644
index 0000000..f589e9d
--- /dev/null
+++ b/autopush/ci/ct-monitor-values.yaml
@@ -0,0 +1,6 @@
+prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+ labels:
+ prometheus: default
diff --git a/autopush/container/Containerfile b/autopush/container/Containerfile
new file mode 100644
index 0000000..1535ff5
--- /dev/null
+++ b/autopush/container/Containerfile
@@ -0,0 +1,15 @@
+FROM python:3.8-slim
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the requirements file
+COPY requirements.txt .
+
+# Install any needed packages
+RUN pip install -r requirements.txt
+
+# Copy the application code into the container
+COPY setup.py setup.py
+
+CMD ["python", "setup.py"]
diff --git a/autopush/container/requirements.txt b/autopush/container/requirements.txt
new file mode 100644
index 0000000..0d38bc5
--- /dev/null
+++ b/autopush/container/requirements.txt
@@ -0,0 +1 @@
+cryptography
diff --git a/autopush/container/setup.py b/autopush/container/setup.py
new file mode 100644
index 0000000..3cbdcd2
--- /dev/null
+++ b/autopush/container/setup.py
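Review bot: `FROM python:3.8-slim` builds the key generator on an interpreter line that is past end-of-life (3.8 stopped receiving security fixes in October 2024), and `requirements.txt` pins nothing, so every build pulls whichever `cryptography` release is current and the image cannot be reproduced. Move to a supported base (for example `python:3.12-slim`) and pin the dependency as `cryptography==<version>`, ideally with hashes so `pip install --require-hashes` verifies what it downloads. The image also never leaves root; a `USER nobody` (or a dedicated uid) line before `CMD` costs nothing for a process that only prints a key. `RUN pip install --no-cache-dir -r requirements.txt` keeps the pip cache out of the layer.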
@@ -0,0 +1,5 @@
+#!/bin/env python3
+from cryptography.fernet import Fernet
+
+if __name__ == '__main__':
+ print(Fernet.generate_key().decode("UTF-8"))
diff --git a/autopush/templates/_helpers.tpl b/autopush/templates/_helpers.tpl
new file mode 100644
index 0000000..237e348
--- /dev/null
+++ b/autopush/templates/_helpers.tpl
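Review bot: `#!/bin/env python3` only resolves on systems where `/bin` is merged into `/usr/bin`; the portable shebang is `#!/usr/bin/env python3` (the Containerfile invokes `python setup.py` explicitly, so this only matters when the script is run directly on a developer machine). Naming the file `setup.py` also invites confusion with the setuptools entry point of the same name — pip, IDEs and readers will assume it describes a package; a name such as `gen_crypto_key.py` says what it does, with the `COPY` and `CMD` lines in the Containerfile updated to match.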
@@ -0,0 +1,93 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "autopush.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "autopush.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "autopush.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "autopush.labels" -}} +helm.sh/chart: {{ include "autopush.chart" . }} +{{ include "autopush.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "autopush.selectorLabels" -}} +app.kubernetes.io/name: {{ include "autopush.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "autopush.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "autopush.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Prometheus-sidecar +*/}} +{{- define "autopush.containerPrometheus" -}} +{{- with .Values.prometheus }} +{{- if .enabled }} +- name: statsd-exporter + securityContext: + {{- toYaml .securityContext | nindent 4 }} + {{- with .image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + ports: + - name: metrics + containerPort: 9102 + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 4 }} + readinessProbe: + {{- toYaml .readinessProbe | nindent 4 }} + resources: + {{- toYaml .resources | nindent 4 }} + {{- with .volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/autopush/templates/autoconnect/deployment.yaml b/autopush/templates/autoconnect/deployment.yaml new file mode 100644 index 0000000..0f1f3bb --- /dev/null +++ b/autopush/templates/autoconnect/deployment.yaml 
@@ -0,0 +1,91 @@ +{{- with .Values.autoconnect }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "autopush.fullname" $ }}-autoconnect + labels: + {{- include "autopush.labels" $ | nindent 4 }} +spec: + replicas: {{ .replicaCount }} + selector: + matchLabels: + {{- include "autopush.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: autoconnect + template: + metadata: + {{- with .podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "autopush.labels" $ | nindent 8 }} + app.kubernetes.io/component: autoconnect + {{- with .podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "autopush.serviceAccountName" $ }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: autoconnect + securityContext: + {{- toYaml .securityContext | nindent 12 }} + {{- with .image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + envFrom: + - secretRef: + name: {{ include "autopush.fullname" $ }}-env + env: + - name: "AUTOCONNECT__DB_DSN" + {{- if $.Values.redis.auth.enabled }} + value: "redis://:$(REDIS_HOST_PASSWORD)@$(REDIS_HOST)" + {{- else }} + value: "redis://$(REDIS_HOST)" + {{- end }} + - name: "AUTOCONNECT__CRYPTO_KEY" + valueFrom: + secretKeyRef: + name: {{ include "autopush.fullname" $ }}-env + key: "CRYPTO_KEY" + ports: + - name: http + containerPort: 8080 + protocol: TCP + - name: router + containerPort: 8081 + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .readinessProbe | nindent 12 }} + resources: + {{- toYaml .resources | nindent 12 }} + {{- with .volumeMounts }} + volumeMounts: + 
{{- toYaml . | nindent 12 }} + {{- end }} + {{- include "autopush.containerPrometheus" $ | nindent 8 }} + {{- with .volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/autopush/templates/autoconnect/service.yaml b/autopush/templates/autoconnect/service.yaml new file mode 100644 index 0000000..2a54f55 --- /dev/null +++ b/autopush/templates/autoconnect/service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "autopush.fullname" . }}-autoconnect + labels: + {{- include "autopush.labels" . | nindent 4 }} +spec: + type: {{ .Values.autoconnect.service.type }} + selector: + {{- include "autopush.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: autoconnect + ports: + - port: {{ .Values.autoconnect.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if .Values.prometheus.enabled }} + - port: 9100 + targetPort: metrics + protocol: TCP + name: metrics + {{- end }} diff --git a/autopush/templates/autoendpoint/deployment.yaml b/autopush/templates/autoendpoint/deployment.yaml new file mode 100644 index 0000000..f738b48 --- /dev/null +++ b/autopush/templates/autoendpoint/deployment.yaml 
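Review bot: Inside `{{- with .Values.autoconnect }}` the dot is the autoconnect sub-map, so `{{- with .imagePullSecrets }}` and `{{- with .volumes }}` look for `autoconnect.imagePullSecrets` and `autoconnect.volumes`, whereas values.yaml and the README define `imagePullSecrets` and `volumes` at the top level — both settings are silently dropped from the rendered pod; `{{- with $.Values.imagePullSecrets }}` and `{{- with $.Values.volumes }}` fix it. The same two lines appear in autoendpoint/deployment.yaml. The `.tag | default (printf "v%s" $.Chart.AppVersion)` fallback never fires because values.yaml ships `tag: latest`, and `latest` combined with `IfNotPresent` means each node keeps whatever it cached; if a `v<appVersion>` tag is published for these images, `tag: ""` in values would give a pinned, renovate-tracked default. The DSN `redis://:$(REDIS_HOST_PASSWORD)@$(REDIS_HOST)` inserts the password verbatim, so a value containing `@`, `/`, `:` or `#` yields an unparsable URL — either document on `redis.auth.password` that it must be URL-safe or percent-encode it where REDIS_HOST_PASSWORD is rendered in secret.yaml.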
@@ -0,0 +1,88 @@ +{{- with .Values.autoendpoint }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "autopush.fullname" $ }}-autoendpoint + labels: + {{- include "autopush.labels" $ | nindent 4 }} +spec: + replicas: {{ .replicaCount }} + selector: + matchLabels: + {{- include "autopush.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: autoendpoint + template: + metadata: + {{- with .podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "autopush.labels" $ | nindent 8 }} + app.kubernetes.io/component: autoendpoint + {{- with .podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "autopush.serviceAccountName" $ }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: autoendpoint + securityContext: + {{- toYaml .securityContext | nindent 12 }} + {{- with .image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + envFrom: + - secretRef: + name: {{ include "autopush.fullname" $ }}-env + env: + - name: "AUTOEND__DB_DSN" + {{- if $.Values.redis.auth.enabled }} + value: "redis://:$(REDIS_HOST_PASSWORD)@$(REDIS_HOST)" + {{- else }} + value: "redis://$(REDIS_HOST)" + {{- end }} + - name: "AUTOEND__CRYPTO_KEYS" + valueFrom: + secretKeyRef: + name: {{ include "autopush.fullname" $ }}-env + key: "CRYPTO_KEY" + ports: + - name: http + containerPort: 8000 + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .readinessProbe | nindent 12 }} + resources: + {{- toYaml .resources | nindent 12 }} + {{- with .volumeMounts }} + volumeMounts: + {{- toYaml . 
| nindent 12 }} + {{- end }} + {{- include "autopush.containerPrometheus" $ | nindent 8 }} + {{- with .volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/autopush/templates/autoendpoint/service.yaml b/autopush/templates/autoendpoint/service.yaml new file mode 100644 index 0000000..ef7abb3 --- /dev/null +++ b/autopush/templates/autoendpoint/service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "autopush.fullname" . }}-autoendpoint + labels: + {{- include "autopush.labels" . | nindent 4 }} +spec: + type: {{ .Values.autoendpoint.service.type }} + selector: + {{- include "autopush.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: autoendpoint + ports: + - port: {{ .Values.autoendpoint.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if .Values.prometheus.enabled }} + - port: 9100 + targetPort: metrics + protocol: TCP + name: metrics + {{- end }} diff --git a/autopush/templates/ingress.yaml b/autopush/templates/ingress.yaml new file mode 100644 index 0000000..d53ba34 --- /dev/null +++ b/autopush/templates/ingress.yaml 
@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "autopush.fullname" . }}
+ labels:
+ {{- include "autopush.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.ingress.className }}
+ ingressClassName: {{ . }}
+ {{- end }}
+ {{- with .Values.ingress.tls }}
+ tls:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ - host: {{ .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ include "autopush.fullname" $ }}-autoconnect
+ port:
+ name: http
+ - host: {{ printf "updates.%s" .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ include "autopush.fullname" $ }}-autoendpoint
+ port:
+ name: http
+{{- end }}
diff --git a/autopush/templates/secret.yaml b/autopush/templates/secret.yaml
new file mode 100644
index 0000000..46fe7f1
--- /dev/null
+++ b/autopush/templates/secret.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "autopush.fullname" . }}-env
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+type: Opaque
+data:
+ {{/* GLOBAL */}}
+ RUST_BACKTRACE: {{ ternary "1" "0" .Values.config.logs.backtrace | b64enc }}
+ RUST_LOG: {{ .Values.config.logs.level | b64enc }}
+ {{- with .Values.redis }}
+ {{- if .auth.enabled }}
+ {{- with .auth.password }}
+ REDIS_HOST_PASSWORD: {{ . | b64enc }}
+ {{- end }}
+ {{- end }}
+ {{- if .internal }}
+ REDIS_HOST: {{ printf "%s-redis-master:%.0f/%.0f" (include "autopush.fullname" $) .master.service.port .dbid | b64enc }}
+ {{- else }}
+ REDIS_HOST: {{ printf "%s:%s/$.0f" .external.host .external.port .dbid | b64enc }}
+ {{- end }}
+ {{- end }}
+ CRYPTO_KEY: {{ printf "[%s]" .Values.config.cryptoKey | b64enc }}
+ {{/* autoconnect */}}
+ {{- if .Values.ingress.tls }}
+ AUTOCONNECT__ENDPOINT_SCHEME: {{ "https" | b64enc }}
+ AUTOCONNECT__ENDPOINT_PORT: {{ "443" | b64enc }}
+ {{- else }}
+ AUTOCONNECT__ENDPOINT_SCHEME: {{ "http" | b64enc }}
+ AUTOCONNECT__ENDPOINT_PORT: {{ "80" | b64enc }}
+ {{- end }}
+ AUTOCONNECT__ENDPOINT_HOSTNAME: {{ printf "updates.%s" .Values.ingress.host | b64enc }}
+ AUTOCONNECT__ROUTER_HOSTNAME: {{ printf "%s-autoconnect" (include "autopush.fullname" .) | b64enc }}
+ {{- if .Values.prometheus.enabled }}
+ AUTOCONNECT__STATSD_HOST: {{ "127.0.0.1" | b64enc}}
+ AUTOCONNECT__STATSD_PORT: {{ "9125" | b64enc }}
+ {{- end }}
+ {{/* autoendpoint */}}
+ AUTOEND__HOST: {{ "::" | b64enc }}
+ {{- if .Values.prometheus.enabled }}
+ AUTOEND__STATSD_HOST: {{ "127.0.0.1" | b64enc }}
+ AUTOEND__STATSD_PORT: {{ "9125" | b64enc }}
+ {{- end }}
diff --git a/autopush/templates/serviceaccount.yaml b/autopush/templates/serviceaccount.yaml
new file mode 100644
index 0000000..f341e97
--- /dev/null
+++ b/autopush/templates/serviceaccount.yaml
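Review bot: The external-Redis branch renders a broken host: `printf "%s:%s/$.0f" .external.host .external.port .dbid` has `$.0f` where `%.0f` was meant and formats the numeric port with `%s`, so Go's printf writes `%!s(float64=6379)` plus a literal `$.0f` into REDIS_HOST; `%v` survives both the float64 that values.yaml produces and the int64 that `--set` produces, so `REDIS_HOST: {{ printf "%s:%v/%v" .external.host .external.port .dbid | b64enc }}` (and `%v` in the internal line as well) is the robust form. `CRYPTO_KEY` renders as `[]` while `config.cryptoKey` keeps its empty default, which only surfaces once the pods start; `{{ required "config.cryptoKey must be set (see scripts/fernet_key.py)" .Values.config.cryptoKey }}` turns that into an install-time error (the empty ci/ct-empty-values.yaml would then need a test key). `redis.auth.existingSecret` and `redis.external.existingSecretPasswordKey` are documented in values, but nothing in this commit reads them — REDIS_HOST_PASSWORD only ever comes from the static `redis.auth.password`, so a user who points at an existing secret silently keeps the default password `autopush`; the deployments would need a `secretKeyRef` to that secret for the password instead. The `helm.sh/hook` annotation also takes this Secret out of the release's normal lifecycle, so the crypto key and password are left behind on `helm uninstall` unless a matching `helm.sh/hook-delete-policy` is added or the hook annotation is dropped altogether.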
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "autopush.serviceAccountName" . }}
+ labels:
+ {{- include "autopush.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/autopush/templates/servicemonitor.yaml b/autopush/templates/servicemonitor.yaml
new file mode 100644
index 0000000..87b7f82
--- /dev/null
+++ b/autopush/templates/servicemonitor.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "autopush.fullname" . }}
+ labels:
+ {{- include "autopush.labels" . | nindent 4 }}
+ {{- with .Values.prometheus.servicemonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "autopush.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: metrics
+{{- end }}
diff --git a/autopush/values.yaml b/autopush/values.yaml
new file mode 100644
index 0000000..ac0fabc
--- /dev/null
+++ b/autopush/values.yaml
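Review bot: `serviceAccount.automount` defaults to `true`, so every autoconnect and autoendpoint pod gets a Kubernetes API token mounted although nothing in the templates shown references the API server; defaulting it to `false` follows least privilege for a push service that only needs Redis and its own ports. The setting is also only honoured when this ServiceAccount is rendered — with `serviceAccount.create: false` the pods fall back to `default` and the guard on the first line skips the whole file — so rendering `automountServiceAccountToken: {{ $.Values.serviceAccount.automount }}` in both deployment pod specs makes the behaviour consistent in either case.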
@@ -0,0 +1,279 @@
+global:
+ image:
+ # -- if set it will overwrite all registry entries
+ registry:
+ # -- if set it will overwrite all pullPolicy
+ pullPolicy:
+
+# -- This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# -- This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+
+
+
+config:
+ logs:
+ # -- set log level of autopush
+ level: warn
+ # -- enable backtrace of autopush
+ backtrace: false
+ # -- run https://github.com/mozilla-services/autopush-rs/blob/master/scripts/fernet_key.py
+ cryptoKey: ""
+
+prometheus:
+ # -- start statsd sidecar and configure
+ enabled: true
+
+ servicemonitor:
+ enabled: false
+ labels: {}
+
+ image:
+ registry: docker.io
+ repository: prom/statsd-exporter
+ pullPolicy: IfNotPresent
+ tag: v0.28.0
+
+ # -- securityContext
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ securityContext: {}
+
+ # -- We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources: {}
+
+ # -- This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ livenessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ readinessProbe:
+ httpGet:
+ path: /
+ port: metrics
+
+ # -- Additional volumeMounts on the output Deployment definition.
+ # - name: foo
+ # mountPath: "/etc/foo"
+ # readOnly: true
+ volumeMounts: []
+
+## This configuration is for the internal Redis that's deployed for use with
+## workers/sharding, for an external Redis server you want to set enabled to
+## false and configure the externalRedis block.
+##
+redis:
+ internal: true
+ # -- Database ID for non-default database
+ dbid: 0
+
+ auth:
+ enabled: true
+ # -- XXX Change me!
+ password: autopush
+
+ # -- Or use existing secret with "redis-password" key instead of static password
+ existingSecret:
+ external:
+ host: redis
+ port: 6379
+
+ # -- Password key to be retrieved from existing secret
+ existingSecretPasswordKey: redis-password
+
+
+ architecture: standalone
+ master:
+ kind: Deployment
+ persistence:
+ enabled: false
+ service:
+ port: 6379
+
+
+
+autoconnect:
+ # -- This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+ replicaCount: 1
+ image:
+ registry: codeberg.org
+ repository: wrenix/autopush/autoconnect
+ pullPolicy: IfNotPresent
+ tag: latest
+ # -- This is for setting Kubernetes Annotations to a Pod.
+ # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations: {}
+ # -- This is for setting Kubernetes Labels to a Pod.
+ # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ # -- securityContext
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ securityContext: {}
+
+ # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+ service:
+ # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: ClusterIP
+ # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+ port: 80
+
+ # -- We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources: {}
+
+ # -- This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+
+ # -- Additional volumeMounts on the output Deployment definition.
+ # - name: foo
+ # mountPath: "/etc/foo"
+ # readOnly: true
+ volumeMounts: []
+
+autoendpoint:
+ # -- This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+ replicaCount: 1
+ image:
+ registry: codeberg.org
+ repository: wrenix/autopush/autoendpoint
+ pullPolicy: IfNotPresent
+ tag: latest
+
+ # This is for setting Kubernetes Annotations to a Pod.
+ # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations: {}
+ # This is for setting Kubernetes Labels to a Pod.
+ # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+ # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+ service:
+ # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ type: ClusterIP
+ # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+ port: 80
+
+ # -- We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources: {}
+
+ # -- This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+
+ # -- Additional volumeMounts on the output Deployment definition.
+ # - name: foo
+ # mountPath: "/etc/foo"
+ # readOnly: true
+ volumeMounts: []
+
+
+#This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Automatically mount a ServiceAccount's API credentials?
+ automount: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ host: chart-example.local
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+
+# -- Additional volumes on the output Deployment definition.
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+volumes: []
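Review bot: `redis.auth.password: autopush` (in the `redis:` stanza of this hunk) ships a working default credential, so every install that does not override it runs Redis behind a publicly known password while `auth.enabled: true` suggests it is protected; make the default `password: ""` and have the template `required` it or point users at `existingSecret`, since the `# -- XXX Change me!` comment alone does not prevent it. Both application images use `tag: latest` with `pullPolicy: IfNotPresent`, which is unreproducible and stale-prone at the same time; pin `tag` to a published version (the chart's appVersion is 1.72.2, but whether `codeberg.org/wrenix/autopush/*` publishes that tag is not visible here) or to a digest. `serviceAccount.automount: true` mounts an API token into pods that, as far as this chart shows, never talk to the Kubernetes API — default it to `automount: false`. Finally, all three `securityContext: {}` defaults leave the recommended hardening in comments; consider shipping `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` as real defaults, which presumably the upstream images tolerate but is not verifiable from this chunk.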