oncall-engine/helm
Andre Buryndin d9c3d084be
feature: Hardening the Helm deployment with Redis and Postgres TLS (#3029)
# What this PR does

Short summary: this PR improves security and configuration management
for Helm deployment. Please take a look at the details below.

## Which issue(s) this PR fixes

Issues:
- Cannot explicitly define redis database (only 0 and 1 numbers are used)
- Cannot securely use TLS for Redis (cannot set CA certificate; cannot set client certificates)
- Cannot securely use TLS for Postgres (cannot set CA certificate; cannot set client certificates; cannot set `verify-full` validation)
- ~~Chart option `securityContext.readOnlyRootFilesystem: true` issues CrashLoopBack pod state~~ will be moved to new PR

## Checklist

- [x] ~~Unit, integration, and e2e (if applicable) tests updated~~ (not required)
- [x] Documentation added (or `pr:no public docs` PR label added if not required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required)

- [x] Helm tests are fixed and updated
- [x] Manually verified the features:
  - [x] postgres TLS connection with `verify-full` validation
  - [x] redis TLS connection with `cert_required` validation
  - [x] redis protocol and database number controls
  - [x] all containers properly work in read-only root filesystem
- [x] all changes are backward compatible (don't break old deployments)

## Changelog

- Fixed helm tests
- Added configuration options for secure TLS communication with dependencies like Redis, MySQL, and Postgres
- ~~Added configuration option for relocating `celerybeat` database file (read-only root filesystem issue)~~ will be moved to new PR
- Improved redis database configuration options
- Now only single redis database is used
- Added ability to mount custom volumes (with CA certificates, for example) into Helm chart
- ~~Fixed issue with read-only root filesystem for Helm chart~~ will be moved to new PR
- Add ability to work with Redis ACL (and AWS ElastiCache)
2023-10-03 09:25:28 -04:00
oncall feature: Hardening the Helm deployment with Redis and Postgres TLS (#3029) 2023-10-03 09:25:28 -04:00
cr.yaml configure yamllint pre-commit step (#2728) 2023-08-03 02:35:08 -04:00
ct.yaml configure yamllint pre-commit step (#2728) 2023-08-03 02:35:08 -04:00
kind.yml Use Tilt for local development (#1396) 2023-09-07 19:38:19 +08:00
README.md Use Tilt for local development (#1396) 2023-09-07 19:38:19 +08:00
simple.yml first UI integration test - phone verification + receive SMS alert flow (#900) 2023-03-06 16:28:52 +00:00

How to run the chart locally

  1. Create the cluster with kind

     Make sure ports 30001 and 30002 are free on your machine.

       kind create cluster --image kindest/node:v1.24.7 --config kind.yml

  2. (Optional) Build the oncall image locally and load it into the kind cluster

       docker build ../engine -t oncall/engine:latest --target dev
       kind load docker-image oncall/engine:latest

  3. Install the helm chart

       helm install helm-testing \
         --wait \
         --values ./simple.yml \
         ./oncall

  4. Get credentials

       echo "\n\nOpen Grafana on localhost:30002 with credentials - user: admin, password: $(kubectl get secret --namespace default helm-testing-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo)"
       echo "Open Plugins -> Grafana OnCall -> fill form: backend url: http://host.docker.internal:30001"

  5. Clean up

     If you happen to run `helm uninstall helm-testing`, be sure to delete all the Persistent Volume Claims, as Postgres stores the auto-generated password on disk and the next `helm install` will fail.

       kubectl delete pvc --all
       kubectl delete pv --all

     This, of course, will delete all the PVs and PVCs also :-)

       kind delete cluster