From ab561db8a71b80933971dacde7004079ef9baa09 Mon Sep 17 00:00:00 2001 From: Andre Buryndin Date: Tue, 21 Nov 2023 18:21:33 +0100 Subject: [PATCH] Fixing helm hooks for install stage (#3136) # What this PR does ## Issue At the first run (`helm install ...`) the migration job cannot start the container because cannot find Postgres/Redis/MySQL credentials and ServiceAccount. Workaround: set `.migrate.useHook` value to `false` for the `install` stage, and after you can switch back to `true`. This PR completely resolves this issue. ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated (doesn't violate anything) - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required) - [x] It is manually tested in the internal environment --------- Co-authored-by: Joey Orlando Co-authored-by: Joey Orlando --- helm/oncall/templates/engine/job-migrate.yaml | 1 + helm/oncall/templates/secrets.yaml | 25 +++++++++++++++++ helm/oncall/templates/serviceaccount.yaml | 8 +++++- .../tests/migrate_annotations_test.yaml | 18 ++++++------ .../oncall/tests/mysql_password_env_test.yaml | 24 ++++++++++++++++ .../tests/postgres_password_env_test.yaml | 28 +++++++++++++++++++ helm/oncall/tests/rabbitmq_env_test.yaml | 26 +++++++++++++++++ helm/oncall/tests/redis_env_test.yaml | 27 ++++++++++++++++++ helm/oncall/tests/service_account_test.yaml | 10 +++++++ helm/oncall/values.yaml | 4 +-- 10 files changed, 160 insertions(+), 11 deletions(-) diff --git a/helm/oncall/templates/engine/job-migrate.yaml b/helm/oncall/templates/engine/job-migrate.yaml index 5f1b716e..09782954 100644 --- a/helm/oncall/templates/engine/job-migrate.yaml +++ b/helm/oncall/templates/engine/job-migrate.yaml 
@@ -6,6 +6,7 @@ metadata:
 name: {{ printf "%s-migrate" (include "oncall.engine.fullname" .) }}
 annotations:
 "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-1"
 {{- with .Values.migrate.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/helm/oncall/templates/secrets.yaml b/helm/oncall/templates/secrets.yaml
index 05f437c2..821592fa 100644
--- a/helm/oncall/templates/secrets.yaml
+++ b/helm/oncall/templates/secrets.yaml
@@ -5,6 +5,11 @@ metadata:
 name: {{ include "oncall.fullname" . }}
 labels:
 {{- include "oncall.labels" . | nindent 4 }}
+ {{- if .Values.migrate.useHook }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ {{- end }}
 type: Opaque
 data:
 {{ include "snippet.oncall.secret.secretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }}
@@ -16,6 +21,11 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "oncall.fullname" . }}-mysql-external
+ {{- if .Values.migrate.useHook }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ {{- end }}
 type: Opaque
 data:
 mariadb-root-password: {{ required "externalMysql.password is required if not mariadb.enabled and not externalMysql.existingSecret" .Values.externalMysql.password | b64enc | quote }}
@@ -26,6 +36,11 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "oncall.fullname" . }}-postgresql-external
+ {{- if .Values.migrate.useHook }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ {{- end }}
 type: Opaque
 data:
 postgres-password: {{ required "externalPostgresql.password is required if not postgresql.enabled and not externalPostgresql.existingSecret" .Values.externalPostgresql.password | b64enc | quote }}
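Review bot: The `"-1"` weight added to the migrate Job in `job-migrate.yaml` only makes sense relative to the `"-5"` used on the Secrets and ServiceAccount in other templates, and nothing in this file records that dependency. A comment beside the annotation would protect the ordering from a later edit, for example `# must sort after the -5 hooks in secrets.yaml and serviceaccount.yaml so credentials exist before the Job starts`. Because `.Values.migrate.annotations` is rendered directly below with `toYaml`, a user-supplied `helm.sh/hook-weight` would render as a duplicate key, which deserves a line in the values documentation. The Job template continues outside the hunk.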
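Review bot: Marking the chart's Secrets as `pre-install,pre-upgrade` hooks, in the first `secrets.yaml` hunk and in the four `-external` Secret hunks after it, takes them out of release management. Helm does not remove hook resources on `helm uninstall`, so the database and broker credentials stay in the namespace after the release is gone. With no `helm.sh/hook-delete-policy` set, the default `before-hook-creation` policy also deletes and recreates each Secret on every upgrade. For the first Secret this means the `randAlphaNum 40` value on the context line is written fresh each time; whether it was stable before depends on template lines outside the hunk. I would state the lifecycle in the template, e.g. `# hook resource: recreated on every upgrade, not deleted by helm uninstall`, and document the manual cleanup step for operators.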
@@ -36,6 +51,11 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "oncall.fullname" . }}-rabbitmq-external
+ {{- if .Values.migrate.useHook }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ {{- end }}
 type: Opaque
 data:
 rabbitmq-password: {{ required "externalRabbitmq.password is required if not rabbitmq.enabled and not externalRabbitmq.existingSecret" .Values.externalRabbitmq.password | b64enc | quote }}
@@ -46,6 +66,11 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "oncall.fullname" . }}-redis-external
+ {{- if .Values.migrate.useHook }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ {{- end }}
 type: Opaque
 data:
 redis-password: {{ required "externalRedis.password is required if not redis.enabled and not externalRedis.existingSecret" .Values.externalRedis.password | b64enc | quote }}
diff --git a/helm/oncall/templates/serviceaccount.yaml b/helm/oncall/templates/serviceaccount.yaml
index 88184b27..d0a5a9eb 100644
--- a/helm/oncall/templates/serviceaccount.yaml
+++ b/helm/oncall/templates/serviceaccount.yaml
@@ -5,8 +5,14 @@ metadata:
 name: {{ include "oncall.serviceAccountName" . }}
 labels:
 {{- include "oncall.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
+ {{- if or (.Values.migrate.useHook) (.Values.serviceAccount.annotations) }}
 annotations:
+ {{- if .Values.migrate.useHook }}
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
 {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/oncall/tests/migrate_annotations_test.yaml b/helm/oncall/tests/migrate_annotations_test.yaml
index e104bf80..4786a189 100644
--- a/helm/oncall/tests/migrate_annotations_test.yaml
+++ b/helm/oncall/tests/migrate_annotations_test.yaml
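Review bot: With `migrate.useHook` on, the `serviceaccount.yaml` hunk turns the ServiceAccount into a hook resource, so under the default `before-hook-creation` policy every `helm upgrade` deletes and recreates it. Pods that keep running across the upgrade hold tokens bound to the old object, and those tokens are likely to stop validating once the account has a new UID. This should be confirmed for any workload in the chart that calls the Kubernetes API or relies on account annotations for cloud identity. The merged block also lets `serviceAccount.annotations` carry its own `helm.sh/hook` keys, which would render as duplicates of the fixed ones. A comment above the outer `if`, such as `# hook annotations first; user annotations must not repeat helm.sh/* keys`, would record that constraint.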
@@ -11,14 +11,15 @@ tests: - notExists: path: metadata.annotations - - it: migrate.useHook=true -> should only provide the "helm.sh/hook" annotation + - it: migrate.useHook=true -> should provide the "helm.sh/hook" annotations set: migrate.useHook: true asserts: - - isSubset: + - equal: path: metadata.annotations - content: + value: "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-1" - it: migrate.useHook=false and annotations set -> should only contain the custom annotations set: @@ -27,24 +28,25 @@ tests: some-annotation: some-value other-annotation: other-value asserts: - - isSubset: + - equal: path: metadata.annotations - content: + value: some-annotation: some-value other-annotation: other-value - it: > migrate.useHook=true and annotations set -> should contain the custom annotations - and the "helm.sh/hook" annotation + and the "helm.sh/hook" annotations set: migrate.useHook: true migrate.annotations: some-annotation: some-value other-annotation: other-value asserts: - - isSubset: + - equal: path: metadata.annotations - content: + value: "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-1" some-annotation: some-value other-annotation: other-value diff --git a/helm/oncall/tests/mysql_password_env_test.yaml b/helm/oncall/tests/mysql_password_env_test.yaml index 05f791e7..6624b1aa 100644 --- a/helm/oncall/tests/mysql_password_env_test.yaml +++ b/helm/oncall/tests/mysql_password_env_test.yaml 
@@ -106,3 +106,27 @@ tests:
 secretKeyRef:
 name: some-mysql-secret
 key: mysql.key
+
+ - it: |
+ mariadb.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+ to secret with MySQL credentials
+ templates:
+ - secrets.yaml
+ set:
+ migrate.useHook: true
+ mariadb.enabled: false
+ externalMysql:
+ user: user123
+ password: abcd123
+ asserts:
+ - containsDocument:
+ kind: Secret
+ apiVersion: v1
+ name: oncall-mysql-external
+ documentIndex: 1
+ - isSubset:
+ path: metadata.annotations
+ content:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ documentIndex: 1
diff --git a/helm/oncall/tests/postgres_password_env_test.yaml b/helm/oncall/tests/postgres_password_env_test.yaml
index c1a72432..5d6466ed 100644
--- a/helm/oncall/tests/postgres_password_env_test.yaml
+++ b/helm/oncall/tests/postgres_password_env_test.yaml
@@ -124,3 +124,31 @@ tests:
 secretKeyRef:
 name: oncall-postgresql
 key: password
+
+ - it: |
+ postgresql.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+ to secret with PostgreSQL credentials
+ templates:
+ - secrets.yaml
+ set:
+ migrate.useHook: true
+ database.type: postgresql
+ postgresql.enabled: false
+ externalPostgresql:
+ host: test-host
+ port: 5555
+ db_name: grafana_oncall
+ user: test_user
+ password: ultrasecretword
+ asserts:
+ - containsDocument:
+ kind: Secret
+ apiVersion: v1
+ name: oncall-postgresql-external
+ documentIndex: 1
+ - isSubset:
+ path: metadata.annotations
+ content:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ documentIndex: 1
diff --git a/helm/oncall/tests/rabbitmq_env_test.yaml b/helm/oncall/tests/rabbitmq_env_test.yaml
index 9ecdc766..5ef8b790 100644
--- a/helm/oncall/tests/rabbitmq_env_test.yaml
+++ b/helm/oncall/tests/rabbitmq_env_test.yaml
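Review bot: The new MySQL case asserts the hook annotations only when `migrate.useHook` is true; nothing pins the opposite branch, where the Secret must stay an ordinary release resource without them. The PostgreSQL case in this file group and the RabbitMQ, Redis and ServiceAccount cases added further down have the same gap. A sibling case with `migrate.useHook: false` that asserts `notExists` on `metadata.annotations` would catch a regression that makes the annotations unconditional; the sketch below reuses the fixture values from this hunk. The title `migrate.useHook=>true` also looks like a typo for `=true`.

```yaml
  - it: mariadb.enabled=false and migrate.useHook=false -> secret with MySQL credentials has no hook annotations
    templates:
      - secrets.yaml
    set:
      migrate.useHook: false
      mariadb.enabled: false
      externalMysql:
        user: user123
        password: abcd123
    asserts:
      - notExists:
          path: metadata.annotations
        documentIndex: 1
```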
@@ -268,3 +268,29 @@ tests:
 - failedTemplate:
 errorMessage: externalRabbitmq.host is required if not rabbitmq.enabled
 template: engine/job-migrate.yaml
+
+ - it: |
+ rabbitmq.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+ to secret with rabbitmq credentials
+ templates:
+ - secrets.yaml
+ set:
+ migrate.useHook: true
+ broker.type: rabbitmq
+ rabbitmq.enabled: false
+ externalRabbitmq:
+ host: rabbitmq-host
+ user: user
+ password: password
+ asserts:
+ - containsDocument:
+ kind: Secret
+ apiVersion: v1
+ name: oncall-rabbitmq-external
+ documentIndex: 1
+ - isSubset:
+ path: metadata.annotations
+ content:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ documentIndex: 1
diff --git a/helm/oncall/tests/redis_env_test.yaml b/helm/oncall/tests/redis_env_test.yaml
index ba4dd3fa..325bb705 100644
--- a/helm/oncall/tests/redis_env_test.yaml
+++ b/helm/oncall/tests/redis_env_test.yaml
@@ -268,3 +268,30 @@ tests:
 content:
 name: REDIS_SSL_CERT_REQS
 value: "cert_required"
+
+ - it: |
+ redis.enabled=false and migrate.useHook=>true -> should add "helm.sh/hook" annotations
+ to secret with Redis credentials
+ templates:
+ - secrets.yaml
+ set:
+ migrate.useHook: true
+ broker.type: redis
+ rabbitmq.enabled: false
+ redis.enabled: false
+ externalRedis:
+ host: custom-host
+ port: 6379
+ password: custom-password
+ asserts:
+ - containsDocument:
+ kind: Secret
+ apiVersion: v1
+ name: oncall-redis-external
+ documentIndex: 1
+ - isSubset:
+ path: metadata.annotations
+ content:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ documentIndex: 1
diff --git a/helm/oncall/tests/service_account_test.yaml b/helm/oncall/tests/service_account_test.yaml
index c60aabc0..0cebd438 100644
--- a/helm/oncall/tests/service_account_test.yaml
+++ b/helm/oncall/tests/service_account_test.yaml
@@ -42,3 +42,13 @@ tests: path: metadata.annotations content: some-annotation: some-value + + - it: migrate.useHook=>true -> should add "helm.sh/hook" annotations to serviceAccount + set: + migrate.useHook: true + asserts: + - isSubset: + path: metadata.annotations + content: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-5" diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml index b741b1a4..e5323893 100644 --- a/helm/oncall/values.yaml +++ b/helm/oncall/values.yaml @@ -98,7 +98,6 @@ engine: # - mountPath: /mnt/redis-tls # name: redis-tls - detached_integrations_service: enabled: false type: LoadBalancer @@ -255,7 +254,8 @@ celery: # Telegram polling pod configuration telegramPolling: enabled: false - resources: {} + resources: + {} # limits: # cpu: 100m # memory: 128Mi