Added helm hooks for database schema upgrades.

Author: PJEstrada

templates/default/configmap.yaml

@@ -12,4 +12,5 @@ data:
   CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
   ML__CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
   URL_BASE: {{ .Values.diffgramDomain }}
-  PYTHONPATH: /app
+  SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
+  PYTHONPATH: "/app:/app/shared:/"

templates/default/deployment.yaml

@@ -38,16 +38,6 @@ spec:
         {{ if eq .Values.dbSettings.dbProvider "azure"}}
         command: ['sh', '-c', 'until pg_isready -h postgres-azure-service -p 5432; do echo waiting for database; sleep 2; done;']
         {{ end }}
-      - name: run-migrations
-        imagePullPolicy: Always
-        image: gcr.io/diffgram-enterprise/default:{{ .Values.diffgramVersion }}
-        envFrom:
-        - configMapRef:
-            name: diffgram-default-configmap
-        - secretRef:
-            name: diffgram-default-secrets
-        command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/testing_and_other/create_database.py; alembic upgrade head"]
-
       containers:
       - image: gcr.io/diffgram-enterprise/default:{{ .Values.diffgramVersion }}
         imagePullPolicy: Always

templates/hooks/configmap_db_migrations.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "1" # we use a smaller weight so it's created before the job
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  name: db-migrations-configmap
+data:
+  USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
+  DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
+  DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
+  DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
+  ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
+  GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
+  CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
+  ML__CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
+  URL_BASE: {{ .Values.diffgramDomain }}
+  SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
+  PYTHONPATH: /app

templates/hooks/database_pre_install.yaml

@@ -0,0 +1,49 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-pre-install"
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      restartPolicy: Never
+      imagePullSecrets:
+      - name: db-migrations-pull-secret
+      volumes:
+      - name: service-account-credentials-volume-hook
+        secret:
+          secretName: gcp-service-account-credentials-hook
+          items:
+          - key: sa_json
+            path: sa_credentials.json
+      containers:
+      - image: gcr.io/diffgram-enterprise/default:{{ .Values.diffgramVersion }}
+        imagePullPolicy: Always
+        name: pre-upgrade-alembic-hook
+        volumeMounts:
+        - name: service-account-credentials-volume-hook
+          mountPath: /etc/gcp
+          readOnly: true
+        envFrom:
+        - configMapRef:
+            name: db-migrations-configmap
+        - secretRef:
+            name:  db-migrations-secret
+        # The actual migrations command
+        command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/testing_and_other/create_database.py; alembic upgrade head"]

templates/hooks/database_pre_upgrade.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "{{ .Release.Name }}"
+  name: "{{ .Release.Name }}-pre-upgrade"
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     app.kubernetes.io/instance: {{ .Release.Name | quote }}
@@ -11,7 +11,7 @@ metadata:
     # This is what defines this resource as a hook. Without this line, the
     # job is considered part of the release.
     "helm.sh/hook": pre-upgrade
-    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-weight": "2"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   template:
@@ -26,9 +26,9 @@ spec:
       imagePullSecrets:
       - name: diffgramsecret
       volumes:
-      - name: service-account-credentials-volume
+      - name: service-account-credentials-volume-hook
         secret:
-          secretName: gcp-service-account-credentials
+          secretName: gcp-service-account-credentials-hook
           items:
           - key: sa_json
             path: sa_credentials.json
@@ -37,27 +37,13 @@ spec:
         imagePullPolicy: Always
         name: pre-upgrade-alembic-hook
         volumeMounts:
-        - name: service-account-credentials-volume
+        - name: service-account-credentials-volume-hook
           mountPath: /etc/gcp
           readOnly: true
         envFrom:
         - configMapRef:
-            name: diffgram-default-configmap
+            name: db-migrations-configmap
         - secretRef:
-            name: diffgram-default-secrets
-        initContainers:
-        - name: check-db-ready
-          image: postgres:9.6.5
-          {{ if eq .Values.dbSettings.dbProvider "local"}}
-          command: ['sh', '-c',
-                    'until pg_isready -h diffgram-postgres -p 5432;
-            do echo waiting for database; sleep 2; done;']
-          {{ end }}
-          {{ if eq .Values.dbSettings.dbProvider "rds"}}
-          command: ['sh', '-c', 'until pg_isready -h postgres-rds-service -p 5432; do echo waiting for database; sleep 2; done;']
-          {{ end }}
-          {{ if eq .Values.dbSettings.dbProvider "azure"}}
-          command: ['sh', '-c', 'until pg_isready -h postgres-azure-service -p 5432; do echo waiting for database; sleep 2; done;']
-          {{ end }}
+            name:  db-migrations-secret
         # The actual migrations command
-        command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/testing_and_other/create_database.py; alembic upgrade head"]
+        command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/testing_and_other/create_database.py;"]

templates/hooks/db_service_migrations.yaml

@@ -0,0 +1,105 @@
+{{ if eq .Values.dbSettings.dbProvider "azure"}}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  labels:
+    app: postgres-azure-service-hook
+  name: postgres-azure-service-hook
+spec:
+  externalName: {{ .Values.dbSettings.azureSqlEndpoint }}
+  selector:
+    app: postgres-azure-service-hook
+  type: ExternalName
+status:
+  loadBalancer: {}
+{{ end }}
+{{ if eq .Values.dbSettings.dbProvider "rds"}}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  labels:
+    app: postgres-rds-service-hook
+  name: postgres-rds-service-hook
+spec:
+  externalName: {{ .Values.dbSettings.rdsEndpoint }}
+  selector:
+    app: ppostgres-rds-service-hook
+  type: ExternalName
+status:
+  loadBalancer: {}
+{{ end }}
+
+{{ if eq .Values.dbSettings.dbProvider "local"}}
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  name: "postgres-hook"
+  namespace: "default"
+  labels:
+    app: "postgres-hook"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "postgres"
+  template:
+    metadata:
+      labels:
+        app: "postgres"
+    spec:
+      containers:
+      - name: "postgres"
+        image: "postgres:9.6.2"
+        env:
+        - name: "POSTGRES_DB"
+          value: {{ .Values.dbSettings.dbName }}
+        - name: "POSTGRES_USER"
+          value: {{ .Values.dbSettings.dbUser }}
+        - name: "POSTGRES_PASSWORD"
+          value: {{ .Values.dbSettings.dbPassword }}
+        ports:
+          - containerPort: 5432
+            name: postgres
+        volumeMounts:
+          - name: postgres-storage
+            mountPath: /var/lib/postgresql/db-data
+      volumes:
+        - name: postgres-storage
+          persistentVolumeClaim:
+            claimName: postgres-pv-claim
+{{ end }}
+{{ if eq .Values.dbSettings.dbProvider "local"}}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  name: diffgram-postgres-hook
+spec:
+  ports:
+    - port: 5432
+  selector:
+    app: diffgram-postgres-hook
+{{ end }}

templates/hooks/secret_gcp_service_account_hook.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gcp-service-account-credentials-hook
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "1" # we use a smaller weight so it's created before the job
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+type: Opaque
+data:
+  # This is the JSON file encoded in base64. It will be mounted as a volume on the container.
+  sa_json: {{ .Values.diffgramSecrets.SERVICE_ACCOUNT_JSON_B64 }}

templates/hooks/secret_gcr_db_migrations.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+  .dockerconfigjson: {{ .Values.imagePullCredentials.gcrCredentials }}
+kind: Secret
+
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  managedFields:
+  - apiVersion: v1
+    fieldsType: FieldsV1
+    fieldsV1:
+      f:data:
+        .: {}
+        f:.dockerconfigjson: {}
+      f:type: {}
+    manager: kubectl
+    operation: Update
+  name: db-migrations-pull-secret
+  namespace: default
+type: kubernetes.io/dockerconfigjson

templates/hooks/secrets_db_migrations.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+  name: db-migrations-secret
+type: Opaque
+stringData:
+  STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }}
+  DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }}
+  _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }}
+  MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }}
+  HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }}
+  SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }}
+  INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }}
+  {{ if eq .Values.dbSettings.dbProvider "local"}}
+  DATABASE_URL:  "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}"
+  {{ end }}
+  {{ if eq .Values.dbSettings.dbProvider "rds"}}
+  DATABASE_URL:  "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@{{ .Values.dbSettings.rdsEndpoint }}/{{ .Values.dbSettings.dbName }}"
+  {{ end }}
+  {{ if eq .Values.dbSettings.dbProvider "azure"}}
+  DATABASE_URL:  "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@{{ .Values.dbSettings.azureSqlEndpoint }}/{{ .Values.dbSettings.dbName }}"
+  {{ end }}
+  USER_PASSWORDS_SECRET:  {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }}

templates/walrus/configmap.yaml

@@ -12,4 +12,5 @@ data:
   CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
   ML__CLOUD_STORAGE_BUCKET:  {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
   PYTHONPATH: /app
-  URL_BASE: {{ .Values.diffgramDomain }}
+  URL_BASE: {{ .Values.diffgramDomain }}
+  SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}