From aeef8276c78b3ce7053646a279b367f76d0de850 Mon Sep 17 00:00:00 2001 From: Andrey Zhavoronkov Date: Fri, 23 Dec 2022 13:46:25 +0200 Subject: [PATCH] Updated documentation "How to use preexisting secrets for external DB and Redis" (#5505) --- cvat/settings/production.py | 2 +- helm-chart/Chart.yaml | 6 +- helm-chart/templates/cvat-postgres-secret.yml | 11 ++- helm-chart/templates/cvat-redis-secret.yml | 12 +++ .../cvat_worker_webhooks/deployment.yml | 36 ++++---- .../cvat_backend/server/deployment.yml | 36 ++++---- .../cvat_backend/utils/deployment.yml | 36 ++++---- .../worker_default/deployment.yml | 36 ++++---- .../cvat_backend/worker_low/deployment.yml | 36 ++++---- helm-chart/values.yaml | 23 +++--- .../advanced/k8s_deployment_with_helm.md | 82 ++++++++++++++++++- supervisord/utils.conf | 2 +- 12 files changed, 198 insertions(+), 120 deletions(-) create mode 100644 helm-chart/templates/cvat-redis-secret.yml diff --git a/cvat/settings/production.py b/cvat/settings/production.py index 9b8d21fc..3288a93d 100644 --- a/cvat/settings/production.py +++ b/cvat/settings/production.py @@ -11,9 +11,9 @@ INSTALLED_APPS += [ ] NUCLIO['HOST'] = os.getenv('CVAT_NUCLIO_HOST', 'nuclio') - for key in RQ_QUEUES: RQ_QUEUES[key]['HOST'] = os.getenv('CVAT_REDIS_HOST', 'cvat_redis') + RQ_QUEUES[key]['PASSWORD'] = os.getenv('CVAT_REDIS_PASSWORD', '') # Django-sendfile: # https://github.com/moggers87/django-sendfile2 diff --git a/helm-chart/Chart.yaml b/helm-chart/Chart.yaml index a7a64934..53bebece 100644 --- a/helm-chart/Chart.yaml +++ b/helm-chart/Chart.yaml 
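Review bot: The `''` fallback on the added `RQ_QUEUES[key]['PASSWORD']` line makes a missing `CVAT_REDIS_PASSWORD` look the same as a deliberately password-less Redis, so a deployment that failed to inject the secret is not flagged at startup. I would read the variable once above the loop and document the fallback, e.g. `redis_password = os.getenv('CVAT_REDIS_PASSWORD', '')  # empty: connect without a password (dev/compose setups)`, then assign `RQ_QUEUES[key]['PASSWORD'] = redis_password`. How the queue backend treats an empty password is not visible in this hunk, so that behaviour is worth confirming rather than assuming.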
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.5 +version: 0.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -26,12 +26,12 @@ appVersion: latest dependencies: - name: redis - version: "16.13.*" + version: "17.3.*" repository: https://charts.bitnami.com/bitnami condition: redis.enabled - name: postgresql - version: "10.16.*" + version: "12.1.*" repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled diff --git a/helm-chart/templates/cvat-postgres-secret.yml b/helm-chart/templates/cvat-postgres-secret.yml index fcfb6b9f..a44dac4d 100644 --- a/helm-chart/templates/cvat-postgres-secret.yml +++ b/helm-chart/templates/cvat-postgres-secret.yml @@ -8,10 +8,9 @@ metadata: {{- include "cvat.labels" . | nindent 4 }} type: generic stringData: - postgresql-hostname: "{{ .Release.Name }}-postgresql" - postgresql-database: {{ .Values.postgresql.postgresqlDatabase }} - postgresql-username: {{ .Values.postgresql.postgresqlUsername }} - postgresql-password: {{ .Values.postgresql.secret.password }} - postgresql-postgres-password: {{ .Values.postgresql.secret.postgres_password }} - postgresql-replication-password: {{ .Values.postgresql.secret.replication_password }} + database: {{ .Values.postgresql.auth.database }} + username: {{ .Values.postgresql.auth.username }} + password: {{ .Values.postgresql.secret.password }} + postgres-password: {{ .Values.postgresql.secret.postgres_password }} + replication-password: {{ .Values.postgresql.secret.replication_password }} {{- end }} 
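Review bot: The values rendered under `stringData` in `cvat-postgres-secret.yml` are not quoted, so a password that YAML does not read as a plain string (all digits, a leading `*`, `&`, `!` or `#`, or an embedded `: `) is either rejected at render/apply time or stored with a different value than the operator set. Pipe each one through `quote`, e.g. `password: {{ .Values.postgresql.secret.password | quote }}`, and likewise for `postgres-password` and `replication-password`. The new `cvat-redis-secret.yml` template has the same pattern on its `redis-password` line. The `{{- if ... }}` that opens this template is above the hunk.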
diff --git a/helm-chart/templates/cvat-redis-secret.yml b/helm-chart/templates/cvat-redis-secret.yml
new file mode 100644
index 00000000..d2c0a771
--- /dev/null
+++ b/helm-chart/templates/cvat-redis-secret.yml
@@ -0,0 +1,12 @@
+{{- if .Values.redis.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ tpl (.Values.redis.secret.name) . }}"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "cvat.labels" . | nindent 4 }}
+type: generic
+stringData:
+ redis-password: {{ .Values.redis.secret.password }}
+{{- end }}
diff --git a/helm-chart/templates/cvat_backend/cvat_worker_webhooks/deployment.yml b/helm-chart/templates/cvat_backend/cvat_worker_webhooks/deployment.yml
index 20e68177..402a6287 100644
--- a/helm-chart/templates/cvat_backend/cvat_worker_webhooks/deployment.yml
+++ b/helm-chart/templates/cvat_backend/cvat_worker_webhooks/deployment.yml
@@ -59,39 +59,37 @@ spec: - name: CVAT_REDIS_HOST value: "{{ .Values.redis.external.host }}" {{- end }} - {{- if .Values.postgresql.enabled }} - - name: CVAT_POSTGRES_HOST + - name: CVAT_REDIS_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-hostname + name: "{{ tpl (.Values.redis.secret.name) . }}" + key: redis-password + {{- if .Values.postgresql.enabled }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Release.Name }}-postgresql" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.service.ports.postgresql }}" + {{- else }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Values.postgresql.external.host }}" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.external.port }}" + {{- end }} - name: CVAT_POSTGRES_USER valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-username + key: username - name: CVAT_POSTGRES_DBNAME valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-database + key: database - name: CVAT_POSTGRES_PASSWORD valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-password - {{- else }} - - name: CVAT_POSTGRES_HOST - value: "{{ .Values.postgresql.external.host }}" - - name: CVAT_POSTGRES_USER - value: "{{ .Values.postgresql.external.user }}" - - name: CVAT_POSTGRES_DBNAME - value: "{{ .Values.postgresql.external.dbname }}" - - name: CVAT_POSTGRES_PASSWORD - value: "{{ .Values.postgresql.external.password }}" - - name: CVAT_POSTGRES_PORT - value: "{{ .Values.postgresql.external.port }}" - {{- end }} + key: password {{- with .Values.cvat.backend.worker.webhooks.additionalEnv }} {{- toYaml . | nindent 10 }} {{- end }} diff --git a/helm-chart/templates/cvat_backend/server/deployment.yml b/helm-chart/templates/cvat_backend/server/deployment.yml index 688400e0..1afd05c1 100644 --- a/helm-chart/templates/cvat_backend/server/deployment.yml 
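Review bot: The added `CVAT_REDIS_PASSWORD` entry references the Redis secret unconditionally, so a release with `redis.secret.create: false` and no pre-created secret carrying a `redis-password` key leaves the pod unable to start on an unresolved `secretKeyRef`. The PostgreSQL refs have the same exposure now that they expect `username`/`database`/`password` instead of the `postgresql-*` keys, which breaks user-managed secrets carried over from the previous chart version. Failing closed is reasonable for credentials, but it should be stated where operators will see it, for example a template comment above the entry such as `{{- /* requires secret redis.secret.name with key redis-password; created only when redis.secret.create is true */}}` plus an upgrade note listing the renamed keys. The identical block is added in the server, utils, worker_default and worker_low deployments, and the enclosing container spec starts and ends outside the hunk.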
+++ b/helm-chart/templates/cvat_backend/server/deployment.yml @@ -89,39 +89,37 @@ spec: - name: CVAT_REDIS_HOST value: "{{ .Values.redis.external.host }}" {{- end }} - {{- if .Values.postgresql.enabled }} - - name: CVAT_POSTGRES_HOST + - name: CVAT_REDIS_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-hostname + name: "{{ tpl (.Values.redis.secret.name) . }}" + key: redis-password + {{- if .Values.postgresql.enabled }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Release.Name }}-postgresql" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.service.ports.postgresql }}" + {{- else }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Values.postgresql.external.host }}" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.external.port }}" + {{- end }} - name: CVAT_POSTGRES_USER valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-username + key: username - name: CVAT_POSTGRES_DBNAME valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-database + key: database - name: CVAT_POSTGRES_PASSWORD valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-password - {{- else }} - - name: CVAT_POSTGRES_HOST - value: "{{ .Values.postgresql.external.host }}" - - name: CVAT_POSTGRES_USER - value: "{{ .Values.postgresql.external.user }}" - - name: CVAT_POSTGRES_DBNAME - value: "{{ .Values.postgresql.external.dbname }}" - - name: CVAT_POSTGRES_PASSWORD - value: "{{ .Values.postgresql.external.password }}" - - name: CVAT_POSTGRES_PORT - value: "{{ .Values.postgresql.external.port }}" - {{- end }} + key: password {{- if .Values.nuclio.enabled }} - name: CVAT_SERVERLESS value: "1" diff --git a/helm-chart/templates/cvat_backend/utils/deployment.yml b/helm-chart/templates/cvat_backend/utils/deployment.yml index 7dd19d7b..94e433f1 100644 --- a/helm-chart/templates/cvat_backend/utils/deployment.yml 
+++ b/helm-chart/templates/cvat_backend/utils/deployment.yml @@ -60,39 +60,37 @@ spec: - name: CVAT_REDIS_HOST value: "{{ .Values.redis.external.host }}" {{- end }} - {{- if .Values.postgresql.enabled }} - - name: CVAT_POSTGRES_HOST + - name: CVAT_REDIS_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-hostname + name: "{{ tpl (.Values.redis.secret.name) . }}" + key: redis-password + {{- if .Values.postgresql.enabled }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Release.Name }}-postgresql" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.service.ports.postgresql }}" + {{- else }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Values.postgresql.external.host }}" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.external.port }}" + {{- end }} - name: CVAT_POSTGRES_USER valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-username + key: username - name: CVAT_POSTGRES_DBNAME valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-database + key: database - name: CVAT_POSTGRES_PASSWORD valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-password - {{- else }} - - name: CVAT_POSTGRES_HOST - value: "{{ .Values.postgresql.external.host }}" - - name: CVAT_POSTGRES_USER - value: "{{ .Values.postgresql.external.user }}" - - name: CVAT_POSTGRES_DBNAME - value: "{{ .Values.postgresql.external.dbname }}" - - name: CVAT_POSTGRES_PASSWORD - value: "{{ .Values.postgresql.external.password }}" - - name: CVAT_POSTGRES_PORT - value: "{{ .Values.postgresql.external.port }}" - {{- end }} + key: password {{- if .Values.nuclio }} - name: CVAT_SERVERLESS value: "1" diff --git a/helm-chart/templates/cvat_backend/worker_default/deployment.yml b/helm-chart/templates/cvat_backend/worker_default/deployment.yml index 2ab187b5..253674b7 100644 
--- a/helm-chart/templates/cvat_backend/worker_default/deployment.yml +++ b/helm-chart/templates/cvat_backend/worker_default/deployment.yml @@ -59,39 +59,37 @@ spec: - name: CVAT_REDIS_HOST value: "{{ .Values.redis.external.host }}" {{- end }} - {{- if .Values.postgresql.enabled }} - - name: CVAT_POSTGRES_HOST + - name: CVAT_REDIS_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-hostname + name: "{{ tpl (.Values.redis.secret.name) . }}" + key: redis-password + {{- if .Values.postgresql.enabled }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Release.Name }}-postgresql" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.service.ports.postgresql }}" + {{- else }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Values.postgresql.external.host }}" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.external.port }}" + {{- end }} - name: CVAT_POSTGRES_USER valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-username + key: username - name: CVAT_POSTGRES_DBNAME valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-database + key: database - name: CVAT_POSTGRES_PASSWORD valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-password - {{- else }} - - name: CVAT_POSTGRES_HOST - value: "{{ .Values.postgresql.external.host }}" - - name: CVAT_POSTGRES_USER - value: "{{ .Values.postgresql.external.user }}" - - name: CVAT_POSTGRES_DBNAME - value: "{{ .Values.postgresql.external.dbname }}" - - name: CVAT_POSTGRES_PASSWORD - value: "{{ .Values.postgresql.external.password }}" - - name: CVAT_POSTGRES_PORT - value: "{{ .Values.postgresql.external.port }}" - {{- end }} + key: password {{- if .Values.nuclio }} - name: CVAT_SERVERLESS value: "1" 
diff --git a/helm-chart/templates/cvat_backend/worker_low/deployment.yml b/helm-chart/templates/cvat_backend/worker_low/deployment.yml index 08ef0340..37883c78 100644 --- a/helm-chart/templates/cvat_backend/worker_low/deployment.yml +++ b/helm-chart/templates/cvat_backend/worker_low/deployment.yml 
@@ -59,39 +59,37 @@ spec: - name: CVAT_REDIS_HOST value: "{{ .Values.redis.external.host }}" {{- end }} - {{- if .Values.postgresql.enabled }} - - name: CVAT_POSTGRES_HOST + - name: CVAT_REDIS_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-hostname + name: "{{ tpl (.Values.redis.secret.name) . }}" + key: redis-password + {{- if .Values.postgresql.enabled }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Release.Name }}-postgresql" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.service.ports.postgresql }}" + {{- else }} + - name: CVAT_POSTGRES_HOST + value: "{{ .Values.postgresql.external.host }}" + - name: CVAT_POSTGRES_PORT + value: "{{ .Values.postgresql.external.port }}" + {{- end }} - name: CVAT_POSTGRES_USER valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-username + key: username - name: CVAT_POSTGRES_DBNAME valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-database + key: database - name: CVAT_POSTGRES_PASSWORD valueFrom: secretKeyRef: name: "{{ tpl (.Values.postgresql.secret.name) . }}" - key: postgresql-password - {{- else }} - - name: CVAT_POSTGRES_HOST - value: "{{ .Values.postgresql.external.host }}" - - name: CVAT_POSTGRES_USER - value: "{{ .Values.postgresql.external.user }}" - - name: CVAT_POSTGRES_DBNAME - value: "{{ .Values.postgresql.external.dbname }}" - - name: CVAT_POSTGRES_PASSWORD - value: "{{ .Values.postgresql.external.password }}" - - name: CVAT_POSTGRES_PORT - value: "{{ .Values.postgresql.external.port }}" - {{- end }} + key: password {{- if .Values.nuclio }} - name: CVAT_SERVERLESS value: "1" diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 1a8a8e66..2fd01529 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml 
@@ -185,23 +185,20 @@ postgresql: external: host: 127.0.0.1 port: 5432 - user: postgres - password: postgres - dbname: cvat # If not external following config will be applied by default - global: - postgresql: - existingSecret: "{{ .Release.Name }}-postgres-secret" + auth: + existingSecret: "{{ .Release.Name }}-postgres-secret" + username: cvat + database: cvat + service: + ports: + postgresql: 5432 secret: create: true name: "{{ .Release.Name }}-postgres-secret" password: cvat_postgresql postgres_password: cvat_postgresql_postgres replication_password: cvat_postgresql_replica - postgresqlDatabase: cvat - postgresqlUsername: cvat - service: - port: 5432 redis: #See https://github.com/bitnami/charts/blob/master/bitnami/redis/ for more info @@ -209,7 +206,11 @@ redis: external: host: 127.0.0.1 auth: - enabled: false + existingSecret: "{{ .Release.Name }}-redis-secret" + secret: + create: true + name: "{{ .Release.Name }}-redis-secret" + password: cvat_redis cluster: enabled: false diff --git a/site/content/en/docs/administration/advanced/k8s_deployment_with_helm.md b/site/content/en/docs/administration/advanced/k8s_deployment_with_helm.md index e0955b59..f7003148 100644 --- a/site/content/en/docs/administration/advanced/k8s_deployment_with_helm.md +++ b/site/content/en/docs/administration/advanced/k8s_deployment_with_helm.md 
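Review bot: `redis.secret.password: cvat_redis` together with `create: true` means every install that does not override it protects Redis with a password that anyone who has read the chart knows. At minimum the key deserves a comment such as `# Evaluation default only: override it, or set create: false and point name at a pre-created secret`, matching what the documentation change in this patch describes. A stronger option is to leave the default empty and have the secret template generate a random value on first install. The PostgreSQL `secret.password` defaults visible in the first hunk follow the same pattern.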
@@ -226,9 +226,85 @@ See ``` ### How to understand what diff will be inflicted by 'helm upgrade'? You can use for that -### I want to use my own postgresql/redis with your chart. -Just set `postgresql.enabled` or `redis.enabled` to `false`, as described below. -Then - put your instance params to "external" field +### I want to use my own postgresql with your chart. +Just set `postgresql.enabled` to `false` in the override file, then put the parameters of your database +instance in the `external` field. +You may also need to configure `username`, `database` and `password` fields +to connect to your own database: +```yml +postgresql: + enabled: false + external: + host: postgresql.default.svc.cluster.local + port: 5432 + auth: + username: cvat + database: cvat + secret: + password: cvat_postgresql +``` +In example above corresponding secret will be created automatically, but if you want to use existing secret change `secret.create` to `false` and set `name` of existing secret: +```yml +postgresql: + enabled: false + external: + host: postgresql.default.svc.cluster.local + port: 5432 + secret: + create: false + name: "my-postgresql-secret" +``` +The secret must contain the `database`, `username` and `password` +keys to access to the database +like: +```yml +apiVersion: v1 +kind: Secret +metadata: + name: "my-postgresql-secret" + namespace: default +type: generic +stringData: + database: cvat + username: cvat + password: secretpassword +``` + +### I want to use my own redis with your chart. +Just set `redis.enabled` to `false` in the override file, then put the parameters of your Redis +instance in the `external` field. 
+You may also need to configure `password` field to connect to your own Redis: +```yml +redis: + enabled: false + external: + host: redis.hostname.local + secret: + password: cvat_redis +``` +In the above example the corresponding secret will be created automatically, but if you want to use an existing secret +change `secret.create` to `false` and set `name` of the existing secret: +```yml +redis: + enabled: false + external: + host: redis.hostname.local + secret: + create: false + name: "my-redis-secret" +``` +The secret must contain the `redis-password` key like: +```yml +apiVersion: v1 +kind: Secret +metadata: + name: "my-redis-secret" + namespace: default +type: generic +stringData: + redis-password: secretpassword +``` + ### I want to override some settings in values.yaml. Just create file `values.override.yaml` and place your changes here, using same structure as in `values.yaml`. Then reference it in helm update/install command using `-f` flag diff --git a/supervisord/utils.conf b/supervisord/utils.conf index 6ed7d04d..d5bfafd1 100644 --- a/supervisord/utils.conf +++ b/supervisord/utils.conf @@ -30,7 +30,7 @@ numprocs=1 [program:rqscheduler] command=%(ENV_HOME)s/wait-for-it.sh %(ENV_CVAT_REDIS_HOST)s:6379 -t 0 -- bash -ic \ - "python3 /opt/venv/bin/rqscheduler --host %(ENV_CVAT_REDIS_HOST)s -i 30" + "python3 /opt/venv/bin/rqscheduler --host %(ENV_CVAT_REDIS_HOST)s --password %(ENV_CVAT_REDIS_PASSWORD)s -i 30" environment=SSH_AUTH_SOCK="/tmp/ssh-agent.sock" numprocs=1
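Review bot: Passing `--password %(ENV_CVAT_REDIS_PASSWORD)s` on the `rqscheduler` command line in `supervisord/utils.conf` puts the Redis password in the container's process list, and because the value is spliced unquoted into the `bash -ic "..."` string, a password containing spaces or shell metacharacters is reinterpreted by the shell. Handing the secret over through the environment avoids both; rqscheduler appears to read `RQ_REDIS_PASSWORD`, so the existing `environment=` line could carry `RQ_REDIS_PASSWORD="%(ENV_CVAT_REDIS_PASSWORD)s"` instead, to be verified against the installed rq-scheduler version. Separately, supervisord refuses to expand `%(ENV_...)s` for a variable that is not set, and this patch only wires `CVAT_REDIS_PASSWORD` into the Helm deployments, so other environments would presumably need the variable exported (even if empty) for this program to start.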