draft 2

developmentseed · Jun 6, 2024 · 4b190b3 · 4b190b3
1 parent f7bbd34
commit 4b190b3
Show file tree

Hide file tree

Showing 9 changed files with 120 additions and 157 deletions.
diff --git a/helm-chart/eoapi/templates/_helpers.tpl b/helm-chart/eoapi/templates/_helpers.tpl
@@ -66,13 +66,86 @@ Create pgstac host string depending if .Values.testing
 */}}
 {{- define "eoapi.pgstacHostName" -}}
 {{- if .Values.testing }}
-{{- printf "%s-%s" "pgstac" .Release.Name }}
+{{- printf "%s-%s" "pgstacloader" .Release.Name }}
 {{- else }}
 {{/* need to match what is default in values.yamls */}}
-{{- printf "%s" "pgstac" }}
+{{- printf "%s" "pgstacloader" }}
 {{- end }}
 {{- end }}
 
+{{/*
+Secrets for postgres/postgis access have to be
+derived from what the crunchydata operator creates
+so we factor out here to pass to all the services
+and dbloader
+*/}}
+{{- define "eoapi.pgstacsecrets"  -}}
+{{- /* admin user */ -}}
+- name: POSTGRES_DB
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: dbname
+- name: POSTGRES_USER
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: user
+- name: POSTGRES_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: password
+- name: POSTGRES_PORT
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: port
+- name: POSTGRES_HOST
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: host
+- name: POSTGRES_HOST_READER
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: host
+- name: POSTGRES_HOST_WRITER
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: host
+{{- /* non-admin user, just reuse the admin user */ -}}
+- name: PGUSER
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: user
+- name: PGPASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: password
+- name: PGDATABASE
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: dbname
+{{- /* stac-utils seems to require different environment variable names for postgres  */ -}}
+- name: POSTGRES_PASS
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: password
+- name: POSTGRES_DBNAME
+  valueFrom:
+    secretKeyRef:
+      name: postgrescluster-pguser-postgrescluster
+      key: dbname
+{{- end }}
+
+
 {{/*
 values.schema.json doesn't play nice combined value checks
 so we use this helper function to check autoscaling rules

diff --git a/helm-chart/eoapi/templates/db/pvc.yaml b/helm-chart/eoapi/templates/db/pvc.yaml
diff --git a/helm-chart/eoapi/templates/db/secrets.yaml b/helm-chart/eoapi/templates/db/secrets.yaml
diff --git a/helm-chart/eoapi/templates/db/service.yaml b/helm-chart/eoapi/templates/db/service.yaml
diff --git a/helm-chart/eoapi/templates/db/configmap.yaml → ...t/eoapi/templates/dbloader/configmap.yaml b/helm-chart/eoapi/templates/db/configmap.yaml → ...t/eoapi/templates/dbloader/configmap.yaml
diff --git a/...-chart/eoapi/templates/db/deployment.yaml → .../eoapi/templates/dbloader/deployment.yaml b/...-chart/eoapi/templates/db/deployment.yaml → .../eoapi/templates/dbloader/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.dbloader.enabled }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -18,51 +19,34 @@ spec:
     spec:
       restartPolicy: Always
       containers:
-        - name: pgstac
-          image: {{ .Values.db.image.name }}:{{ .Values.db.image.tag }}
+        - name: pgstacloader
+          image: {{ .Values.dbloader.image.name }}:{{ .Values.dbloader.image.tag }}
+          command:
+            {{- toYaml .Values.dbloader.command | nindent 12 }}
           args:
-            {{- toYaml .Values.db.command | nindent 12 }}
-          envFrom:
-          - secretRef:
-              name: pgstac-secrets-{{ $.Release.Name }}
+            {{- toYaml .Values.dbloader.args | nindent 12 }}
           ports:
             - containerPort: 5432
+#          envFrom:
+#            - secretRef:
+#                name: postgrescluster-pguser-postgrescluster
+          env:
+            {{- include "eoapi.pgstacsecrets" . | nindent 12 }}
           resources:
             limits:
-              cpu: {{ .Values.db.settings.resources.limits.cpu }}
-              memory: {{ .Values.db.settings.resources.limits.memory }}
+              cpu: {{ .Values.dbloader.settings.resources.limits.cpu }}
+              memory: {{ .Values.dbloader.settings.resources.limits.memory }}
             requests:
-              cpu: {{ .Values.db.settings.resources.requests.cpu }}
-              memory: {{ .Values.db.settings.resources.requests.memory }}
-          volumeMounts:
-            - mountPath: /var/lib/postgresql/data
-              name: pgstac-claim-{{ $.Release.Name }}
-        {{- if .Values.db.enable_data_fixtures }}
-        - name: loader
-          image: {{ .Values.db.image.name }}:{{ .Values.db.image.tag }}
-          command:
-            - "sh"
-          args:
-            - "/opt/initdb/load.sh"
-          envFrom:
-            - secretRef:
-                name: pgstac-secrets-{{ $.Release.Name }}
-          ports:
-            - containerPort: 6543
+              cpu: {{ .Values.dbloader.settings.resources.requests.cpu }}
+              memory: {{ .Values.dbloader.settings.resources.requests.memory }}
           volumeMounts:
-            - mountPath: /var/lib/postgresql/data
-              name: pgstac-claim-{{ $.Release.Name }}
             - mountPath: /opt/initdb/sql-data
               name: initdb-sql-volume-{{ $.Release.Name }}
             - mountPath: /opt/initdb/json-data
               name: initdb-json-volume-{{ $.Release.Name }}
             - mountPath: /opt/initdb/
               name: initdb-sh-volume-{{ $.Release.Name }}
-        {{- end }}
       volumes:
-        - name: pgstac-claim-{{ $.Release.Name }}
-          persistentVolumeClaim:
-            claimName: pgstac-claim-{{ $.Release.Name }}
         - name: initdb-sql-volume-{{ $.Release.Name }}
           configMap:
             name: initdb-sql-config-{{ $.Release.Name }}
@@ -72,3 +56,4 @@ spec:
         - name: initdb-sh-volume-{{ $.Release.Name }}
           configMap:
             name: initdb-sh-config-{{ $.Release.Name }}
+{{- end }}
diff --git a/helm-chart/eoapi/templates/services/deployment.yaml b/helm-chart/eoapi/templates/services/deployment.yaml
@@ -55,12 +55,14 @@ spec:
           requests:
             cpu: {{ index $v "settings" "resources" "requests" "cpu" }}
             memory: {{ index $v "settings" "resources" "requests" "memory" }}
+        env:
+          {{- include "eoapi.pgstacsecrets" . | nindent 10 }}
         envFrom:
           # NOTE: there's no reason we need to use a `ConfigMap` or `Secret` here to get os env vars into the pod.
           # we could just template them out here immediately with `value: $_` but this allows us
           # to store them in k8s intermediately and change them and then bounce deploys if needed
-        - secretRef:
-            name: pgstac-secrets-{{ $.Release.Name }}
+#        - secretRef:
+#            name: postgrescluster-pguser-postgrescluster
         - configMapRef:
             name: {{ $serviceName }}-envvar-configmap-{{ $.Release.Name }}
 ---

diff --git a/helm-chart/eoapi/values.schema.json b/helm-chart/eoapi/values.schema.json
@@ -2,59 +2,11 @@
   "$schema": "http://json-schema.org/schema#",
   "type": "object",
   "required": [
-    "db",
+
     "service",
     "gitSha"
   ],
   "properties": {
-    "db": {
-      "type": "object",
-      "required": [
-        "settings",
-        "environment"
-      ],
-      "properties": {
-        "settings": {
-          "type": "object",
-          "required": [
-            "secrets"
-          ],
-          "properties": {
-            "secrets": {
-              "type": "object",
-              "required": [
-                "PGPASSWORD",
-                "PGUSER",
-                "POSTGRES_PASSWORD",
-                "POSTGRES_USER"
-              ],
-              "properties": {
-                "PGPASSWORD": {
-                  "type": "string",
-                  "pattern": "^.+$"
-                },
-                "PGUSER": {
-                  "type": "string",
-                  "pattern": "^.+$"
-                },
-                "POSTGRES_PASSWORD": {
-                  "type": "string",
-                  "pattern": "^.+$"
-                },
-                "POSTGRES_USER": {
-                  "type": "string",
-                  "pattern": "^.+$"
-                }
-              }
-            }
-          }
-        },
-        "environment": {
-          "type": "string",
-          "pattern": "^(k8s|rds|cloudsql)$"
-        }
-      }
-    },
     "service": {
       "type": "object",
       "required": [

diff --git a/helm-chart/eoapi/values.yaml b/helm-chart/eoapi/values.yaml
@@ -33,7 +33,7 @@ ingress:
 comment: >
   we use the crunchy postgres operator/cluster charts as the k8s internal HA solution by default for this chart.
   those charts are therefore listed as a dependency of this chart in `Chart.yaml`.
-  they will create a postgres cluster and users for us by default that we can mount via secrets.
+  they will create a postgres cluster. they will also create user credentials for us by default that we can mount via secrets.
   see the `postgresOperator` and `postgresCluster` blocks below for pass-through values to configure those separate
   charts. And for more information read https://access.crunchydata.com/documentation/postgres-operator/latest
 
@@ -83,25 +83,18 @@ postgresCluster:
   backupsSize: 10Gi
 
 
-# TODO: refactor `db` to just
-# be a fixture loader pgstac image
-# to get tests and examples running
-
-# TODO: make this fixture loader and all services
-# leverage the secrets
-# be a fixture loader to get tests and examples running
-db:
-  environment: "k8s"
+# `dbloader` just provides a simple way for
+# fixtures to be default loaded for testing and examples
+# set `enabled: false` if you do not need it
+dbloader:
   enabled: true
   image:
     name: ghcr.io/stac-utils/pgstac
     tag: v0.8.2
   command:
-      - "postgres"
-      - "-N"
-      - "500"
-  # toggle to true||false if you want the db test fixtures loaded
-  enable_data_fixtures: true
+    - "sh"
+  args:
+    - "/opt/initdb/load.sh"
   settings:
     resources:
       requests:
@@ -111,21 +104,21 @@ db:
       limits:
         cpu: "512m"
         memory: "1024Mi"
-    secrets:
-      POSTGRES_DB: "postgis"
-      POSTGRES_USER: ""
-      POSTGRES_PASSWORD: ""
-      POSTGRES_PORT: "5432"
-      POSTGRES_HOST: "pgstac"
-      POSTGRES_HOST_READER: "pgstac"
-      POSTGRES_HOST_WRITER: "pgstac"
-      DB_MIN_CONN_SIZE: "1"
-      DB_MAX_CONN_SIZE: "15"
-      # default connect: https://www.postgresql.org/docs/current/libpq-envars.html
-      PGDATA: "/var/lib/postgresql/data/pgdata"
-      PGUSER: ""
-      PGPASSWORD: ""
-      PGDATABASE: "postgis"
+#    secrets:
+#      POSTGRES_DB: "postgis"
+#      POSTGRES_USER: ""
+#      POSTGRES_PASSWORD: ""
+#      POSTGRES_PORT: "5432"
+#      POSTGRES_HOST: "pgstac"
+#      POSTGRES_HOST_READER: "pgstac"
+#      POSTGRES_HOST_WRITER: "pgstac"
+#      DB_MIN_CONN_SIZE: "1"
+#      DB_MAX_CONN_SIZE: "15"
+#      # default connect: https://www.postgresql.org/docs/current/libpq-envars.html
+#      PGDATA: "/var/lib/postgresql/data/pgdata"
+#      PGUSER: ""
+#      PGPASSWORD: ""
+#      PGDATABASE: "postgis"
 
 ######################
 # SERVICES
@@ -278,6 +271,7 @@ vector:
       PORT: "8080"
       # https://www.uvicorn.org/settings/#production
       WEB_CONCURRENCY: "10"
+
 docServer:
   enabled: true