Make ingress more generalized, remove roll and config override

google · Sep 23, 2024 · c1582a5 · c1582a5
1 parent 8678403
commit c1582a5
Show file tree

Hide file tree

Showing 12 changed files with 87 additions and 442 deletions.
diff --git a/charts/timesketch/Chart.lock b/charts/timesketch/Chart.lock
@@ -9,4 +9,4 @@ dependencies:
   repository: https://opensearch-project.github.io/helm-charts/
   version: 2.20.0
 digest: sha256:3fbaef8755ed79056d10a0c93cf5d278a47bb5f55b9a98802922edef4faa0610
-generated: "2024-05-16T13:22:27.139681-07:00"
+generated: "2024-09-23T13:14:31.525789-07:00"
diff --git a/charts/timesketch/Chart.yaml b/charts/timesketch/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: timesketch
-version: 1.0.7
+version: 1.0.8
 description: A Helm chart for Timesketch Kubernetes deployments.
 keywords:
 - timesketch

diff --git a/charts/timesketch/README.md b/charts/timesketch/README.md
@@ -40,34 +40,21 @@ helm repo add osdfir-charts https://google.github.io/osdfir-infrastructure/
 helm repo update
 ```
 
-To install the chart, specify any release name of your choice. For example, using `my-release` as the release name, run:
+To install the chart, specify any release name of your choice. For example,
+using `my-release` as the release name, run:
 
 ```console
 helm install my-release osdfir-charts/timesketch
 ```
 
-The command deploys Timesketch on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured
-during installation or see [Installating for Production](#installing-for-production)
-for a recommended production installation.
+The command deploys Timesketch on the Kubernetes cluster in the default configuration.
+The [Parameters](#parameters) section lists the parameters that can be configured
+during installation.
 
-> **Tip**:  You can override the default Timesketch configuration by pulling the Helm
-chart locally and adding a `configs/` directory at the root of the Helm chart with user-provided configs.
+> **Tip**:  See the [Managing and updating Timesketch configs](#managing-and-updating-timesketch-configs)
+section for more details on managing the Timesketch configs.
 
-## Installing for Production
-
-Pull the chart locally then cd into `/timesketch` and review the `values-production.yaml` file for a list of values that will be used for production.
-
-```console
-helm pull osdfir-charts/timesketch --untar
-```
-
-Install the chart with the base values in `values.yaml` and the production values in `values-production.yaml`, then using a release name such as `my-release`, run:
-
-```console
-helm install my-release ../timesketch -f values.yaml -f values-production.yaml
-```
-
-### Enabling GKE Ingress and OIDC Authentication
+## Enabling GKE Ingress and OIDC Authentication
 
 Follow these steps to externally expose Timesketch and enable Google Cloud OIDC
 to control user access to Timesketch.
@@ -115,6 +102,7 @@ OAuth client.
     helm upgrade my-release ../timesketch \
         -f values-production.yaml \
         --set ingress.enabled=true \
+        --set ingress.className="gce" \
         --set ingress.host=<DOMAIN_NAME> \
         --set ingress.gcp.staticIPName=<STATIC_IP_NAME> \
         --set ingress.gcp.managedCertificates=true \
@@ -318,8 +306,8 @@ helm install my-release osdfir-charts/timesketch --set opensearch.replicas=3
 
 The above command installs Timesketch with 3 Opensearch Replicas.
 
-Alternatively, the `values.yaml` and `values-production.yaml` file can be
-directly updated if the Helm chart was pulled locally. For example,
+Alternatively, the `values.yaml` file can be directly updated if the Helm chart
+was pulled locally. For example,
 
 ```console
 helm pull osdfir-charts/timesketch --untar
@@ -358,100 +346,61 @@ image tag to `latest` and increasing persistent volume size of an existing volum
 to 10 Terabytes. Note that existing data will not be deleted and instead triggers an expansion
 of the volume that backs the underlying PersistentVolume. See [here](https://kubernetes.io/docs/concepts/storage/persistent-volumes/).
 
-### Managing and updating Timesketch configs
-
-This section outlines how to deploy and manage Timesketch configuration files within OSDFIR infrastructure. There are three primary methods:
-
-1. **Using Default Configurations**
-
-    If you don't provide your own Timesketch config files during deployment,
-    the Timesketch deployment will automatically retrieve the latest default configs
-    from the Timesketch Github repository. This method requires no further action from you.
-
-    > **NOTE:**  When using the default method, you cannot update the Timesketch config files directly.
-
-2. **Embedding Timesketch configs in the Helm Chart**
-
-    To customize Timesketch with your own config files and include them directly in the Helm chart deployment, follow these steps:
-
-    1. Download and Extract the Helm chart:
+## Managing and updating Timesketch configs
 
-        ```console
-        helm pull osdfir-charts/timesketch --untar
-        cd timesketch/
-        ```
+This section outlines how to deploy and manage Timesketch configuration files
+within OSDFIR infrastructure.
 
-    2. Download the default Timesketch configs:
+There are two primary methods:
 
-        ```console
-        ./tools/download-timesketch-configs.sh
-        ```
+### Using Default Configurations**
 
-        This script downloads the default Timesketch configuration files to the `config/` directory within the extracted Helm chart directory.
+If you don't provide your own Timesketch config files during deployment,
+the Timesketch deployment will automatically retrieve the latest default configs
+from the Timesketch Github repository. This method requires no further action from you.
 
-    3. Modify config files then deploy the Helm chart:
+> **NOTE:**  When using the default method, you cannot update the Timesketch config files directly.
 
-        ```console
-        helm install my-release ../timesketch 
-        ```
+### Managing Timesketch configs externally
 
-        > **NOTE**: The Helm chart checks the path specified in `config.override` for existing config files. By default this path is set to `configs/` within the Helm chart directory.
+For more advanced configuration management, you can manage Timesketch config
+files independently of the Helm chart:
 
-    To update configs changes using this method:
+1. Prepare your Config Files:
 
-    1. Modify Configuration Files
+    Organize all the Timesketch configuration files in a directory with your
+    desired customizations.
 
-        Make the necessary changes to your configuration files in the `config/` directory.
+2. Create a ConfigMap:
 
-    2. Upgrade the Helm Release:
-
-        ```console
-        helm upgrade my-release ../timesketch
-        ```
-
-        This will automatically apply the updated config changes and restart the Timesketch deployment so the changes can be picked up.
-
-
-3. **Managing Timesketch configs externally**
-
-    For more advanced configuration management, you can manage Timesketch config
-    files independently of the Helm chart:
-
-    1. Prepare your Config Files:
-
-        Organize all the Timesketch configuration files in a directory with your
-        desired customizations.
-
-    2. Create a ConfigMap:
-
-        ```console
-        kubectl create configmap timesketch-configs --from-file=./my-configs/
-        ```
+    ```console
+    kubectl create configmap timesketch-configs --from-file=./timesketch-configs/
+    ```
 
-        Replace `./my-configs/` with the actual path to your configuration files.
+    Replace `./timesketch-configs/` with the actual path to your configuration files.
 
-    3. Install or Upgrade the Helm Chart:
+3. Install or Upgrade the Helm Chart:
 
-        ```console
-        helm install my-release osdfir-charts/timesketch --set config.existingConfigMap="timesketch-configs"
-        ```
+    ```console
+    helm install my-release osdfir-charts/timesketch --set config.existingConfigMap="timesketch-configs"
+    ```
 
-        This command instructs the Helm chart to use the `timesketch-configs` ConfigMap for
-        Timesketch's config files.
+    This command instructs the Helm chart to use the `timesketch-configs` ConfigMap for
+    Timesketch's config files.
 
-    To update the config changes using this method:
+To update the config changes using this method:
 
-    1. Update the ConfigMap:
+1. Update the ConfigMap:
 
-        ```console
-        kubectl create configmap timesketch-configs --from-file=./my-configs/ --dry-run -o yaml | kubectl replace -f -
-        ```
+    ```console
+    kubectl create configmap timesketch-configs --from-file=./my-configs/ --dry-run -o yaml | kubectl replace -f -
+    ```
 
-    2. Restart the Timesketch deployment to apply the new configs
+2. Restart the Timesketch deployment to apply the new configs
 
-        ```console
-        kubectl rollout restart deployment -l app.kubernetes.io/name=timesketch
-        ```
+    ```console
+    kubectl rollout restart deployment -l app.kubernetes.io/name=timesketch
+    ```
 
 ### Upgrade Timesketch Database Schema
 

diff --git a/charts/timesketch/templates/_helpers.tpl b/charts/timesketch/templates/_helpers.tpl
@@ -28,11 +28,10 @@ Return the proper persistence volume claim name
 */}}
 {{- define "timesketch.pvc.name" -}}
 {{- $pvcName := .Values.persistence.name -}}
-{{- if .Values.global -}}
-    {{- if .Values.global.existingPVC -}}
-        {{- $pvcName = .Values.global.existingPVC -}}
-    {{- end -}}
-{{- printf "%s-%s" $pvcName "claim" }}
+{{- if and .Values.global .Values.global.existingPVC -}}
+{{- .Values.global.existingPVC -}}
+{{- else -}}
+{{- printf "%s-%s-claim" .Release.Name $pvcName }}
 {{- end -}}
 {{- end -}}
 
@@ -93,10 +92,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "timesketch.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "timesketch.fullname" .) .Values.serviceAccount.name }}
+{{- if .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- printf "%s-%s" .Release.Name "timesketch" }}
 {{- end }}
 {{- end }}
 
@@ -172,11 +171,3 @@ Timesketch service port
 {{- printf "%s-access-list" (include "timesketch.fullname" .) -}}
 {{- end -}}
 {{- end -}}
-
-{{- define "timesketch.configmap" -}}
-{{- if .Values.config.existingConfigMap -}}
-{{- .Values.config.existingConfigMap -}}
-{{- else -}}
-{{- include "timesketch.fullname" . }}-configmap
-{{- end -}}
-{{- end -}}
diff --git a/charts/timesketch/templates/_initContainer.tpl b/charts/timesketch/templates/_initContainer.tpl
@@ -59,11 +59,13 @@ Worker pod upon startup.
       name: init-timesketch
     - mountPath: /etc/timesketch
       name: timesketch-configs
+    {{- if .Values.config.existingConfigMap }}
     - mountPath: /tmp/timesketch
       name: uploaded-configs
-  {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
+    {{- end }}
+    {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
     - name: authenticated-emails
       mountPath: /init/authenticated-emails
       readOnly: true
-  {{- end }}
+    {{- end }}
 {{- end }}
diff --git a/charts/timesketch/templates/configmap.yaml b/charts/timesketch/templates/configmap.yaml
diff --git a/charts/timesketch/templates/ingress.yaml b/charts/timesketch/templates/ingress.yaml
@@ -8,19 +8,19 @@ metadata:
     {{- include "timesketch.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
-    {{- if .Values.ingress.gcp.managedCertificates }}
-    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
-    {{- end }}
     {{- if .Values.ingress.certManager }}
     kubernetes.io/tls-acme: "true"
     cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production
     {{- end }}
+    # GKE specific annotations
     {{- if (eq .Values.ingress.className "gce") }}
     {{- if .Values.ingress.gcp.staticIPName }}
     kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPName }}
     networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
-    {{- else }}
-    {{- fail "A valied .Values.ingress.gcp.staticIPName entry is required when using the GCE Ingress" }}
+    {{- end }}
+    {{- if .Values.ingress.gcp.managedCertificates }}
+    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
+    networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
     {{- end }}
     {{- end }}
 spec:
@@ -31,7 +31,7 @@ spec:
       secretName: {{ include "timesketch.fullname" . }}-tls
   {{- end }}
   rules:
-    - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
+    - host: {{ .Values.ingress.host }}
       http:
         paths:
           - path: /
@@ -58,19 +58,18 @@ metadata:
     {{- include "timesketch.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
-    {{- if .Values.ingress.gcp.managedCertificates }}
-    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
-    {{- end }}
     {{- if .Values.ingress.certManager }}
     kubernetes.io/tls-acme: "true"
     cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production
     {{- end }}
+    # GKE specific annotations
     {{- if (eq .Values.ingress.className "gce") }}
     {{- if .Values.ingress.gcp.staticIPV6Name }}
     kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPV6Name }}
+    {{- end }}
+    {{- if .Values.ingress.gcp.managedCertificates }}
+    networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
     networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
-    {{- else }}
-    {{- fail "A valied .Values.ingress.gcp.staticIPV6Name entry is required when using the GCE Ingress" }}
     {{- end }}
     {{- end }}
 spec:
@@ -81,7 +80,7 @@ spec:
       secretName: {{ include "timesketch.fullname" . }}-tls
   {{- end }}
   rules:
-    - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
+    - host: {{ .Values.ingress.host }}
       http:
         paths:
           - path: /

diff --git a/charts/timesketch/templates/serviceaccount.yaml b/charts/timesketch/templates/serviceaccount.yaml
@@ -9,4 +9,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end }}
diff --git a/charts/timesketch/templates/web-deployment.yaml b/charts/timesketch/templates/web-deployment.yaml
@@ -15,8 +15,8 @@ spec:
   template:
     metadata:
       annotations:
-        # Have Deployment restart after each upgrade
-        roll: {{ randAlphaNum 5 | quote }}
+        # Restart pod if values.yaml parameters that affect the config were changed
+        checksum/config: {{  include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }}
         {{- if .Values.metrics.enabled }} 
         prometheus.io/port: {{ .Values.metrics.port | quote }}
         prometheus.io/scrape: "true"
@@ -83,10 +83,11 @@ spec:
             defaultMode: 0744
         - name: timesketch-configs
           emptyDir: {}
+        {{- if .Values.config.existingConfigMap }}
         - name: uploaded-configs
           configMap:
-            name: {{ include "timesketch.configmap" . }}
-            optional: true
+            name: {{ .Values.config.existingConfigMap }}
+        {{- end }}
         {{- if .Values.config.oidc.authenticatedEmailsFile.enabled }}
         - name: authenticated-emails
           secret: