feat/ca mount (#163)

* feat: support mounting a ca bundle into the certs directory * feat: support alternative secret for CA * fix: don't strip newline * Changing how images are passed in * Add conditional to override tag as per fede * Update to handle external commands and top level image * Updating changes * Fixed tagging * Adding helper named template to get the image * Template working * chore: version bump * fix: revert values.yaml changes Co-authored-by: James Nieper <james.nieper@gmail.com>

feat/ca mount (#163)
cd267840 · David McKay · GitHub · 5f666720 · cd267840 · cd267840
Unverified Commit cd267840 authored Aug 21, 2020 by David McKay Committed by GitHub Aug 21, 2020
8 changed files
--- a/charts/influxdb-enterprise/Chart.yaml
+++ b/charts/influxdb-enterprise/Chart.yaml
-apiVersion: v2
+apiVersion: v1
-version: 0.1.6
+version: 0.1.7
 appVersion: 1.8.0
 engine: gotpl

--- a/charts/influxdb-enterprise/templates/_helpers.tpl
+++ b/charts/influxdb-enterprise/templates/_helpers.tpl
@@ -50,3 +50,19 @@ Selector labels
 app.kubernetes.io/name: {{ include "influxdb-enterprise.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{- define "influxdb-enterprise.image" -}}
+{{- $dataTagName := (printf "%s-%s" .chart.AppVersion .podtype) -}}
+{{- if (.imageroot) }}
+{{- if (.imageroot.tag) -}}
+{{- $dataTagName = .imageroot.tag -}}
+{{- end -}}
+{{- if (.imageroot.addsuffix) -}}
+{{- $dataTagName = printf "%s-%s" $dataTagName .podtype -}}
+{{- end -}}
+{{- end }}
+image: "{{ .podvals.image.repository | default "influxdb" }}:{{ $dataTagName }}"
+{{- end }}
--- a/charts/influxdb-enterprise/templates/bootstrap-job.yaml
+++ b/charts/influxdb-enterprise/templates/bootstrap-job.yaml
@@ -29,7 +29,7 @@ spec:
      initContainers:
      {{- if .Values.bootstrap.auth.secretName }}
      - name: auth
-        image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
+        {{- include "influxdb-enterprise.image" (dict "chart" .Chart "imageroot" .Values.image "podvals" .Values.data "podtype" "data") | indent 8 }}
        imagePullPolicy: {{ .Values.data.image.pullPolicy }}
        # Exposing these environment variables makes this command idempotent
        # as even if the authentication has been setup, we can still execute the command
@@ -68,7 +68,7 @@ spec:
      {{ end }}
      {{- if .Values.bootstrap.ddldml.configMap }}
      - name: ddl
-        image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
+        {{- include "influxdb-enterprise.image" (dict "chart" .Chart "imageroot" .Values.image "podvals" .Values.data "podtype" "data") | indent 8 }}
        imagePullPolicy: {{ .Values.data.image.pullPolicy }}
        {{- if .Values.bootstrap.auth.secretName }}
        env:
@@ -105,7 +105,7 @@ spec:
      {{ end }}
      {{- if .Values.bootstrap.ddldml.configMap }}
      - name: dml
-        image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
+        {{- include "influxdb-enterprise.image" (dict "chart" .Chart "imageroot" .Values.image "podvals" .Values.data "podtype" "data") | indent 8 }}
        imagePullPolicy: {{ .Values.data.image.pullPolicy }}
        {{- if .Values.bootstrap.auth.secretName }}
        env:
@@ -142,7 +142,7 @@ spec:
      {{ end }}
      containers:
      - name: success
-        image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
+        {{- include "influxdb-enterprise.image" (dict "chart" .Chart "imageroot" .Values.image "podvals" .Values.data "podtype" "data") | indent 8 }}
        imagePullPolicy: {{ .Values.data.image.pullPolicy }}
        command:
          - echo

--- a/charts/influxdb-enterprise/templates/data-configmap.yaml
+++ b/charts/influxdb-enterprise/templates/data-configmap.yaml
@@ -69,6 +69,17 @@ data:
    $ENV{INFLUXDB_HOSTNAME} = `hostname -f`;
    $ENV{INFLUXDB_HOSTNAME} =~ s/\n$//;
+    {{ if .Values.data.preruncmds }}
+    # These are commands that will run before influxdb is initialized
+    {{- range .Values.data.preruncmds }}
+    {{ if .description }}
+    # {{ .description }}
+    {{- end }}
+    system('{{ .cmd }}');
+    {{- end }}
+    {{ end }}
    $pid = fork();
    # Inside this conditional is our child process, which

--- a/charts/influxdb-enterprise/templates/data-statefulset.yaml
+++ b/charts/influxdb-enterprise/templates/data-statefulset.yaml
@@ -60,6 +60,20 @@ spec:
          {{ end }}
          {{ end }}
      {{ end }}
+      {{- if and .Values.data.https.enabled .Values.data.https.secret }}
+      {{- if .Values.data.https.secret.ca -}}
+      - name: tls-ca
+        secret:
+          {{ if .Values.data.https.secret.caSecret -}}
+          secretName: {{ .Values.data.https.secret.caSecret }}
+          {{ else }}
+          secretName: {{ .Values.data.https.secret.name }}
+          {{ end }}
+          items:
+            - key: {{ .Values.data.https.secret.ca }}
+              path: ca.crt
+      {{ end }}
+      {{ end }}
      containers:
        - name: {{ .Chart.Name }}
          command:
@@ -68,7 +82,7 @@ spec:
          - "/etc/influxdb/entrypoint.pl"
          securityContext:
            {{- toYaml .Values.data.securityContext | nindent 12 }}
-          image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
+          {{- include "influxdb-enterprise.image" (dict "chart" .Chart "imageroot" .Values.image "podvals" .Values.data "podtype" "data") | indent 10 }}
          imagePullPolicy: {{ .Values.data.image.pullPolicy }}
          env:
          - name: RELEASE_NAME
@@ -120,6 +134,13 @@ spec:
          - name: tls
            mountPath: /var/run/secrets/tls/
          {{ end }}
+          {{- if and .Values.data.https.enabled .Values.data.https.secret }}
+          {{- if .Values.data.https.secret.ca -}}
+          - name: tls-ca
+            mountPath: /etc/ssl/certs/ca-certificates.crt
+            subPath: ca.crt
+          {{ end }}
+          {{ end }}
          resources:
            {{- toYaml .Values.data.resources | nindent 12 }}
      {{- with .Values.data.nodeSelector }}

--- a/charts/influxdb-enterprise/templates/meta-configmap.yaml
+++ b/charts/influxdb-enterprise/templates/meta-configmap.yaml
@@ -48,8 +48,20 @@ data:
    $ENV{INFLUXDB_HOSTNAME} = `hostname -f`;
    $ENV{INFLUXDB_HOSTNAME} =~ s/\n$//;
+    {{ if .Values.meta.preruncmds }}
+    # These are commands that will run before influxdb is initialized
+    {{- range .Values.meta.preruncmds }}
+    {{ if .description }}
+    # {{ .description }}
+    {{- end }}
+    system('{{ .cmd }}');
+    {{- end }}
+    {{ end }}
    $pid = fork();
    # Inside this conditional is our child process, which
    # will return `influxd-meta`
    if($pid == 0) {

--- a/charts/influxdb-enterprise/templates/meta-statefulset.yaml
+++ b/charts/influxdb-enterprise/templates/meta-statefulset.yaml
@@ -60,6 +60,20 @@ spec:
          {{ end }}
          {{ end }}
      {{ end }}
+      {{- if and .Values.meta.https.enabled .Values.meta.https.secret }}
+      {{- if .Values.meta.https.secret.ca -}}
+      - name: tls-ca
+        secret:
+          {{ if .Values.meta.https.secret.caSecret -}}
+          secretName: {{ .Values.meta.https.secret.caSecret }}
+          {{ else }}
+          secretName: {{ .Values.meta.https.secret.name }}
+          {{ end }}
+          items:
+            - key: {{ .Values.meta.https.secret.ca }}
+              path: ca.crt
+      {{ end }}
+      {{ end }}
      containers:
        - name: {{ .Chart.Name }}
          command:
@@ -68,7 +82,7 @@ spec:
          - "/etc/influxdb/entrypoint.pl"
          securityContext:
            {{- toYaml .Values.meta.securityContext | nindent 12 }}
-          image: "{{ .Values.meta.image.repository | default "influxdb" }}:{{ .Values.meta.image.tag | default (printf "%s-%s" .Chart.AppVersion "meta") }}"
+          {{- include "influxdb-enterprise.image" (dict "chart" .Chart "imageroot" .Values.image "podvals" .Values.meta "podtype" "meta") | indent 10 }}
          imagePullPolicy: {{ .Values.meta.image.pullPolicy }}
          env:
            - name: INFLUXDB_META_INTERNAL_SHARED_SECRET
@@ -110,6 +124,13 @@ spec:
          - name: tls
            mountPath: /var/run/secrets/tls/
          {{ end }}
+          {{- if and .Values.meta.https.enabled .Values.meta.https.secret }}
+          {{- if .Values.meta.https.secret.ca -}}
+          - name: tls-ca
+            mountPath: /usr/share/ca-certificates/selfsigned/ca.crt
+            subPath: ca.crt
+          {{ end }}
+          {{ end }}
          resources:
            {{- toYaml .Values.meta.resources | nindent 12 }}
      {{- with .Values.meta.nodeSelector }}

--- a/charts/influxdb-enterprise/values.yaml
+++ b/charts/influxdb-enterprise/values.yaml
@@ -43,20 +43,32 @@ bootstrap:
    # configMap: ddl-dml
    # resources: {}
+# Sets the tagged version of the docker image that you want to run, will default to latest
+# The suffix is if you are pulling from influx repo, example images will be influxdb:1.8.0-meta and influxdb:1.8.0-data
+# If set to true, the suffix won't be added
+#image:
+#  tag: v1.eg.whatever
+#  ignoresuffix: true | false
 meta:
  replicas: 1
  image: {}
    # override: true
    # pullPolicy: IfNotPresent
    # repository: influxdb
-    # tag: "meta"
  # nodeSelector: {}
  # tolerations: []
  # affinity: {}
  # podAnnotations: {}
+  #
  # podSecurityContext: {}
  #   fsGroup: 2000
+  #
+  # This allows you to run the pods as a non-privileged user, set to the uid
  # securityContext: {}
+  #   runAsUser: 2000
+  #   runAsGroup: 2000
  #  capabilities:
  #    drop:
  #    - ALL
@@ -64,7 +76,12 @@ meta:
  # runAsNonRoot: true
  # runAsUser: 1000
  #
-  #
+  # These are the commands that will be run before influxdb is started
+  # preruncmds:
+  #   - cmd: ls -l
+  #     description: We want to see what's in the directory
+  #   - cmd: stat $HOME/somefile
+  #     description: And we run a second command
  # This secret needs a key called "secret" and it should be a long random string
  # Please see docs for shared-internal-secret:
  # https://docs.influxdata.com/enterprise_influxdb/v1.8/administration/config-data-nodes/#meta-internal-shared-secret
@@ -107,6 +124,8 @@ meta:
      name: tls-secret
      # crt: tls.crt
      # key: tls.key
+      # ca: ca.crt
+      # caSecret: secret-name # only use if different from the above
    insecure: true
@@ -116,20 +135,36 @@ data:
    # override: true
    # pullPolicy: IfNotPresent
    # repository: influxdb
-    # tag: "data"
  # nodeSelector: {}
  # tolerations: []
  # affinity: {}
  # podAnnotations: {}
+  #
  # podSecurityContext: {}
  #   fsGroup: 2000
+  #
+  # This allows you to run the pods as a non-privileged user, set to the uid
  # securityContext: {}
+  #   runAsUser: 2000
+  #   runAsGroup: 2000
  #  capabilities:
  #    drop:
  #    - ALL
+  #  capabilities:
+  #    drop:
+  #    - ALL
+  #
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
+  #
+  # These are the commands that will be run before influxdb is started
+  # preruncmds:
+  #   - cmd: ls -l
+  #     description: We want to see what's in the directory
+  #   - cmd: stat $HOME/somefile
+  #     description: And we run a second command
+  #
  ## Persist data to a persistent volume
  ##
  persistence:
@@ -162,4 +197,6 @@ data:
      name: tls-secret
      # crt: tls.crt
      # key: tls.key
+      # ca: ca.crt
+      # caSecret: secret-name # only use if different from the above
    insecure: true