From 252eed1b15289740ba953861076de86ddc99fe4a Mon Sep 17 00:00:00 2001
From: "Florian Rusch (ZF Friedrichshafen AG)"
Date: Wed, 22 Nov 2023 15:42:26 +0100
Subject: [PATCH] feat(helm): Make liveness & readiness probes configurable (#99)
* feat(helm): Make liveness & readiness probes configurable
* Add possibility to disable probes
* Update chart README.md
* add examples to ingress config
* Bump chart version
* Update README.md
* Add workflow step for checking chart readme changed
* Fix readme generation
* Add some names to the worflow steps
* Rename workflow
* Update chart README.md
---
 ...t-lint-test.yml => chart-verification.yml} | 29 +++++++++++++++--
 charts/managed-identity-wallet/README.md | 27 +++++++++++++---
 .../managed-identity-wallet/README.md.gotmpl | 3 +-
 .../templates/deployment.yaml | 27 ++++++++++------
 charts/managed-identity-wallet/values.yaml | 32 +++++++++++++++++++
 5 files changed, 99 insertions(+), 19 deletions(-)
 rename .github/workflows/{chart-lint-test.yml => chart-verification.yml} (84%)
diff --git a/.github/workflows/chart-lint-test.yml b/.github/workflows/chart-verification.yml
similarity index 84%
rename from .github/workflows/chart-lint-test.yml
rename to .github/workflows/chart-verification.yml
index 620586d1f..5c70c1553 100644
--- a/.github/workflows/chart-lint-test.yml
+++ b/.github/workflows/chart-verification.yml
@@ -17,7 +17,7 @@
 # * SPDX-License-Identifier: Apache-2.0
 # ********************************************************************************/
-name: Lint and Test Charts
+name: Verify and Test Helm Chart
 on:
 workflow_dispatch:
@@ -44,7 +44,7 @@ jobs:
 - name: Add bitnami repo
 run: |
- helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo update
 - name: Update Helm dependencies
@@ -63,6 +63,29 @@ jobs:
 - name: Run linting
 run: ct lint --config charts/chart-testing-config.yaml --charts ./charts/managed-identity-wallet
+ verify-helm-docs:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Run helm docs command
+ uses: addnab/docker-run-action@v3
+ with:
+ image: jnorwood/helm-docs:v1.11.3
+ options: -v ${{ github.workspace }}/charts:/helm-docs
+ run: helm-docs
+
+ - name: Verify that no changes are required
+ run: |
+ if $(git diff --quiet --exit-code); then
+ echo "Helm chart docs up to date"
+ else
+ echo "Helm chart docs not up to date:"
+ git diff
+ exit 1
+ fi
+
 chart-test:
 runs-on: ubuntu-latest
 steps:
@@ -86,7 +109,7 @@ jobs:
 - name: Add bitnami repo
 run: |
- helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo update
 - name: Update Helm dependencies
diff --git a/charts/managed-identity-wallet/README.md b/charts/managed-identity-wallet/README.md
index 95158bb53..25aa19921 100644
--- a/charts/managed-identity-wallet/README.md
+++ b/charts/managed-identity-wallet/README.md
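Review bot: The check `if $(git diff --quiet --exit-code); then` in the new "Verify that no changes are required" step runs git inside a command substitution and then executes its (empty) output instead of testing git's exit status directly; it appears to pass only because bash falls back to the status of the last command substitution when a command expands to nothing, which reads as broken and is not portable to other shells. Write it as `if git diff --quiet; then` (`--quiet` already implies `--exit-code`). Separately, `addnab/docker-run-action@v3` and `jnorwood/helm-docs:v1.11.3` are referenced by mutable tags; pinning the action to a commit SHA and the image to a digest keeps the regenerated README reproducible and limits supply-chain drift in a job that writes into the checked-out tree. The enclosing `jobs:` mapping starts before this hunk.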
@@ -2,7 +2,7 @@
 # managed-identity-wallet
-![Version: 0.1.0-rc.2](https://img.shields.io/badge/Version-0.1.0--rc.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0-rc.2](https://img.shields.io/badge/AppVersion-0.1.0--rc.2-informational?style=flat-square)
+![Version: 0.2.0-develop.4](https://img.shields.io/badge/Version-0.2.0--develop.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0-develop.4](https://img.shields.io/badge/AppVersion-0.2.0--develop.4-informational?style=flat-square)
 Managed Identity Wallet is supposed to supply a secure data source and data sink for Digital Identity Documents (DID), in order to enable Self-Sovereign Identity founding on those DIDs. And at the same it shall support an uninterrupted tracking and tracing and documenting the usage of those DIDs, e.g. within logistical supply chains.
@@ -100,8 +100,11 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | keycloak.auth.adminPassword | string | `""` | Keycloak admin password |
 | keycloak.auth.adminUser | string | `"admin"` | Keycloak admin user |
 | keycloak.enabled | bool | `true` | Enable to deploy Keycloak |
-| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_HOSTNAME"` | |
-| keycloak.extraEnvVars[0].value | string | `"{{ .Release.Name }}-keycloak"` | |
+| keycloak.extraEnvVars | list | `[]` | |
+| keycloak.ingress.annotations | object | `{}` | |
+| keycloak.ingress.enabled | bool | `false` | |
+| keycloak.ingress.hosts | list | `[]` | |
+| keycloak.ingress.tls | list | `[]` | |
 | keycloak.keycloakConfigCli.backoffLimit | int | `2` | Number of retries before considering a Job as failed |
 | keycloak.keycloakConfigCli.enabled | bool | `true` | Enable to create the miw playground realm |
 | keycloak.keycloakConfigCli.existingConfigmap | string | `"keycloak-realm-config"` | Existing configmap name for the realm configuration |
@@ -110,6 +113,12 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | keycloak.postgresql.auth.username | string | `"miw_keycloak"` | Keycloak PostgreSQL user |
 | keycloak.postgresql.enabled | bool | `true` | Enable to deploy PostgreSQL |
 | keycloak.postgresql.nameOverride | string | `"keycloak-postgresql"` | Name of the PostgreSQL chart to deploy. Mandatory when the MIW deploys a PostgreSQL chart, too. |
+| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":5,"timeoutSeconds":15}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
+| livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe at all |
+| livenessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. |
+| livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before readiness probe are initiated. |
+| livenessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the probe times out. |
 | miw.authorityWallet.bpn | string | `"BPNL000000000000"` | Authority Wallet BPNL |
 | miw.authorityWallet.name | string | `""` | Authority Wallet Name |
 | miw.database.encryptionKey.secret | string | `""` | Existing secret for database encryption key |
@@ -128,7 +137,7 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | miw.keycloak.realm | string | `"miw_test"` | Keycloak realm |
 | miw.keycloak.url | string | `"http://{{ .Release.Name }}-keycloak"` | Keycloak URL |
 | miw.logging.level | string | `"INFO"` | Log level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. |
-| miw.ssi.enforceHttpsInDidWebResolution | bool | `false` | Enable to use HTTPS in DID Web Resolution |
+| miw.ssi.enforceHttpsInDidWebResolution | bool | `true` | Enable to use HTTPS in DID Web Resolution |
 | miw.ssi.vcExpiryDate | string | `""` | Verifiable Credential expiry date. Format 'dd-MM-yyyy'. If empty it is set to 31-12- |
 | nameOverride | string | `""` | String to partially override common.names.fullname template (will maintain the release name) |
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector configuration |
@@ -144,6 +153,13 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | postgresql.backup.conjob.storage.size | string | `"8Gi"` | PVC Storage Request for the backup data volume |
 | postgresql.backup.enabled | bool | `false` | Enable to create a backup cronjob |
 | postgresql.enabled | bool | `true` | Enable to deploy Postgresql |
+| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":5}` | Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
+| readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe at all |
+| readinessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. |
+| readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before readiness probe are initiated. |
+| readinessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed. |
+| readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
 | replicaCount | int | `1` | The amount of replicas to run |
 | resources.limits.cpu | int | `2` | CPU resource limits |
 | resources.limits.memory | string | `"1Gi"` | Memory resource limits |
@@ -230,9 +246,10 @@ when deploying the MIW in a production environment:
 | Name | Email | Url |
 | ---- | ------ | --- |
+| Dominik Pinsel | | |
 | Peter Motzko | | |

(back to top)

----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/)
diff --git a/charts/managed-identity-wallet/README.md.gotmpl b/charts/managed-identity-wallet/README.md.gotmpl
index 6263c171f..eb9cfa76a 100644
--- a/charts/managed-identity-wallet/README.md.gotmpl
+++ b/charts/managed-identity-wallet/README.md.gotmpl
@@ -155,4 +155,5 @@ when deploying the MIW in a production environment:

(back to top)

-{{ template "helm-docs.versionFooter" . }}
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/)
diff --git a/charts/managed-identity-wallet/templates/deployment.yaml b/charts/managed-identity-wallet/templates/deployment.yaml
index 9a1aa38ae..e632ca24a 100644
--- a/charts/managed-identity-wallet/templates/deployment.yaml
+++ b/charts/managed-identity-wallet/templates/deployment.yaml
@@ -113,26 +113,33 @@ spec:
 - name: http
 containerPort: 8080
 protocol: TCP
+ {{- with .Values.livenessProbe }}
+ {{- if .enabled }}
 livenessProbe:
- failureThreshold: 3
 httpGet:
 path: /actuator/health/liveness
 port: 8090
 scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 5
- initialDelaySeconds: 30
+ failureThreshold: {{ .failureThreshold }}
+ initialDelaySeconds: {{ .initialDelaySeconds }}
+ periodSeconds: {{ .periodSeconds }}
+ timeoutSeconds: {{ .timeoutSeconds }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ {{- if .enabled }}
 readinessProbe:
- failureThreshold: 3
 httpGet:
 path: /actuator/health/readiness
 port: 8090
 scheme: HTTP
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 5
- initialDelaySeconds: 30
+ failureThreshold: {{ .failureThreshold }}
+ initialDelaySeconds: {{ .initialDelaySeconds }}
+ periodSeconds: {{ .periodSeconds }}
+ successThreshold: {{ .successThreshold }}
+ timeoutSeconds: {{ .timeoutSeconds }}
+ {{- end }}
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml
index 414099293..806265cea 100644
--- a/charts/managed-identity-wallet/values.yaml
+++ b/charts/managed-identity-wallet/values.yaml
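Review bot: The new probe rendering does not say why `successThreshold` is templated for the readiness probe but left out of the liveness probe, so a user who sets `livenessProbe.successThreshold` in values will have it silently ignored; a template comment above `livenessProbe:` such as `{{/* successThreshold is intentionally not rendered: the Kubernetes API requires it to be 1 for liveness probes */}}` would make that explicit. Both probes are also wrapped in `{{- with .Values.livenessProbe }}` / `{{- with .Values.readinessProbe }}`, so overriding either key with `null` or `{}` removes the probe entirely, a second path to an unprobed container besides the documented `enabled: false`; that is worth a sentence in the chart README so operators can detect an accidentally disabled probe in their values. The container spec these probes belong to starts before this hunk.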
@@ -61,6 +61,10 @@ ingress:
 annotations: {}
 # -- Ingress accepted hostnames
 hosts: []
+ # - host: chart-example.local
+ # paths:
+ # - path: /
+ # pathType: Prefix
 # -- Ingress TLS configuration
 tls: []
 # - secretName: chart-example-tls
@@ -82,6 +86,34 @@ securityContext:
 # -- Enable to run the container as a non-root user
 runAsNonRoot: true
+# -- Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+livenessProbe:
+ # -- Enables/Disables the livenessProbe at all
+ enabled: true
+ # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container.
+ failureThreshold: 3
+ # -- Number of seconds after the container has started before readiness probe are initiated.
+ initialDelaySeconds: 20
+ # -- Number of seconds after which the probe times out.
+ timeoutSeconds: 15
+ # -- How often (in seconds) to perform the probe
+ periodSeconds: 5
+
+# -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+readinessProbe:
+ # -- Enables/Disables the readinessProbe at all
+ enabled: true
+ # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready.
+ failureThreshold: 3
+ # -- Number of seconds after the container has started before readiness probe are initiated.
+ initialDelaySeconds: 30
+ # -- How often (in seconds) to perform the probe
+ periodSeconds: 5
+ # -- Minimum consecutive successes for the probe to be considered successful after having failed.
+ successThreshold: 1
+ # -- Number of seconds after which the probe times out.
+ timeoutSeconds: 5
+
 resources:
 requests:
 # -- CPU resource requests
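Review bot: The helm-docs comment on `livenessProbe.initialDelaySeconds` says "before readiness probe are initiated", a copy of the readiness wording, and since this text is regenerated into the chart README it should read `# -- Number of seconds after the container has started before the liveness probe is initiated.` (with the readiness counterpart fixed to `... before the readiness probe is initiated.`). The liveness defaults also pair `timeoutSeconds: 15` with `periodSeconds: 5`, so one slow check can outlast several probe periods and a hung container is likely to take on the order of failureThreshold × timeoutSeconds (≈45 s) after initialDelaySeconds before it is restarted; the inline probe this replaces used 5/5, so confirm the longer timeout is intended and not a transposition with initialDelaySeconds. The `livenessProbe` keys are ordered enabled/failureThreshold/initialDelaySeconds/timeoutSeconds/periodSeconds while `readinessProbe` is alphabetical; using the same order in both blocks makes the two easier to compare.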