helm chart for cht sync #90
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| # Add environment variables and volume mounts as needed | ||
| env: | ||
| - name: PGRST_DB_URI | ||
| value: "postgres://postgres:postgres@postgres:5432/data" |
Check failure
Code scanning / SonarCloud
PostgreSQL database passwords should not be disclosed High
There was a problem hiding this comment.
It seems that sonar really wants to not share dummy passwords. Can we try something like:
postgres://<pguser>:<pgpassword>@postgres:5432/data
| inner.service: postgrest | ||
| spec: | ||
| containers: | ||
| - name: postgrest |
Check warning
Code scanning / SonarCloud
CPU limits should be enforced Medium
| inner.service: postgrest | ||
| spec: | ||
| containers: | ||
| - name: postgrest |
Check warning
Code scanning / SonarCloud
Memory limits should be enforced Medium
| labels: | ||
| app: cht-sync | ||
| inner.service: postgrest | ||
| spec: |
Check warning
Code scanning / SonarCloud
Service account tokens should not be mounted in pods Medium
| app: cht-sync | ||
| spec: | ||
| containers: | ||
| - name: logstash |
Check warning
Code scanning / SonarCloud
CPU limits should be enforced Medium
| app: cht-sync | ||
| spec: | ||
| containers: | ||
| - name: logstash |
Check warning
Code scanning / SonarCloud
Memory limits should be enforced Medium
| metadata: | ||
| labels: | ||
| app: cht-sync | ||
| spec: |
Check warning
Code scanning / SonarCloud
Service account tokens should not be mounted in pods Medium
| metadata: | ||
| labels: | ||
| app: cht-sync | ||
| spec: |
Check warning
Code scanning / SonarCloud
Service account tokens should not be mounted in pods Medium
| app: cht-sync | ||
| spec: | ||
| containers: | ||
| - name: dbt |
Check warning
Code scanning / SonarCloud
CPU limits should be enforced Medium
| app: cht-sync | ||
| spec: | ||
| containers: | ||
| - name: dbt |
Check warning
Code scanning / SonarCloud
Memory limits should be enforced Medium
|
this is not totally final because there isn't a good way to access the postgres db in the cluster (see #87). but I want to merge this to main since #79 depends on it and the github build task in main keeps overwriting the latest images with feature branches. |
|
@witash, is this PR ready for re-review? If yes, re-request review from @dianabarsan or any other people who should have a look at this. |
| memory: {{ (.Values.postgrest).memory_limit | default "500Mi" }} | ||
| env: | ||
| - name: PGRST_DB_URI | ||
| value: | |
There was a problem hiding this comment.
This causes the error below. Setting the value to {{ printf "postgres://%s:%s@%s:5432/%s" .Values.postgres.user .Values.postgres.password .Values.postgres.host .Values.postgres.db }} works though.
{"code":"PGRST000","details":"connection to server at \"postgres\" (172.20.202.161), port 5432 failed: FATAL: database \"data\n\" does not exist\n","hint":null,"message":"Database connection error. Retrying the connection."}
dbt/dbt-run.py
Outdated
| {os.getenv('POSTGRES_SCHEMA')} | ||
| {os.getenv('POSTGRES_SCHEMA')}; | ||
|
|
||
| CREATE TABLE IF NOT EXISTS {os.getenv('POSTGRES_SCHEMA')}.{os.getenv('POSTGRES_TABLE')} ( |
There was a problem hiding this comment.
I think we should totally aim not not create tables and such in code. I believe the whole allure of dbt is that you can have these versioned clean schema files, but here we're just inlining the table create in python?
Is there a way we can use dbt to create these and keep the schema in its own file?
There was a problem hiding this comment.
Also, how is this connected to the helm chart?
There was a problem hiding this comment.
its not related to the the helm chart and was already merged to main separately.
dbt mainly creates tables by wrapping select from existing tables in create table statements, the assumption is that there's some source db that dbt is not managing.
but it is possible to just run raw sql, including ddl and yea i agree in this case probably makes more sense to do that instead of creating the table here. Also then could just have one "root" table instead of two.
related to medic/cht-pipeline#84
| - name: POSTGRES_SCHEMA | ||
| value: {{ $.Values.postgres.schema }} | ||
| - name: COUCHDB_USER | ||
| value: {{ $.Values.couchdb.user }} |
There was a problem hiding this comment.
The user can vary between instances
| - name: COUCHDB_HOST | ||
| value: {{ $service.host }} | ||
| - name: COUCHDB_DBS | ||
| value: {{ $.Values.couchdb.dbs }} |
There was a problem hiding this comment.
We could also vary between which databases we sync from every instance.
| - name: COUCHDB_DBS | ||
| value: {{ $.Values.couchdb.dbs }} | ||
| - name: COUCHDB_PORT | ||
| value: {{ $.Values.couchdb.port | quote }} |
There was a problem hiding this comment.
Same for port and secure.
We can't assume all instances will be the same.
deploy/cht_sync/values.yaml.template
Outdated
| # values for each couchdb instance | ||
| # host and password are required | ||
| # other values can be ommitted if common to all couchdb instances and specified above | ||
| couchdbs: # values for in |
There was a problem hiding this comment.
This doesn't really exemplify of how I would add multiple couchdb servers to sync from.
There was a problem hiding this comment.
can you elaborate on this? what specifically does not exemplify how would you add multiple couchdb servers to sync from?
There was a problem hiding this comment.
As a reader I'm not imagining how this would look like.
Is it like:
couchdbs: # values for in
- host: "host1"
password: ""
user: ""
dbs: "medic medic-sentinel"
port: "5984"
secure: "true"
- host: "host2"
password: ""
user: ""
dbs: "medic medic-users"
port: "5984"
secure: "true"
I think it would be helpful if we add an example, because these iterator types are weird in yml
There was a problem hiding this comment.
yes, that's what its supposed to be.
There is a section couchdb for shared values, and couchdbs for a list of values which are not shared.
which makes it a little more complicated, but otherwise when user,dbs,port and secure are NOT different, like for MoH Kenya, have to copy them 47 times, and don't like copy/pasting that much.
added an example to values.yaml.template
couchdbs:
- host: "host1" # required for all couchdb instances
password: "" # required for all couchdb instances
- host: "host2"
password: ""
- host: "host3"
password: ""
user: "user2" # required if different than above
dbs: "medic medic_sentinel" # required if different than above
port: "5984" # required if different than above
secure: "true" # required if different than above
There was a problem hiding this comment.
thanks a lot, I think this example is super helpful.
* add helm chart * fix typos * add volumeClaim and remove serviceName * changing postgres service to load balancer for access * add redis and redis-worker * fix sonar issues and resource limits * fix defaults and allow configurable limts * tag images with branch and allow use in templates * initialize table in dbt container * remove external load balancer * remove defaults in values template * change redis port * remove newline from env var * remove old templates and add couch2pg * multiple instances for couch2pg * allow user,dbs,port, and secure to vary * adding multi instance example
|
🎉 This PR is included in version 1.0.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
this branch contains
a helm chart for deploying cht sync on kubernetes.
including logstash, postgrest, and dbt containers for all deployments
optionally a postgres db and service
and experimentally a redis instance and the redis worker to copy data from it
change to the github task which was building and pushing images with the :latest tag on every push on every branch, which causes problems for deploying on kubernetes; for now, it just tags images with the branch name, we can make additional changes in its own branch after this is merged.
creates the couchdb database in the dbt worker.
Closes #75