ci: update Calyptia Cloud Standalone chart

charts/calyptia-cloud-standalone/Chart.lock

@@ -1,10 +1,10 @@
 dependencies:
 - name: core-operator
   repository: https://helm.calyptia.com
-  version: 2.0.4
+  version: 2.0.8
 - name: core-crd
   repository: https://helm.calyptia.com
-  version: 2.0.4
+  version: 2.0.8
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 2.13.3
@@ -17,5 +17,5 @@ dependencies:
 - name: fluent-bit
   repository: https://fluent.github.io/helm-charts
   version: 0.40.0
-digest: sha256:9cfa57a9a7c6335dc0dfc6d7f712f0ddf0089802f1e8f5b7203c456840967102
-generated: "2023-11-20T17:15:52.049928985Z"
+digest: sha256:847acb545de6be43b49572875a879831eb59f5e3091ea2461b75fb47a502937a
+generated: "2023-11-23T12:07:35.001448206Z"

charts/calyptia-cloud-standalone/Chart.yaml

@@ -4,8 +4,8 @@ description: Umbrella chart to configure a Calyptia Core control plane and suppo
 home: https://calyptia.com/products/calyptia-core/
 icon: https://storage.googleapis.com/calyptia_public_resources_bucket/logo-darkmode.svg
 type: application
-version: 2.0.1
-appVersion: "v1.6.5"
+version: 2.1.0
+appVersion: "v1.6.8"
 maintainers:
   - name: Calyptia
     email: [email protected]
@@ -30,13 +30,6 @@ dependencies:
     version: 2.9.10
     alias: loki-stack
     condition: monitoring.grafana
-  # Cannot use the chart due to incompatible usage of global.imagePullSecrets
-  # Instead we embed it
-  # - name: reloader
-  #   version: 1.x.x
-  #   repository: https://stakater.github.io/stakater-charts
-  #   alias: reloader
-  #   condition: reloader.enabled
   # Use the OSS Fluent Bit chart for monitoring
   - name: fluent-bit
     version: 0.x.x

charts/calyptia-cloud-standalone/README.md

@@ -47,10 +47,10 @@ helm upgrade --install \
 
 ## Upgrade
 
-To upgrade the chart, the two main things to ensure are:
+To upgrade the chart without service interruption, the two main things to ensure are:
 
 1. The Postgres database state does not change.
-1. The CRDs for the operator are not removed.
+1. The CRDs for the operator (if deployed with this chart) are not removed.
 
 The chart includes a Postgres database default deployment in-cluster but this is not recommended for production and provides no guarantees.
 An external database (external to this chart, it could be in-cluster) with high availability should be provided.
@@ -64,18 +64,45 @@ This includes CRD configuration but note Helm has caveats on managing existing C
 Any upgrade should first ensure the correct CRDs are installed via `kubectl replace -f crd.yaml`.
 The CRD YAML files are available on the specific release being installed here: <https://github.com/calyptia/core-operator-releases/>
 
-If CRDs are removed then all workloads associated with them will also be destroyed.
+If CRDs are removed then all workloads associated with them will also be destroyed (but will be recreated when the CRD is added again if the config is in the database).
+
 CRD removal can be prevented with the following annotation:
 
 ```shell
 kubectl annotate crd pipelines.core.calyptia.com helm.sh/resource-policy=keep --overwrite
+kubectl annotate crd ingestchecks.core.calyptia.com helm.sh/resource-policy=keep --overwrite
+```
+
+To upgrade from 1.x series chart to 2.x, also add these annotations to prevent replacement of the CRD:
+
+```shell
 kubectl annotate crd pipelines.core.calyptia.com meta.helm.sh/release-name=calyptia-cloud --overwrite
 kubectl annotate crd pipelines.core.calyptia.com meta.helm.sh/release-namespace="$CALYPTIA_NAMESPACE" --overwrite
 kubectl label crd pipelines.core.calyptia.com app.kubernetes.io/managed-by=Helm --overwrite
 ```
 
 The recommendation would be to deploy the Core Operator separately and disable it in this chart to maintain full control over lifecycle.
 
+## Production deployment
+
+The default configuration for this chart is intended to provide a simple in-cluster working deployment and as such is not recommended for production.
+Specifically, for a production deployment the recommendations are:
+
+* Deploy Postgres (and Influx) separately and manage with high availability.
+* Deploy the Core Operator separately and manage the data plane independently of the control plane.
+
+```yaml
+operator:
+  enabled: false
+cloudApi:
+  postgres:
+    enabled: false
+    connectionString: <Postgres DNS provided here>
+  influxdb:
+    enabled: false
+    server: <URL for InfluxDB server>
+```
+
 ## Services
 
 The helm chart provides the following services:
@@ -231,6 +258,39 @@ operator:
 Once the operator is deployed, the [`core-instance`](https://github.com/calyptia/charts/tree/master/charts/core-instance) chart can be used to add workloads to the cluster.
 Alternatively the legacy [`core`](https://github.com/calyptia/charts/tree/master/charts/core) chart can also be used without operator support.
 
+### Autoscaling
+
+Each of the main services can be set up to use [Horizontal Pod Autoscaling (HPA)](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/), however this is disabled by default.
+
+To enable, set the `autoscaling.enabled=true` property in the appropriate sections below:
+
+```yaml
+cloudApi:
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 5
+    targetMemoryUtilizationPercentage: 50
+    targetCPUUtilizationPercentage: 50
+frontend:
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 5
+    targetMemoryUtilizationPercentage: 50
+    targetCPUUtilizationPercentage: 50
+  luaSandbox:
+    autoscaling:
+      enabled: false
+      minReplicas: 1
+      maxReplicas: 5
+      targetMemoryUtilizationPercentage: 50
+      targetCPUUtilizationPercentage: 50
+```
+
+Remember HPA requires a controller (as well as a metrics server and any other supporting infrastructure) in the cluster to actually implement and manage scaling.
+Ensure this is deployed as well in an appropriate fashion.
+
 ## Troubleshooting
 
 ### Calyptia Fluent Bit LTS

charts/calyptia-cloud-standalone/templates/NOTES.txt

@@ -5,7 +5,7 @@ Calyptia Core Operator correctly installed.
 
 To get the project token:
 
-kubectl get secret -n {{ .Release.Namespace }} auth-secret -o jsonpath='{.data.ONPREM_CLOUD_API_PROJECT_TOKEN}'| base64 --decode
+kubectl get secret -n {{ .Release.Namespace }} auth-secret -o jsonpath='{.data.token}'| base64 --decode
 
 To create an instance in the cluster run:
 
@@ -17,7 +17,7 @@ export INSTANCE_NAMESPACE=core-instance
 export INSTANCE_NAME=test
 {{- if .Values.operator.enabled }}
 helm upgrade --install --namespace "$INSTANCE_NAMESPACE" --create-namespace calyptia-core-instance calyptia/core-instance \
-    --set cloudToken="$(kubectl get secret -n "$CLOUD_NAMESPACE" auth-secret -o jsonpath='{.data.ONPREM_CLOUD_API_PROJECT_TOKEN}'| base64 --decode)" \
+    --set cloudToken="$(kubectl get secret -n "$CLOUD_NAMESPACE" auth-secret -o jsonpath='{.data.token}'| base64 --decode)" \
     --set coreInstance="$INSTANCE_NAME" --set cloudUrl="http://cloud-api.${CLOUD_NAMESPACE}:5000" \
     --debug --wait
 
@@ -51,7 +51,7 @@ This will spin up a pod to handle the pipeline as a test, however this should be
 export INSTANCE_TAG=test
 
 helm upgrade --install --namespace "$INSTANCE_NAMESPACE" --create-namespace calyptia-core calyptia/core \
-    --set project_token="$(kubectl get secret -n "$CLOUD_NAMESPACE" auth-secret -o jsonpath='{.data.ONPREM_CLOUD_API_PROJECT_TOKEN}'| base64 --decode)" \
+    --set project_token="$(kubectl get secret -n "$CLOUD_NAMESPACE" auth-secret -o jsonpath='{.data.token}'| base64 --decode)" \
     --set name="$INSTANCE_NAME" --set core_instance_tags="$INSTANCE_TAG" --set api_url="http://cloud-api.$CLOUD_NAMESPACE:5000" \
     --debug --wait
 
@@ -123,3 +123,9 @@ A different configuration can be provided via the '.monitoring-aggregator.existi
 
 Each of these provides Prometheus metrics via port 2021 `/metrics` endpoint.
 {{- end }}
+{{- if .Values.cloudApi.postgres.enabled }}
+WARNING: This is a non-production deployment as it is using an in-cluster Postgres database deployed by this chart.
+{{- end }}
+{{- if .Values.operator.enabled }}
+WARNING: This is a non-production deployment as it is using an in-cluster Core Operator deployed by this chart.
+{{- end }}

charts/calyptia-cloud-standalone/templates/_helpers.tpl

@@ -65,13 +65,6 @@ Return the proper ingress.image image name
 {{ include "common.images.image" (dict "imageRoot" .Values.ingress.images.nginx "global" .Values.global) }}
 {{- end -}}
 
-{{/*
-Return the proper reloader.image image name
-*/}}
-{{- define "reloader.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.reloader.images.reloader "global" .Values.global) }}
-{{- end -}}
-
 {{/*
 Returns the proper service account name depending if an explicit service account name is set
 in the values file. If the name is not set it will default to either common.names.fullname if serviceAccount.create
@@ -106,23 +99,6 @@ is true or default otherwise.
     {{- end -}}
 {{- end -}}
 
-{{/*
-Returns the proper service account name depending if an explicit service account name is set
-in the values file. If the name is not set it will default to either common.names.fullname if serviceAccount.create
-is true or default otherwise.
-*/}}
-{{- define "reloader.serviceAccountName" -}}
-    {{- if .Values.reloader.serviceAccount.create -}}
-        {{- if (empty .Values.reloader.serviceAccount.name) -}}
-          {{- printf "%s-reloader" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
-        {{- else -}}
-          {{ default "default" .Values.reloader.serviceAccount.name }}
-        {{- end -}}
-    {{- else -}}
-        {{ default "default" .Values.reloader.serviceAccount.name }}
-    {{- end -}}
-{{- end -}}
-
 {{/*
 Return the proper Container Registry Secret Names
 */}}
@@ -165,15 +141,19 @@ Return the proper Container Registry Secret Names
 {{ include "common.images.pullSecrets" (dict "images" (list .Values.vivo.images.vivo) "global" .Values.global) }}
 {{- end -}}
 
-{{/*
-Return the proper Container Registry Secret Names
-*/}}
-{{- define "reloader.imagePullSecrets" -}}
-{{ include "common.images.pullSecrets" (dict "images" (list .Values.reloader.images.reloader) "global" .Values.global) }}
-{{- end -}}
-
 {{- define "createImagePullSecret" -}}
 {{- with .Values.imageCredentials }}
 {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the proper name for the shared authentication secret
+*/}}
+{{- define "cloud.authSecretName" -}}
+  {{- if .Values.authentication -}}
+    {{- default "auth-secret" .Values.authentication.secret.name | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- "auth-secret" | trunc 63 | trimSuffix "-" -}}
+  {{- end -}}
+{{- end -}}

charts/calyptia-cloud-standalone/templates/cloud/deployment-cloud.yaml

@@ -65,12 +65,14 @@ spec:
             # - name: ALLOWED_ORIGINS
             #   # value: "https://config-viewer-ui-dev.herokuapp.com,https://visual-ui.herokuapp.com,https://cloud-api.calyptia.com,https://core-jet.vercel.app,https://core-git-*-calyptia.vercel.app"
             #   value: "*"
-            # Cross-mount a token file
+            # To enable secret export we have to specify a token file but we do not want to expose this
             - name: DEFAULT_TOKEN_FILE
-              value: /token/token.txt
+              value: /dev/null
+            - name: DEFAULT_TOKEN_K8S_SECRET_NAME
+              value: {{ template "cloud.authSecretName" . }}
+            - name: DEFAULT_TOKEN_K8S_SECRET_NAMESPACE
+              value: {{ .Release.Namespace | quote }}
           volumeMounts:
-            - mountPath: /token
-              name: token
           {{- if .Values.cloudApi.extraVolumeMounts }}
           {{- include "common.tplvalues.render" (dict "value" .Values.cloudApi.extraVolumeMounts "context" $) | nindent 12 }}
           {{- end }}
@@ -83,45 +85,7 @@ spec:
           {{- if .Values.cloudApi.livenessProbe }}
           livenessProbe: {{- toYaml .Values.cloudApi.livenessProbe | nindent 12 }}
           {{- end }}
-        - name: token-secret-creator
-          image: {{ template "cloud.kubectl.image" . }}
-          imagePullPolicy: {{ .Values.global.pullPolicy | quote }}
-          # Need access to the filesystem - cloud runs as root
-          securityContext:
-            runAsUser: 0
-          {{- if .Values.cloudApi.kubectl.resources }}
-          resources: {{- toYaml .Values.cloudApi.kubectl.resources | nindent 12 }}
-          {{- end }}
-          command: ["/bin/bash"]
-          args:
-            - "-c"
-            - |
-              if kubectl delete -n ${CORE_NAMESPACE} secret auth-secret ; then
-                echo 'Deleted existing token'
-              fi
-              until [[ -f /token/token.txt ]]; do
-                sleep 5
-              done
-              echo 'Token file found'
-              until kubectl create -n ${CORE_NAMESPACE} secret generic auth-secret --from-file=ONPREM_CLOUD_API_PROJECT_TOKEN=/token/token.txt ; do
-                sleep 5
-              done
-              echo 'Secret created - complete'
-              while true; do
-                sleep 5
-              done
-          env:
-            - name: CORE_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          volumeMounts:
-            - name: token
-              mountPath: /token
       volumes:
-        - name: token
-          emptyDir:
-            sizeLimit: 1Mi
         {{- if .Values.cloudApi.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.cloudApi.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

charts/calyptia-cloud-standalone/templates/cloud/hpa.yaml

@@ -0,0 +1,31 @@
+{{- if (and .Values.cloudApi.autoscaling .Values.cloudApi.autoscaling.enabled) }}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: cloud-api
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: cloud-api
+  minReplicas: {{ default 1 .Values.cloudApi.autoscaling.minReplicas }}
+  maxReplicas: {{ default 5 .Values.cloudApi.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.cloudApi.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.cloudApi.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.cloudApi.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.cloudApi.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/calyptia-cloud-standalone/templates/frontend/deployment-core-ui.yaml

@@ -2,11 +2,10 @@
 apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 metadata:
+  {{- if .Values.commonAnnotations }}
   annotations:
-    reloader.stakater.com/auto: "true"
-    {{- if .Values.commonAnnotations }}
     {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
-    {{- end }}
+  {{- end }}
   labels: {{- include "common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/component: core
   name: core
@@ -47,14 +46,17 @@ spec:
           args:
             - "-c"
             - |
-              until kubectl get secret -n ${CORE_NAMESPACE} auth-secret; do
-                sleep 30
+              until kubectl get secret -n "${DEFAULT_TOKEN_K8S_SECRET_NAMESPACE}" "${DEFAULT_TOKEN_K8S_SECRET_NAME}"; do
+                sleep 10
               done
+              kubectl get secret -n "${DEFAULT_TOKEN_K8S_SECRET_NAMESPACE}" "${DEFAULT_TOKEN_K8S_SECRET_NAME}" -o yaml
           env:
-            - name: CORE_NAMESPACE
+            - name: DEFAULT_TOKEN_K8S_SECRET_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: DEFAULT_TOKEN_K8S_SECRET_NAME
+              value: {{ template "cloud.authSecretName" . }}
       containers:
         - image: {{ template "frontend.image" . }}
           imagePullPolicy: {{ .Values.global.pullPolicy | quote }}
@@ -80,9 +82,13 @@ spec:
               value: '1'
             - name: NEXT_TELEMETRY_DISABLED
               value: '1'
-          envFrom:
-            - secretRef:
-                name: auth-secret
+            # Extract the value for this from the secret specified
+            - name: ONPREM_CLOUD_API_PROJECT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "cloud.authSecretName" . }}
+                  # Fixed name generated by Cloud since >=1.6.8
+                  key: token
           {{- if .Values.frontend.resources }}
           resources: {{- toYaml .Values.frontend.resources | nindent 12 }}
           {{- end }}