Initial code commit

This commit is contained in:
Alan Bridgeman 2025-05-12 19:22:55 -05:00
parent 5b71cecab6
commit b3382d880b
37 changed files with 1778 additions and 1 deletions


@ -0,0 +1,9 @@
{{- if and (.Values.comms.email.enabled) (eq .Values.comms.email.type "acs") -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-email-secret
type: opaque
data:
connection-string: {{ .Values.comms.email.connectionString | b64enc }}
{{- end -}}
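Review bot: `type: opaque` is lowercase here while the cache-credentials and db-password Secrets in this commit use the conventional `Opaque`; the API server accepts any type string, so nothing is rejected, but this creates a distinct custom type and anything that filters on `type=Opaque` will skip it. The logging-sidecar password Secret and the vault Secret carry the same lowercase spelling. Change all three to `type: Opaque`.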


@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-cache-configmap
namespace: {{ .Release.Namespace }}
data:
{{- if and (eq .Values.cache.type "redis") (.Values.cache.create) }}
hostname: {{ .Release.Name }}-redis
{{- else }}
hostname: {{ .Values.cache.hostname }}
{{- end }}
port: {{ .Values.cache.port | quote }}


@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-cache-credentials
type: Opaque
data:
password: {{ .Values.cache.password | b64enc }}
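Review bot: `password: {{ .Values.cache.password | b64enc }}` has no guard, so an unset value fails with an unhelpful type error out of `b64enc`, and an empty string silently produces a Secret holding an empty password — which the redis Deployment in this commit then refuses, since it sets `ALLOW_EMPTY_PASSWORD: "false"`. `password: {{ required "cache.password must be set" .Values.cache.password | b64enc }}` turns both cases into a clear render-time failure. The db-password, stripe, moneris and email Secrets pipe values into `b64enc` the same way and would benefit from the same `required` (or an explicit `default` where an empty credential is genuinely intended).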

37
templates/database.yaml Normal file

@ -0,0 +1,37 @@
{{- if and (eq .Values.database.type "postgres") (.Values.database.create) -}}
apiVersion: postgresql.org/v1
kind: PostgresDatabase
metadata:
name: {{ .Release.Name }}-db
namespace: {{ .Release.Namespace }}
spec:
dbName:
envFrom:
configMapKeyRef:
- name: {{ .Release.Name }}-db-credentials
namespace: postgres-controller
key: db-name
dbRoleName:
envFrom:
configMapKeyRef:
- name: {{ .Release.Name }}-db-credentials
namespace: postgres-controller
key: db-user
dbRolePassword:
envFrom:
secretKeyRef:
- name: {{ .Release.Name }}-db-password
namespace: postgres-controller
key: password
# Because we've adopted a "throw away"/"ephemeral"/"container-esk" approach to our database, we want it to be dropped/deleted when everything else is deleted.
# This is because we re-create it and restore from a backup on every deploy.
# Which helps keep the data current and reinforces the utility of the backup and restore systems.
onDeletion:
# Whether to drop the database when the resource is deleted
dropDB: true
# Whether to drop the role when the resource is deleted
dropRole: true
{{- if .Values.database.instance_id }}
dbInstanceId: {{ .Values.database.instance_id }}
{{- end }}
{{- end -}}
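Review bot: `dbInstanceId: {{ .Values.database.instance_id }}` is the only snake_case values key in the chart and is rendered unquoted, so a purely numeric id becomes a YAML integer; `dbInstanceId: {{ .Values.database.instance_id | quote }}` (and a camelCase key for consistency) avoids the type surprise if the CRD field is a string — the schema is not visible from here. The credentials this resource reads come from a ConfigMap and Secret that the chart writes into the `postgres-controller` namespace, in addition to the copies it writes into the release namespace, so every release's database password becomes readable by anyone with secret access in that one shared namespace; that is a trust boundary worth stating explicitly in the chart's README.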


@ -0,0 +1,16 @@
{{- if and (eq .Values.database.type "postgres") (.Values.database.create) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-db-credentials
namespace: postgres-controller
data:
db-host: {{ .Values.database.host }}
db-name: {{ .Values.database.name }}
db-user: {{ .Values.database.user }}
{{- if .Values.database.port }}
db-port: {{ .Values.database.port | quote }}
{{- else }}
db-port: "5432"
{{- end }}
{{- end -}}
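Review bot: `db-host`, `db-name` and `db-user` are rendered unquoted while `db-port` gets `| quote`; ConfigMap `data` values must be strings, so a host or name that YAML reads as a number or boolean (an all-digit identifier, `yes`) is rejected by the API server at install time. `db-host: {{ .Values.database.host | quote }}`, and the same for the other two keys, keeps every value a string. The release-namespace copy of this ConfigMap, the nosql-grouping ConfigMap and the oauth-credentials ConfigMap render their values unquoted in the same way; since the two db-credentials ConfigMaps are otherwise identical, a named template (`define`) for the data block would stop them drifting apart.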


@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-db-credentials
data:
db-host: {{ .Values.database.host }}
db-name: {{ .Values.database.name }}
db-user: {{ .Values.database.user }}
{{- if .Values.database.port }}
db-port: {{ .Values.database.port | quote }}
{{- else }}
db-port: "5432"
{{- end }}


@ -0,0 +1,10 @@
{{- if and (eq .Values.database.type "postgres") (.Values.database.create) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db-password
namespace: postgres-controller
type: Opaque
data:
password: {{ .Values.database.password | b64enc }}
{{- end -}}


@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db-password
type: Opaque
data:
password: {{ .Values.database.password | b64enc }}

418
templates/deployment.yaml Normal file

@ -0,0 +1,418 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
containers:
- name: {{ .Release.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.container.port }}
env:
- name: NODE_ENV
value: {{ .Values.container.env }}
- name: PORT
value: "{{ .Values.container.port }}"
- name: DOMAIN
value: "bridgemanaccessible.ca"
- name: ACCOUNTS_DEV_PORT
value: "9010"
- name: ACCOUNTS_SUBDOMAIN_PREFIX
value: "account"
# OAuth Implementation Stuff
- name: BASE_APP_URL
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: base-app-url
- name: APP_ABBRV
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: app-abbreviation
- name: APP_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: app-name
- name: SERVICE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: service-name
- name: DEV_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-oauth-credentials
key: dev-port
# Database credentials
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-host
- name: DB_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-name
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-db-password
key: password
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-port
- name: DB_USER
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-user
# NoSQL Credentials
{{- if eq .Values.nosql.type "mongodb" }}
- name: STORAGE_ACCOUNT_CONNECTION_STRING
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-mongo-credentials
key: connection-string
{{- else if eq .Values.nosql.type "azure" }}
- name: STORAGE_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-azure-tables-credentials
key: key
- name: STORAGE_ACCOUNT_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-azure-tables-config
key: name
{{- end }}
# NoSQL Grouping Names
- name: ACCESS_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: access-properties
- name: LOCALE_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: locales
- name: ORDER_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: order-properties
- name: PRICE_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: price-properties
- name: SERVICE_CATEGORY_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: service-category-properties
- name: SERVICE_PROPERTIES_STORAGE_TABLE_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-nosql-grouping
key: service-properties
# -- Secrets Vault (Hashicorp Vault OR Azure Key Vault) --
{{- if .Values.vault.enabled }}
{{- if eq .Values.vault.type "azure" }}
- name: KEYVAULT_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: client-id
- name: KEYVAULT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: client-secret
- name: KEYVAULT_NAME
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: name
- name: KEYVAULT_TENANT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: tenant-id
{{- else if eq .Values.vault.type "hashicorp" }}
- name: VAULT_NAME
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: vault-name
- name: VAULT_PORT
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-vault-secret
key: vault-port
{{- end }}
{{- end }}
# Caching Server Variables
- name: CACHE_HOSTNAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: hostname
- name: CACHE_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: port
- name: CACHE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cache-credentials
key: password
# Email (Azure Communication Services API credentials, etc...)
{{- if and (.Values.comms.email.enabled) (eq .Values.comms.email.type "acs") }}
- name: EMAIL_CONNECTION_STRING
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-email-secret
key: connection-string
{{- end }}
# Third-Party Integrations
{{- if .Values.thirdParty.stripe.enabled }}
- name: STRIPE_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: public-key
- name: STRIPE_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: secret-key
- name: STRIPE_TEST_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: test-public-key
- name: STRIPE_TEST_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-stripe-secret
key: test-secret-key
{{- end }}
{{- if .Values.thirdParty.moneris.enabled }}
- name: MONERIS_MERCHANT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: merchant-id
- name: MONERIS_STORE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: store-id
- name: MONERIS_HT_PROFILE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: ht-profile-id
- name: MONERIS_APP_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: app-id
- name: MONERIS_APP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: app-secret
- name: MONERIS_TEST_MERCHANT_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-merchant-id
- name: MONERIS_TEST_STORE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-store-id
- name: MONERIS_TEST_HT_PROFILE_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-ht-profile-id
- name: MONERIS_TEST_APP_ID
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-app-id
- name: MONERIS_TEST_APP_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-moneris-secret
key: test-app-secret
{{- end }}
# Logging Sidecar related environment variables
{{- if .Values.loggingSidecar.enabled }}
- name: LOGGING_SIDE_CAR_PORT
value: {{ .Values.loggingSidecar.port | quote }}
{{- end }}
# Due to subtleties related to how the entrypoint scripts detects how/when to proceed
# This environment variable indicates if the entrypoint should wait for a restore to complete
{{- if ne .Values.container.restoreFromBackup "" }}
- name: RESTORE_FROM_BACKUP
value: {{ .Values.container.restoreFromBackup | quote }}
{{- end }}
{{- if .Values.vault.create.enabled }}
volumeMounts:
# Mount for a shared volume for app's vault credentials
# Note, this is required because the credentials are created as part of the vault's setup and not known ahead of time
# This seems a better approach than passing, as an example, a preset root token as an environment variable for a few reasons:
# 1. This way even if the app's credentials become compromised their more limited in scope/permissions
# 2. This creates a semi-unintentional wait lock for the app until the vault is ready (and the credentials are created)
- name: role-vars
mountPath: /role_vars
readOnly: true
{{- end }}
# Logging sidecar for sending logs to a log aggregator
{{- if .Values.loggingSidecar.enabled }}
- name: {{ .Values.loggingSidecar.name }}
image: {{ .Values.loggingSidecar.image.repository }}:{{ .Values.loggingSidecar.image.tag }}
imagePullPolicy: {{ .Values.loggingSidecar.image.pullPolicy }}
ports:
- containerPort: {{ .Values.loggingSidecar.port }}
env:
- name: PORT
value: {{ .Values.loggingSidecar.port | quote }}
# Log aggregator (OpenObserve) auth variables
- name: LOGGER_AUTH_USERNAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-logging-sidecar-credentials
key: username
- name: LOGGER_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-logging-sidecar-password
key: password
{{- end }}
# Backup sidecar for backing up service data
{{- if .Values.backupSidecar.enabled }}
- name: {{ .Values.backupSidecar.name }}
image: {{ .Values.backupSidecar.image.repository }}:{{ .Values.backupSidecar.image.tag }}
imagePullPolicy: {{ .Values.backupSidecar.image.pullPolicy }}
ports:
- containerPort: {{ .Values.backupSidecar.port }}
env:
# Release name (used to identify the service/release the backups came from in remote storage)
- name: RELEASE_NAME
value: {{ .Release.Name }}
# Database related environment variables
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-host
- name: DB_NAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-name
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-db-password
key: password
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-port
- name: DB_USER
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-db-credentials
key: db-user
{{- if .Values.vault.create.snapshotServer.enabled }}
- name: VAULT_NAME
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-pass-vault-secret
key: vault-name
- name: VAULT_SNAPSHOT_SERVER_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-vault-snapshot-config
key: port
{{- end }}
# NoSQL storage related environment variables
# Note, we only worry about self-hosted options as cloud-based should have their own backups etc...
{{- if eq .Values.nosql.type "mongodb" }}
- name: STORAGE_ACCOUNT_CONNECTION_STRING
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-mongo-credentials
key: connection-string
{{- end }}
# Redis related environment variables
# Redis is used for BullMQ, which is how we schedule backups
# We use this instead of, for instance cron jobs, as it lets us deal with failures
- name: REDIS_HOSTNAME
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: hostname
- name: REDIS_PORT
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cache-configmap
key: port
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cache-credentials
key: password
{{- if .Values.passVault.create.snapshotServer.enabled }}
volumeMounts:
# Mount for a shared volume for Vault credentials
# This is separate from the app's `role vars` volume because it includes other credentials
# In particular, the unseal keys which we require when/if we restore from the backup
# This volume is also read-only where the `role-vars` is read-write (see description below for why)
- name: creds
mountPath: /vault-creds
readOnly: true
# Mount for a shared volume for the Vault's role variables for the app
# This is required by the backup sidecar because if a restart of the app occurs AFTER a vault has been reset (ex. vault using a different container instance),
# despite the vault data being restored the app would receive incorrect credentials (because this is ONLY written during setup of the vault)
# The backup sidecar mitigates this by doing it's own write (to overwrite) once it's done a restore
- name: role-vars
mountPath: /role_vars
{{- end }}
{{- end }}
{{- if .Values.vault.create.enabled }}
volumes:
- name: role-vars
persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-role-vars
{{- if .Values.vault.create.snapshotServer.enabled }}
- name: creds
persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-creds
{{- end }}
{{- end }}
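Review bot: The backup sidecar's `VAULT_NAME` reads `secretKeyRef.name: {{ .Release.Name }}-pass-vault-secret`, but the only vault Secret rendered in this commit is `{{ .Release.Name }}-vault-secret`, so with `vault.create.snapshotServer.enabled` the sidecar sits in CreateContainerConfigError; the same stale prefix appears in the `{{- if .Values.passVault.create.snapshotServer.enabled }}` guard on its volumeMounts, which every other guard in the file spells `.Values.vault.create…` and which aborts rendering with a nil-pointer error if `passVault` is absent from values. `name: {{ .Release.Name }}-vault-secret` and `{{- if .Values.vault.create.snapshotServer.enabled }}` bring both in line with the `volumes` block at the bottom. `{{- if ne .Values.container.restoreFromBackup "" }}` does not do what the comment above it says when the key is unset: nil compares as not-equal to `""`, so `RESTORE_FROM_BACKUP` is emitted with no value; `{{- if .Values.container.restoreFromBackup }}` covers unset and empty alike. None of the three containers declares `securityContext` or `resources`; given the payment-provider and vault credentials in their environment, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` plus CPU/memory limits are the minimum I would add before this ships.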

21
templates/ingress.yaml Normal file

@ -0,0 +1,21 @@
{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: {{ .Values.ingress.host }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
ingressClassName: {{ .Values.ingress.class }}
{{- end -}}
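Review bot: The Ingress has no `tls:` stanza, so the application host is served over plain HTTP unless the controller forces TLS globally — and this app carries OAuth and payment-provider credentials. A `tls:` block listing `.Values.ingress.host` and a values-supplied certificate secret name (whatever key the chart's values settle on) lets deployers opt in without editing the template. `nginx.ingress.kubernetes.io/rewrite-target: /` combined with `path: /` is a no-op and ties the chart to the nginx controller even though `ingressClassName` is parameterized; dropping the annotation loses nothing.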


@ -0,0 +1,10 @@
{{- if .Values.loggingSidecar.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-logging-sidecar-credentials
labels:
app: {{ .Values.loggingSidecar.name }}
data:
username: {{ .Values.loggingSidecar.auth.username | quote }}
{{- end -}}


@ -0,0 +1,11 @@
{{- if .Values.loggingSidecar.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-logging-sidecar-password
labels:
app: {{ .Values.loggingSidecar.name }}
type: opaque
data:
password: {{ .Values.loggingSidecar.auth.password | b64enc | quote }}
{{- end -}}


@ -0,0 +1,20 @@
{{- if .Values.thirdParty.moneris.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-moneris-secret
labels:
app: {{ .Release.Name }}
type: Opaque
data:
merchant-id: {{ .Values.thirdParty.moneris.merchantId | b64enc }}
store-id: {{ .Values.thirdParty.moneris.storeId | b64enc }}
ht-profile-id: {{ .Values.thirdParty.moneris.htProfileId | b64enc }}
app-id: {{ .Values.thirdParty.moneris.appId | b64enc }}
app-secret: {{ .Values.thirdParty.moneris.appSecret | b64enc }}
test-merchant-id: {{ .Values.thirdParty.moneris.testMerchantId | b64enc }}
test-store-id: {{ .Values.thirdParty.moneris.testStoreId | b64enc }}
test-ht-profile-id: {{ .Values.thirdParty.moneris.testHtProfileId | b64enc }}
test-app-id: {{ .Values.thirdParty.moneris.testAppId | b64enc }}
test-app-secret: {{ .Values.thirdParty.moneris.testAppSecret | b64enc }}
{{- end -}}


@ -0,0 +1,15 @@
{{- if eq .Values.nosql.type "mongodb" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-mongo-credentials
type: Opaque
data:
user: {{ .Values.nosql.user | b64enc }}
password: {{ .Values.nosql.password | b64enc }}
{{- if and (.Values.nosql.connectionString) (not .values.nosql.create) }}
connection-string: {{ .Values.nosql.connectionString | b64enc }}
{{- else if .Values.nosql.create }}
connection-string: {{ printf "mongodb://%s:%s@%s-mongo-svc.%s.svc.cluster.local:27017/%s?replicaSet=%s-mongo" .Values.nosql.user .Values.nosql.password .Release.Name .Release.Namespace .Values.nosql.name .Release.Name | b64enc }}
{{- end }}
{{- end -}}
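Review bot: `{{- if and (.Values.nosql.connectionString) (not .values.nosql.create) }}` uses lowercase `.values`, which is not the chart values object; Go templates resolve it to nil and the chained `.nosql` lookup aborts rendering with a nil-pointer error whenever `nosql.connectionString` is set. It should read `(not .Values.nosql.create)`. The `printf` on the `else if` branch splices `nosql.user` and `nosql.password` into the URI verbatim, so a password containing `@`, `:`, `/` or `?` yields a connection string that parses wrongly; passing each through Go's built-in `urlquery` first (`(.Values.nosql.user | urlquery)`, `(.Values.nosql.password | urlquery)`) keeps the URI well-formed.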


@ -0,0 +1,16 @@
{{- if and (eq .Values.nosql.type "mongodb") (.Values.nosql.create) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: mongodb-database
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: mongodb-database
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: mongodb-database
namespace: {{ .Release.Namespace }}
apiGroup: rbac.authorization.k8s.io
{{- end -}}
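Review bot: `roleRef` carries a `namespace:` key, but the `rbac.authorization.k8s.io/v1` RoleRef type has only `apiGroup`, `kind` and `name`; kubectl's strict field validation rejects the object for the unknown field and lenient clients silently drop it, so the line should go. A RoleBinding is namespace-scoped and binds to a Role in its own namespace, which is exactly what the Role template in this commit creates. The Role, RoleBinding and ServiceAccount all use the fixed name `mongodb-database`, so two releases of this chart in one namespace collide on them — possibly required by the MongoDB community operator's defaults, which I can't confirm from here; if not, prefixing with `{{ .Release.Name }}` avoids it.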


@ -0,0 +1,22 @@
{{- if and (eq .Values.nosql.type "mongodb") (.Values.nosql.create) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: mongodb-database
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
resources:
- pods
verbs:
- patch
- delete
- get
{{- end -}}


@ -0,0 +1,7 @@
{{- if and (eq .Values.nosql.type "mongodb") (.Values.nosql.create) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: mongodb-database
namespace: {{ .Release.Namespace }}
{{- end -}}

31
templates/mongo.yaml Normal file

@ -0,0 +1,31 @@
{{- if and (eq .Values.nosql.type "mongodb") (.Values.nosql.create) -}}
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: {{ .Release.Name }}-mongo
namespace: {{ .Release.Namespace }}
spec:
members: {{ .Values.nosql.replicaCount }}
type: ReplicaSet
version: 4.4.0
security:
authentication:
ignoreUnknownUsers: true
modes:
- SCRAM
tls:
enabled: {{ .Values.nosql.tls.enabled }}
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 10
users:
- name: {{ .Values.nosql.user }}
db: {{ .Values.nosql.name }}
passwordSecretRef:
name: {{ .Release.Name }}-mongo-credentials
key: password
roles:
- name: readWrite
db: {{ .Values.nosql.name }}
scramCredentialsSecretName: {{ .Release.Name }}-mongo-scram
{{- end -}}
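Review bot: `version: 4.4.0` is hard-coded and MongoDB 4.4 is past end of life, so every deployer of this chart gets an unsupported server with no way to change it from values. `version: {{ .Values.nosql.version | default "4.4.0" | quote }}` (constructed key name `nosql.version`) keeps today's behaviour and lets it be raised; the `quote` matters because a two-component value such as `7.0` would otherwise be read as a float. `tls.enabled` is the only TLS setting rendered, so if the operator's TLS mode needs a CA or certificate secret reference those fields are missing here — not confirmable from this hunk.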


@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-nosql-grouping
labels:
app: {{ .Release.Name }}
data:
access-properties: {{ .Values.nosql.grouping.accessProperties }}
locales: {{ .Values.nosql.grouping.locales }}
order-properties: {{ .Values.nosql.grouping.orderProperties }}
price-properties: {{ .Values.nosql.grouping.priceProperties }}
service-category-properties: {{ .Values.nosql.grouping.serviceCategoryProperties }}
service-properties: {{ .Values.nosql.grouping.serviceProperties }}


@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-oauth-credentials
labels:
app: {{ .Release.Name }}
data:
base-app-url: {{ .Values.oauth.baseAppUrl }}
app-abbreviation: {{ .Values.oauth.appAbbreviation }}
app-name: {{ .Values.oauth.appName }}
service-name: {{ .Values.oauth.serviceName }}
dev-port: {{ .Values.oauth.devPort | quote }}


@ -0,0 +1,49 @@
{{- if and (eq .Values.cache.type "redis") (.Values.cache.create) -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-redis
labels:
app: redis
spec:
replicas: {{ .Values.cache.replicaCount }}
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: {{ .Values.cache.image.repository | default "bitnami/redis" }}:{{ .Values.cache.image.tag | default "7.0.5" }}
ports:
- containerPort: {{ .Values.cache.port }}
{{- if .Values.cache.tls.enabled }}
- containerPort: {{ .Values.cache.tls.port }}
{{- end }}
env:
- name: ALLOW_EMPTY_PASSWORD
value: "false"
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cache-credentials
key: password
- name: REDIS_DISABLE_COMMANDS
value: "FLUSHDB,FLUSHALL"
# TLS configuration
#- name: REDIS_TLS_ENABLED
# value: "{{ .Values.cache.tls.enabled }}"
#- name: REDIS_TLS_AUTH_CLIENTS
# value: "yes"
#- name: REDIS_TLS_PORT_NUMBER
# value: "{{ .Values.cache.tls.port }}"
volumeMounts:
- name: redis-data
mountPath: /bitnami/redis
volumes:
- name: redis-data
emptyDir: {}
{{- end -}}
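Review bot: `cache.tls.enabled` opens a second `containerPort`, but the three `REDIS_TLS_*` env vars that would make the image listen on it are commented out, so the flag advertises TLS that is not configured and the redis Service in this commit does not expose that port either; either restore the env block or drop the conditional port until TLS is wired up. `replicas: {{ .Values.cache.replicaCount }}` fronts N independent Redis processes, each with its own `emptyDir`, behind one ClusterIP — with no replication configured, any value above 1 gives callers an inconsistent cache, and the BullMQ queue the backup sidecar relies on would be split across instances. This container also lacks `resources` and a `securityContext`, like the main Deployment.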


@ -0,0 +1,15 @@
{{- if and (eq .Values.cache.type "redis") (.Values.cache.create) -}}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-redis
labels:
app: redis
spec:
ports:
- port: {{ .Values.cache.port }}
targetPort: {{ .Values.cache.port }}
selector:
app: redis
type: ClusterIP
{{- end -}}

11
templates/service.yaml Normal file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
spec:
selector:
app: {{ .Release.Name }}
ports:
- protocol: TCP
port: 80
targetPort: {{ .Values.container.port }}


@ -0,0 +1,14 @@
{{- if .Values.thirdParty.stripe.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-stripe-secret
labels:
app: {{ .Release.Name }}
type: Opaque
data:
public-key: {{ .Values.thirdParty.stripe.publicKey | b64enc }}
secret-key: {{ .Values.thirdParty.stripe.secretKey | b64enc }}
test-public-key: {{ .Values.thirdParty.stripe.testPublicKey | b64enc }}
test-secret-key: {{ .Values.thirdParty.stripe.testSecretKey | b64enc }}
{{- end -}}


@ -0,0 +1,15 @@
{{- if .Values.vault.create.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-vault-creds
labels:
app: {{ .Release.Name }}-vault
spec:
storageClassName: {{ .Values.vault.storage.storageClass }}
accessModes:
- ReadWriteMany
resources:
requests:
storage: {{ .Values.vault.create.storage.size }}
{{- end -}}
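Review bot: `storageClassName: {{ .Values.vault.storage.storageClass }}` reads a different values path from the `storage:` line just below it (`.Values.vault.create.storage.size`) and from the role-vars PVC in this commit, which uses `.Values.vault.create.storage.storageClass`; whichever path is absent from values renders empty and falls back to the cluster default class, so the two PVCs can silently land on different storage. Change it to `storageClassName: {{ .Values.vault.create.storage.storageClass }}`. Both PVCs request `ReadWriteMany`, which many storage classes do not offer — worth a comment in values.yaml.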


@ -0,0 +1,66 @@
{{- if and (.Values.vault.create.enabled) (eq .Values.vault.type "hashicorp") -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-vault
labels:
app: {{ .Release.Name }}-vault
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-vault
template:
metadata:
labels:
app: {{ .Release.Name }}-vault
spec:
containers:
- name: {{ .Release.Name }}-vault
image: {{ .Values.vault.create.image.repository }}:{{ .Values.vault.create.image.tag }}
ports:
- containerPort: 8200
- containerPort: 8201
{{- if .Values.vault.create.snapshotServer.enabled }}
- containerPort: {{ .Values.vault.create.snapshotServer.internalPort }}
{{- end }}
env:
- name: VAULT_ADDR
value: http://0.0.0.0:8200
- name: POLICY_CAPABILITIES
value: {{ .Values.vault.create.policyCapabilities | join "," }}
- name: ROLE_ID_SECRET_NAME
value: VAULT_ROLE_ID
- name: SECRET_ID_SECRET_NAME
value: VAULT_SECRET_ID
{{- if .Values.vault.create.snapshotServer.enabled }}
- name: SNAPSHOT_SERVER_PORT
value: {{ .Values.vault.create.snapshotServer.internalPort | quote }}
{{- end }}
volumeMounts:
- name: vault-data
mountPath: /vault/data
- name: vault-log
mountPath: /vault/logs
- name: vault-creds
mountPath: /vault/creds
- name: vault-role-vars
mountPath: /role_vars
capAdd:
- IPC_LOCK
volumes:
- name: vault-data
emptyDir: {}
- name: vault-log
emptyDir: {}
- name: vault-creds
{{- if .Values.vault.create.snapshotServer.enabled }}
persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-creds
{{- else }}
emptyDir: {}
{{- end }}
- name: vault-role-vars
persistentVolumeClaim:
claimName: {{ .Release.Name }}-vault-role-vars
{{- end -}}
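Review bot: `capAdd:` is not a field of a Kubernetes container (it is Docker Compose syntax), so `IPC_LOCK` is never granted: strict field validation rejects the manifest, and lenient clients drop the key, leaving Vault unable to mlock its memory. The capability belongs under `securityContext.capabilities.add`, as below. `VAULT_ADDR` is `http://0.0.0.0:8200` and nothing in the chart terminates TLS in front of it, so tokens travel in cleartext inside the cluster; and `vault-data` is an `emptyDir`, so the vault's storage is lost on every pod restart — the Deployment template's comments suggest that is deliberate, but it deserves a comment here as well.
```yaml
          securityContext:
            capabilities:
              add:
                - IPC_LOCK
      # … unchanged: volumes …
```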


@ -0,0 +1,24 @@
{{- if and (.Values.vault.enabled) (eq .Values.vault.type "hashicorp") -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-vault-secret
type: opaque
data:
{{- if .Values.vault.create.enabled }}
# Because we create the Hashicorp Vault instance as part of the Helm chart,
# we can use the name of the created resource (utilizing k8s built-in container connections)
# to connect to the Vault instance without having to hard-code the Vault name.
vault-name: {{ printf "%s-vault" .Release.Name | b64enc }}
# Because we create the Hashicorp Vault instance as part of the Helm chart,
# We know the port that the Vault instance is running on.
vault-port: {{ printf "%d" 80 | b64enc }}
{{- else }}
# Because the Vault wasn't created as part of the Helm chart,
# we need the deployer to specify the name of the Vault instance to connect to.
vault-name: {{ .Values.vault.vaultName | b64enc }}
# Because the Vault wasn't created as part of the Helm chart,
# we need the deployer to specify the port that the Vault instance is running on.
vault-port: {{ .Values.passVault.vaultPort | b64enc }}
{{- end }}
{{- end -}}
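Review bot: `vault-port: {{ .Values.passVault.vaultPort | b64enc }}` reads `passVault` where the line above reads `.Values.vault.vaultName` and the rest of the chart uses `.Values.vault`; if `passVault` is absent from values this branch aborts rendering with a nil-pointer error. Since a port is naturally written as a number in values and `b64enc` only accepts strings, `vault-port: {{ .Values.vault.vaultPort | toString | b64enc }}` accepts a numeric or quoted value. `type: opaque` should be `Opaque` to match the other Secrets.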


@ -0,0 +1,21 @@
{{- if .Values.vault.create.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}-vault-ingress
labels:
app: {{ .Release.Name }}-vault
spec:
ingressClassName: nginx
rules:
- host: {{ .Values.vault.create.ingress.host }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}-vault
port:
number: 80
{{- end -}}
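Review bot: This exposes the Vault HTTP API at `/` on `vault.create.ingress.host` with no `tls:` stanza, so Vault tokens and secrets cross the ingress in cleartext unless the controller forces HTTPS globally; an ingress to Vault should carry TLS from a values-supplied certificate secret, or be dropped in favour of in-cluster access only. `ingressClassName: nginx` is hard-coded while the app Ingress reads `.Values.ingress.class`; `ingressClassName: {{ .Values.ingress.class }}` keeps the two consistent.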


@ -0,0 +1,15 @@
{{- if .Values.vault.create.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-vault-role-vars
labels:
app: {{ .Release.Name }}-vault
spec:
storageClassName: {{ .Values.vault.create.storage.storageClass }}
accessModes:
- ReadWriteMany
resources:
requests:
storage: {{ .Values.vault.create.storage.size }}
{{- end -}}


@ -0,0 +1,22 @@
{{- if .Values.vault.create.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-vault
labels:
app: {{ .Release.Name }}-vault
spec:
selector:
app: {{ .Release.Name }}-vault
ports:
{{- if .Values.vault.create.snapshotServer.enabled }}
- name: custom-snapshot-server
protocol: TCP
port: {{ .Values.vault.create.snapshotServer.externalPort }}
targetPort: {{ .Values.vault.create.snapshotServer.internalPort }}
{{- end }}
- name: http
protocol: TCP
port: 80
targetPort: 8200
{{- end -}}
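Review bot: The port name `custom-snapshot-server` is 22 characters, but Service port names must be valid IANA service names of at most 15 characters, so the API server rejects this Service whenever `vault.create.snapshotServer.enabled` is set. `name: snapshot` (any name of 15 characters or fewer) fixes it; nothing visible in this commit references the port by name.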


@ -0,0 +1,8 @@
{{- if .Values.vault.create.snapshotServer.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-vault-snapshot-config
data:
port: {{ .Values.vault.create.snapshotServer.externalPort | quote }}
{{- end -}}