Merge pull request #247 from bcgov/feature/VDYP-751

Feature/vdyp 751 Remove bitnami references

Author: pminter-vivid

.github/workflows/.deployer.yml

@@ -141,9 +141,7 @@ jobs:
             --set global.secrets.databasePassword=${{ secrets.POSTGRES_PASSWORD }} \
             --set bitnami-pg.auth.username=${{ vars.POSTGRES_USER }} \
             --set bitnami-pg.auth.database=${{ vars.POSTGRES_DATABASE }} \
-            --set global.secrets.COMS_DB_PASSWORD=${{ secrets.COMS_DB_PASSWORD }} \
             --set global.secrets.VDYP_DB_PASSWORD=${{ secrets.VDYP_DB_PASSWORD }} \
-            --set global.secrets.BATCH_DB_PASSWORD=${{ secrets.BATCH_DB_PASSWORD }} \
             --set backend.env.QUARKUS_OIDC_AUTH_SERVER_URL=${{ secrets.VITE_SSO_AUTH_SERVER_URL }}/realms/${{ secrets.VITE_SSO_REALM }} \
             --set backend.env.VDYP_DB_USER=${{ vars.VDYP_DB_USER }} \
             --set backend.env.VDYP_DB_DATABASE=${{ vars.VDYP_DB_DATABASE }} \
@@ -154,8 +152,6 @@ jobs:
             --set frontend.env.VITE_SSO_REALM=${{ secrets.VITE_SSO_REALM }} \
             --set frontend.env.VITE_SSO_REDIRECT_URI=${{ secrets.VITE_SSO_REDIRECT_URI }} \
             --set frontend.env.VITE_API_URL=${{ secrets.VITE_API_URL }} \
-            --set coms.env.DB_USERNAME=${{ vars.COMS_DB_USER }} \
-            --set coms.env.DB_DATABASE=${{ vars.COMS_DB_DATABASE }} \
             --set-string coms.image.tag=${{ vars.COMS_TAG }} \
             --set-string coms.env.OBJECTSTORAGE_ENABLED=true \
             --set-string coms.env.OBJECTSTORAGE_ACCESSKEYID=${{ vars.OBJECTSTORAGE_ACCESSKEYID }} \

.github/workflows/openshift-deploy-crunchy.yml

@@ -35,6 +35,7 @@ jobs:
           LICENSE_PLATE: 'c50504'
           #Vault path is different for prod than all other environments
           #VAULT_RESOURCE: ${{ inputs.ENVIRONMENT_NAME == 'prod' && 'prod' || 'nonprod'  }}
+          NAMESPACE: ${{ secrets.oc_namespace }}
           ENV: ${{ inputs.ENVIRONMENT_NAME }}
           DB_STORAGE: ${{ vars.DB_STORAGE }}
           DB_MAX_CPU: ${{ vars.DB_MAX_CPU }}
@@ -43,6 +44,10 @@ jobs:
           DB_WAL_VOLUME_SIZE: ${{ vars.DB_WAL_VOLUME_SIZE }}
           DB_BACKUP_VOLUME_SIZE: ${{ vars.DB_BACKUP_VOLUME_SIZE }}
           BOUNCER_REPLICAS: ${{ vars.DB_LOADBALANCER_HA_REPLICAS}}
+          COMS_DB_USER: ${{ vars.COMS_DB_ROLE}}
+          COMS_DB_NAME: ${{ vars.COMS_DB_DATABASE}}
+          BATCH_DB_USER: ${{ vars.BATCH_DB_ROLE}}
+          BATCH_DB_NAME: ${{ vars.BATCH_DB_DATABASE}}
           #S3_ENVIRONMENT: ${{ inputs.ENVIRONMENT_NAME == 'dev' && 'dev'  || (inputs.ENVIRONMENT_NAME == 'test' && 'tst' || (inputs.ENVIRONMENT_NAME == 'prod' && 'prd' || inputs.ENVIRONMENT_NAME)) }}
 
       - name: install helm

charts/app/Chart.yaml

@@ -24,12 +24,6 @@ version: 0.1.0
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
 
-dependencies:
-  - name: postgresql
-    condition: bitnami-pg.enabled
-    version: 15.5.21
-    repository: https://charts.bitnami.com/bitnami
-    alias: bitnami-pg
 maintainers:
   - name: Om Mishra
     email: omprakash.2.mishra@gov.bc.ca

charts/app/templates/coms/deployment.yaml

@@ -51,18 +51,30 @@ spec:
             - name: BASICAUTH_PASSWORD
               value: {{ .Values.coms.env.BASICAUTH_PASSWORD | quote }}
             - name: DB_PORT
-              value: "5432"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.coms.db_secret }}
+                  key: port
             - name: DB_HOST
-              value: {{$host}}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.coms.db_secret }}
+                  key: host
             - name: DB_NAME
-              value: {{.Values.coms.env.DB_DATABASE }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.coms.db_secret }}
+                  key: dbname
             - name: DB_USERNAME
-              value: {{.Values.coms.env.DB_USERNAME }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.coms.db_secret }}
+                  key: user
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}
-                  key: COMS_DB_PASSWORD
+                  name: {{ .Values.coms.db_secret }}
+                  key: password
             - name: KC_ENABLED
               value: {{ .Values.coms.env.KC_ENABLED | quote }}
             - name: KC_PUBLICKEY

charts/app/templates/knp.yaml

@@ -68,7 +68,6 @@ spec:
   podSelector:
     matchLabels:
       app.kubernetes.io/name: {{ .Values.global.databaseAlias}}
-      app.kubernetes.io/instance: {{ .Release.Name }}
   ingress:
     - ports:
         - protocol: TCP
@@ -81,6 +80,28 @@ spec:
   policyTypes:
     - Ingress
 
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-allow-coms-to-db
+  labels: {{- include "selectorLabels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Values.global.databaseAlias}}
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 5432
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: coms
+              app.kubernetes.io/instance: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -103,3 +124,5 @@ spec:
               app.kubernetes.io/instance: {{ .Release.Name }}
   policyTypes:
     - Ingress
+
+

charts/app/templates/postgres-initdb-scripts-secret.yaml

@@ -1,15 +1,11 @@
 {{- if and .Values.global.secrets .Values.global.secrets.enabled}}
 {{- $databaseUser := .Values.global.secrets.databaseUser| default "quickstart"  }}
 {{- $databasePassword := .Values.global.secrets.databasePassword | default (randAlphaNum 10) }}
-{{- $COMS_DB_PASSWORD := .Values.global.secrets.COMS_DB_PASSWORD }}
 {{- $VDYP_DB_PASSWORD := .Values.global.secrets.VDYP_DB_PASSWORD }}
-{{- $BATCH_DB_PASSWORD := .Values.global.secrets.BATCH_DB_PASSWORD }}
 {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace  .Release.Name ) | default dict }}
 {{- $secretData := (get $secretObj "data") | default dict }}
   # set below to existing secret data or generate a random one when not exists
-{{- $COMS_DB_PASSWORD = (get $secretData "COMS_DB_PASSWORD") | default ($COMS_DB_PASSWORD | b64enc) }}
 {{- $VDYP_DB_PASSWORD = (get $secretData "VDYP_DB_PASSWORD") | default ($VDYP_DB_PASSWORD | b64enc) }}
-{{- $BATCH_DB_PASSWORD = (get $secretData "$BATCH_DB_PASSWORD") | default ($BATCH_DB_PASSWORD | b64enc) }}
 {{- $databasePassword = (get $secretData "databasePassword") | default ($databasePassword | b64enc) }}
 {{- $databaseName := .Values.global.secrets.databaseName| default "quickstart" }}
 {{- $host := printf "%s-%s:5432" .Release.Name .Values.global.databaseAlias }}
@@ -43,8 +39,6 @@ data:
   POSTGRES_PASSWORD: {{ $databasePassword | quote }}
   POSTGRES_USER: {{ $databaseUser | b64enc | quote }}
   POSTGRES_DATABASE: {{ $databaseName | b64enc | quote }}
-  COMS_DB_PASSWORD: {{ $COMS_DB_PASSWORD | quote }}
   VDYP_DB_PASSWORD: {{ $VDYP_DB_PASSWORD | quote }}
-  BATCH_DB_PASSWORD: {{ $BATCH_DB_PASSWORD | quote }}
 
 {{- end }}

charts/app/templates/secret.yaml

@@ -23,7 +23,7 @@ global:
   #-- domain of the application, it is required, apps.silver.devops.gov.bc.ca for silver cluster and apps.devops.gov.bc.ca for gold cluster
   domain: "apps.silver.devops.gov.bc.ca" # it is apps.gold.devops.gov.bc.ca for gold cluster
   #-- the database Alias gives a nice way to switch to different databases, crunchy, patroni ... etc.
-  databaseAlias: bitnami-pg
+  databaseAlias: crunchy-postgres-dev
   postgresql:
     auth:
       password: unused
@@ -127,143 +127,6 @@ frontend:
     VITE_SSO_REDIRECT_URI: ~
     VITE_API_URL: ~
 
-crunchy: # enable it for TEST and PROD, for PR based pipelines simply use single postgres
-  enabled: false
-
-  crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0
-
-  postgresVersion: 15
-  postGISVersion: '3.3'
-  imagePullPolicy: Always
-  instances:
-    name: ha # high availability
-    replicas: 1 # 2 or 3 for high availability in TEST and PROD.
-    metadata:
-      annotations:
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9187'
-    dataVolumeClaimSpec:
-      storage: 120Mi
-      storageClassName: netapp-block-standard
-    requests:
-      cpu: 25m
-      memory: 256Mi
-    limits:
-      cpu: 100m
-      memory: 512Mi
-    replicaCertCopy:
-      requests:
-        cpu: 1m
-        memory: 32Mi
-      limits:
-        cpu: 50m
-        memory: 64Mi
-
-  pgBackRest:
-    enabled: false
-    image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
-    retention: "1" # Ideally a larger number such as 30 backups/days
-    # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention
-    # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration
-    retentionFullType: count
-    repos:
-      schedules:
-        full: 0 8 * * *
-        incremental: 0 0,4,12,16,20 * * *
-      volume:
-        accessModes: "ReadWriteOnce"
-        storage: 64Mi
-        storageClassName: netapp-file-backup
-    repoHost:
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-    sidecars:
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-
-  patroni:
-    postgresql:
-      pg_hba: "host all all 0.0.0.0/0 md5"
-      parameters:
-        shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod
-        wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger
-        min_wal_size: 32MB
-        max_wal_size: 64MB # default is 1GB
-        max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind
-
-  proxy:
-    pgBouncer:
-      image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
-      replicas: 1
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-
-  # Postgres Cluster resource values:
-  pgmonitor:
-    enabled: false
-    exporter:
-      image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-
-bitnami-pg:
-  enabled: true
-  image:
-    registry: ghcr.io
-    repository: bcgov/nr-containers/bitnami/postgresql
-    tag: 15.8.0
-  auth:
-    existingSecret: '{{ .Release.Name }}'
-    username: ~
-    database: ~
-  shmVolume:
-    enabled: false
-  backup:
-    enabled: false
-    cronjob:
-      containerSecurityContext: { }
-      podSecurityContext:
-        enabled: false
-      storage:
-        size: 200Mi
-  primary:
-    persistence:
-      enabled: true
-      storageClass: netapp-block-standard
-      accessModes:
-        - ReadWriteOnce
-      size: 100Mi
-    containerSecurityContext:
-      enabled: false
-    podSecurityContext:
-      enabled: false
-    initdb:
-      scriptsSecret: '{{ .Release.Name }}-initdb-scripts'
-
-    resources:
-      requests:
-        cpu: 50m
-        memory: 150Mi
-      limits:
-        cpu: 150m
-        memory: 250Mi
-
 backup:
   enabled: true
   pvc:
@@ -331,6 +194,7 @@ backup:
 
 coms:
   enabled: true
+  db_secret: crunchy-postgres-dev-pguser-coms
   image:
     repository: ghcr.io/bcgov/common-object-management-service
     tag: ~
@@ -358,11 +222,6 @@ coms:
     BASICAUTH_ENABLED: ~
     BASICAUTH_USERNAME: ~
     BASICAUTH_PASSWORD: ~
-    DB_HOST: ~
-    DB_PORT: "5432"
-    DB_USERNAME: ~
-    DB_PASSWORD: ~
-    DB_DATABASE: ~
 
   batch:
     enabled: true