Fixing helm hooks for install stage (#3136)

# What this PR does ## Issue At the first run (`helm install ...`) the migration job cannot start the container because cannot find Postgres/Redis/MySQL credentials and ServiceAccount. Workaround: set `.migrate.useHook` value to `false` for the `install` stage, and after you can switch back to `true`. This PR completely resolves this issue. ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated (doesn't violate anything) - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required) - [x] It is manually tested in the internal environment --------- Co-authored-by: Joey Orlando <joey.orlando@grafana.com> Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
2023-11-21 18:21:33 +01:00 · 2023-11-21 18:21:33 +01:00 · ab561db8a7
commit ab561db8a7
parent b3583cd1a0
10 changed files with 160 additions and 11 deletions
--- a/helm/oncall/templates/engine/job-migrate.yaml
+++ b/helm/oncall/templates/engine/job-migrate.yaml
@ -6,6 +6,7 @@ metadata:
  name: {{ printf "%s-migrate" (include "oncall.engine.fullname" .) }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
    {{- with .Values.migrate.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
--- a/helm/oncall/templates/secrets.yaml
+++ b/helm/oncall/templates/secrets.yaml
@ -5,6 +5,11 @@ metadata:
  name: {{ include "oncall.fullname" . }}
  labels:
    {{- include "oncall.labels" . | nindent 4 }}
+  {{- if .Values.migrate.useHook }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+  {{- end }}
 type: Opaque
 data:
  {{ include "snippet.oncall.secret.secretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }}
@ -16,6 +21,11 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "oncall.fullname" . }}-mysql-external
+  {{- if .Values.migrate.useHook }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+  {{- end }}
 type: Opaque
 data:
  mariadb-root-password: {{ required "externalMysql.password is required if not mariadb.enabled and not externalMysql.existingSecret" .Values.externalMysql.password | b64enc | quote }}
@ -26,6 +36,11 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "oncall.fullname" . }}-postgresql-external
+  {{- if .Values.migrate.useHook }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+  {{- end }}
 type: Opaque
 data:
  postgres-password: {{ required "externalPostgresql.password is required if not postgresql.enabled and not externalPostgresql.existingSecret" .Values.externalPostgresql.password | b64enc | quote }}
@ -36,6 +51,11 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "oncall.fullname" . }}-rabbitmq-external
+  {{- if .Values.migrate.useHook }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+  {{- end }}
 type: Opaque
 data:
  rabbitmq-password: {{ required "externalRabbitmq.password is required if not rabbitmq.enabled and not externalRabbitmq.existingSecret" .Values.externalRabbitmq.password | b64enc | quote }}
@ -46,6 +66,11 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "oncall.fullname" . }}-redis-external
+  {{- if .Values.migrate.useHook }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+  {{- end }}
 type: Opaque
 data:
  redis-password: {{ required "externalRedis.password is required if not redis.enabled and not externalRedis.existingSecret" .Values.externalRedis.password | b64enc | quote }}
--- a/helm/oncall/templates/serviceaccount.yaml
+++ b/helm/oncall/templates/serviceaccount.yaml
@ -5,8 +5,14 @@ metadata:
  name: {{ include "oncall.serviceAccountName" . }}
  labels:
    {{- include "oncall.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+  {{- if or (.Values.migrate.useHook) (.Values.serviceAccount.annotations) }}
  annotations:
+    {{- if .Values.migrate.useHook }}
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    {{- end }}
+    {{- with .Values.serviceAccount.annotations }}
    {{- toYaml . | nindent 4 }}
+    {{- end }}
  {{- end }}
 {{- end }}
--- a/helm/oncall/tests/migrate_annotations_test.yaml
+++ b/helm/oncall/tests/migrate_annotations_test.yaml
@ -11,14 +11,15 @@ tests:
      - notExists:
          path: metadata.annotations

-  - it: migrate.useHook=true -> should only provide the "helm.sh/hook" annotation
+  - it: migrate.useHook=true -> should provide the "helm.sh/hook" annotations
    set:
      migrate.useHook: true
    asserts:
-      - isSubset:
+      - equal:
          path: metadata.annotations
-          content:
+          value:
            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-1"

  - it: migrate.useHook=false and annotations set -> should only contain the custom annotations
    set:
@ -27,24 +28,25 @@ tests:
        some-annotation: some-value
        other-annotation: other-value
    asserts:
-      - isSubset:
+      - equal:
          path: metadata.annotations
-          content:
+          value:
            some-annotation: some-value
            other-annotation: other-value

  - it: >
      migrate.useHook=true and annotations set -> should contain the custom annotations
-      and the "helm.sh/hook" annotation
+      and the "helm.sh/hook" annotations
    set:
      migrate.useHook: true
      migrate.annotations:
        some-annotation: some-value
        other-annotation: other-value
    asserts:
-      - isSubset:
+      - equal:
          path: metadata.annotations
-          content:
+          value:
            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-1"
            some-annotation: some-value
            other-annotation: other-value
--- a/helm/oncall/tests/mysql_password_env_test.yaml
+++ b/helm/oncall/tests/mysql_password_env_test.yaml
@ -106,3 +106,27 @@ tests:
              secretKeyRef:
                name: some-mysql-secret
                key: mysql.key
+
+  - it: |
+      mariadb.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+      to secret with MySQL credentials
+    templates:
+      - secrets.yaml
+    set:
+      migrate.useHook: true
+      mariadb.enabled: false
+      externalMysql:
+        user: user123
+        password: abcd123
+    asserts:
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: oncall-mysql-external
+        documentIndex: 1
+      - isSubset:
+          path: metadata.annotations
+          content:
+            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-5"
+        documentIndex: 1
--- a/helm/oncall/tests/postgres_password_env_test.yaml
+++ b/helm/oncall/tests/postgres_password_env_test.yaml
@ -124,3 +124,31 @@ tests:
              secretKeyRef:
                name: oncall-postgresql
                key: password
+
+  - it: |
+      postgresql.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+      to secret with PostgreSQL credentials
+    templates:
+      - secrets.yaml
+    set:
+      migrate.useHook: true
+      database.type: postgresql
+      postgresql.enabled: false
+      externalPostgresql:
+        host: test-host
+        port: 5555
+        db_name: grafana_oncall
+        user: test_user
+        password: ultrasecretword
+    asserts:
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: oncall-postgresql-external
+        documentIndex: 1
+      - isSubset:
+          path: metadata.annotations
+          content:
+            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-5"
+        documentIndex: 1
--- a/helm/oncall/tests/rabbitmq_env_test.yaml
+++ b/helm/oncall/tests/rabbitmq_env_test.yaml
@ -268,3 +268,29 @@ tests:
      - failedTemplate:
          errorMessage: externalRabbitmq.host is required if not rabbitmq.enabled
        template: engine/job-migrate.yaml
+
+  - it: |
+      rabbitmq.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+      to secret with rabbitmq credentials
+    templates:
+      - secrets.yaml
+    set:
+      migrate.useHook: true
+      broker.type: rabbitmq
+      rabbitmq.enabled: false
+      externalRabbitmq:
+        host: rabbitmq-host
+        user: user
+        password: password
+    asserts:
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: oncall-rabbitmq-external
+        documentIndex: 1
+      - isSubset:
+          path: metadata.annotations
+          content:
+            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-5"
+        documentIndex: 1
--- a/helm/oncall/tests/redis_env_test.yaml
+++ b/helm/oncall/tests/redis_env_test.yaml
@ -268,3 +268,30 @@ tests:
          content:
            name: REDIS_SSL_CERT_REQS
            value: "cert_required"
+
+  - it: |
+      redis.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+      to secret with Redis credentials
+    templates:
+      - secrets.yaml
+    set:
+      migrate.useHook: true
+      broker.type: redis
+      rabbitmq.enabled: false
+      redis.enabled: false
+      externalRedis:
+        host: custom-host
+        port: 6379
+        password: custom-password
+    asserts:
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: oncall-redis-external
+        documentIndex: 1
+      - isSubset:
+          path: metadata.annotations
+          content:
+            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-5"
+        documentIndex: 1
--- a/helm/oncall/tests/service_account_test.yaml
+++ b/helm/oncall/tests/service_account_test.yaml
@ -42,3 +42,13 @@ tests:
          path: metadata.annotations
          content:
            some-annotation: some-value
+
+  - it: migrate.useHook=>true -> should add "helm.sh/hook" annotations to serviceAccount
+    set:
+      migrate.useHook: true
+    asserts:
+      - isSubset:
+          path: metadata.annotations
+          content:
+            "helm.sh/hook": pre-install,pre-upgrade
+            "helm.sh/hook-weight": "-5"
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
@ -98,7 +98,6 @@ engine:
  # - mountPath: /mnt/redis-tls
  #   name: redis-tls

-
 detached_integrations_service:
  enabled: false
  type: LoadBalancer
@ -255,7 +254,8 @@ celery:
 # Telegram polling pod configuration
 telegramPolling:
  enabled: false
-  resources: {}
+  resources:
+    {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi