diff --git a/charts/console/deployment.go b/charts/console/deployment.go index 67ed5669df..6d225184de 100644 --- a/charts/console/deployment.go +++ b/charts/console/deployment.go @@ -58,7 +58,7 @@ func Deployment(dot *helmette.Dot) *appsv1.Deployment { replicas = ptr.To(values.ReplicaCount) } - var initContainers []corev1.Container + initContainers := []corev1.Container{} if !helmette.Empty(values.InitContainers.ExtraInitContainers) { initContainers = helmette.UnmarshalYamlArray[corev1.Container](helmette.Tpl(*values.InitContainers.ExtraInitContainers, dot)) } diff --git a/charts/console/templates/_deployment.go.tpl b/charts/console/templates/_deployment.go.tpl index 67aaf598fe..96014f5a29 100644 --- a/charts/console/templates/_deployment.go.tpl +++ b/charts/console/templates/_deployment.go.tpl @@ -38,7 +38,7 @@ {{- if (not $values.autoscaling.enabled) -}} {{- $replicas = ($values.replicaCount | int) -}} {{- end -}} -{{- $initContainers := (coalesce nil) -}} +{{- $initContainers := (list ) -}} {{- if (not (empty $values.initContainers.extraInitContainers)) -}} {{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}} {{- end -}} diff --git a/charts/redpanda/Chart.lock b/charts/redpanda/Chart.lock index b3c6c0a2a7..da4021fa86 100644 --- a/charts/redpanda/Chart.lock +++ b/charts/redpanda/Chart.lock @@ -6,4 +6,4 @@ dependencies: repository: https://charts.redpanda.com version: 0.1.13 digest: sha256:3023f8ca61cf80050d0f0e73f9e86b73ae796717c651be8765c9db90996e5462 -generated: "2024-09-26T22:13:55.854012+02:00" +generated: "2024-10-10T16:19:23.795965+02:00" diff --git a/charts/redpanda/chart.go b/charts/redpanda/chart.go index d198e09d9a..65a7c97862 100644 --- a/charts/redpanda/chart.go +++ b/charts/redpanda/chart.go 
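Review bot: The switch from `var initContainers []corev1.Container` to `initContainers := []corev1.Container{}` in Deployment goes against the usual Go preference for nil slices and carries no explanation, so a later cleanup could easily revert it. If the empty slice is required so that the Go rendering and the generated template (now `(list )` rather than `(coalesce nil)`) produce the same output, a comment should say so, e.g. `// Must be an empty slice, not nil, so the Go and template renderings stay equivalent.` The function body starts and ends outside the hunk.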
@@ -21,6 +21,7 @@ import ( certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" + "github.com/redpanda-data/helm-charts/charts/console" "github.com/redpanda-data/helm-charts/pkg/gotohelm" "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" "github.com/redpanda-data/helm-charts/pkg/kube" @@ -40,7 +41,7 @@ var ( defaultValuesYAML []byte // Chart is the go version of the redpanda helm chart. - Chart = gotohelm.MustLoad(chartYAML, defaultValuesYAML, render) + Chart = gotohelm.MustLoad(chartYAML, defaultValuesYAML, render, console.Chart) ) // +gotohelm:ignore=true @@ -114,6 +115,8 @@ func render(dot *helmette.Dot) []kube.Object { manifests = append(manifests, obj) } + manifests = append(manifests, renderConsole(dot)...) + // NB: This slice may contain nil interfaces! // Filtering happens elsewhere, don't call this function directly if you // can avoid it. diff --git a/charts/redpanda/chart_test.go b/charts/redpanda/chart_test.go index 7afce18614..34b5a60aab 100644 --- a/charts/redpanda/chart_test.go +++ b/charts/redpanda/chart_test.go @@ -14,6 +14,7 @@ import ( "time" "github.com/pkg/errors" + "github.com/redpanda-data/helm-charts/charts/console" "github.com/redpanda-data/helm-charts/charts/redpanda" "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" "github.com/redpanda-data/helm-charts/pkg/helm" @@ -685,7 +686,7 @@ func TestLabels(t *testing.T) { values := &redpanda.PartialValues{ CommonLabels: labels, // This guarantee does not currently extend to console. - Console: &redpanda.PartialConsole{Enabled: ptr.To(false)}, + Console: &console.PartialValues{Enabled: ptr.To(false)}, // Nor connectors. Connectors: &redpanda.PartialConnectors{Enabled: ptr.To(false)}, } 
@@ -748,7 +749,16 @@ func TestGoHelmEquivalence(t *testing.T) { Enabled: ptr.To(false), } - values.Console = &redpanda.PartialConsole{Enabled: ptr.To(false)} + values.Console = &console.PartialValues{ + Enabled: ptr.To(true), + Secret: &console.PartialSecretConfig{ + Login: &console.PartialLoginSecrets{JWTSecret: ptr.To("SECRET")}, + }, + Ingress: &console.PartialIngressConfig{ + Enabled: ptr.To(true), + }, + Tests: &console.PartialEnableable{Enabled: ptr.To(false)}, + } values.Connectors = &redpanda.PartialConnectors{Enabled: ptr.To(false)} goObjs, err := redpanda.Chart.Render(kube.Config{}, helmette.Release{ @@ -780,7 +790,7 @@ func TestGoHelmEquivalence(t *testing.T) { return strings.Compare(aStr, bStr) }) - const stsIdx = 7 + const stsIdx = 12 // resource.Quantity is a special object. To Ensure they compare correctly, // we'll round trip it through JSON so the internal representations will diff --git a/charts/redpanda/console.tpl.go b/charts/redpanda/console.tpl.go index 910ea8f3f3..3c93d65e45 100644 --- a/charts/redpanda/console.tpl.go +++ b/charts/redpanda/console.tpl.go 
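Review bot: `const stsIdx = 12` in TestGoHelmEquivalence hard-codes the StatefulSet's position in the sorted object list, and this commit already had to move it from 7 after enabling console changed the rendered set. Locating the StatefulSet by type would keep the test independent of how many manifests the chart renders, for example `stsIdx := slices.IndexFunc(goObjs, func(o kube.Object) bool { _, ok := o.(*appsv1.StatefulSet); return ok })`. The function continues outside the hunk, so whether `slices` and `appsv1` are already imported in this file, and which slice the index is applied to, needs confirming there.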
@@ -20,10 +20,192 @@ import ( "fmt" "github.com/redpanda-data/console/backend/pkg/config" + "github.com/redpanda-data/helm-charts/charts/console" "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + "github.com/redpanda-data/helm-charts/pkg/kube" + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" ) -func ConsoleConfig(dot *helmette.Dot) any { +// To connect Console with Redpanda the values are adjusted. +func renderConsole(dot *helmette.Dot) []kube.Object { + v := helmette.UnmarshalInto[Values](dot.Values) + + if !ptr.Deref(v.Console.Enabled, true) { + return nil + } + + consoleDot := dot.Subcharts["console"] + + consoleValue := helmette.UnmarshalInto[console.Values](consoleDot.Values) + if !ptr.Deref(v.Console.Secret.Create, false) { + consoleValue.Secret.Create = true + if license := GetLicenseLiteral(dot); license != "" { + consoleValue.Secret.Enterprise = console.EnterpriseSecrets{License: ptr.To(license)} + } + } + + if !ptr.Deref(v.Console.ConfigMap.Create, false) { + consoleValue.ConfigMap.Create = true + consoleValue.Console.Config = ConsoleConfig(dot) + } + + if !ptr.Deref(v.Console.Deployment.Create, false) { + consoleValue.Deployment.Create = true + extraVolumes := []corev1.Volume{} + extraVolumeMounts := []corev1.VolumeMount{} + extraEnvVars := []corev1.EnvVar{} + if v.Auth.IsSASLEnabled() { + command := append([]string{}, + "sh", + "-c", + "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));", + fmt.Sprintf(" KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s};", SASLMechanism(dot)), + " export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;", + " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;", + " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;", + " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;", + " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;", + " /app/console $@", + " --") + consoleValue.Deployment.Command 
= command + extraVolumes = append(extraVolumes, corev1.Volume{ + Name: fmt.Sprintf("%s-users", Fullname(dot)), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: v.Auth.SASL.SecretRef, + }, + }, + }) + extraVolumeMounts = append(extraVolumeMounts, corev1.VolumeMount{ + Name: fmt.Sprintf("%s-users", Fullname(dot)), + MountPath: "/mnt/users", + ReadOnly: true, + }) + } + + if v.Listeners.Kafka.TLS.IsEnabled(&v.TLS) { + certName := v.Listeners.Kafka.TLS.Cert + cert := v.TLS.Certs.MustGet(certName) + secretName := fmt.Sprintf("%s-%s-cert", Fullname(dot), certName) + if cert.SecretRef != nil { + secretName = cert.SecretRef.Name + } + if cert.CAEnabled { + // TODO (Rafal) That could be removed as Config could be defined in ConfigMap + extraEnvVars = append(extraEnvVars, corev1.EnvVar{ + Name: "KAFKA_TLS_CAFILEPATH", + Value: fmt.Sprintf("/mnt/cert/kafka/%s/ca.crt", certName), + }) + extraVolumes = append(extraVolumes, corev1.Volume{ + Name: fmt.Sprintf("kafka-%s-cert", certName), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o420), + SecretName: secretName, + }, + }, + }) + extraVolumeMounts = append(extraVolumeMounts, corev1.VolumeMount{ + Name: fmt.Sprintf("kafka-%s-cert", certName), + MountPath: fmt.Sprintf("/mnt/cert/kafka/%s", certName), + ReadOnly: true, + }) + } + } + + if v.Listeners.SchemaRegistry.TLS.IsEnabled(&v.TLS) { + certName := v.Listeners.SchemaRegistry.TLS.Cert + cert := v.TLS.Certs.MustGet(certName) + secretName := fmt.Sprintf("%s-%s-cert", Fullname(dot), certName) + if cert.SecretRef != nil { + secretName = cert.SecretRef.Name + } + if cert.CAEnabled { + // TODO (Rafal) That could be removed as Config could be defined in ConfigMap + extraEnvVars = append(extraEnvVars, corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH", + Value: fmt.Sprintf("/mnt/cert/schemaregistry/%s/ca.crt", certName), + }) + extraVolumes = append(extraVolumes, corev1.Volume{ + 
Name: fmt.Sprintf("schemaregistry-%s-cert", certName), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o420), + SecretName: secretName, + }, + }, + }) + extraVolumeMounts = append(extraVolumeMounts, corev1.VolumeMount{ + Name: fmt.Sprintf("schemaregistry-%s-cert", certName), + MountPath: fmt.Sprintf("/mnt/cert/schemaregistry/%s", certName), + ReadOnly: true, + }) + } + } + + if v.Listeners.Admin.TLS.IsEnabled(&v.TLS) { + certName := v.Listeners.Admin.TLS.Cert + cert := v.TLS.Certs.MustGet(certName) + secretName := fmt.Sprintf("%s-%s-cert", Fullname(dot), certName) + if cert.SecretRef != nil { + secretName = cert.SecretRef.Name + } + if cert.CAEnabled { + extraVolumes = append(extraVolumes, corev1.Volume{ + Name: fmt.Sprintf("adminapi-%s-cert", certName), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o420), + SecretName: secretName, + }, + }, + }) + extraVolumeMounts = append(extraVolumeMounts, corev1.VolumeMount{ + Name: fmt.Sprintf("adminapi-%s-cert", certName), + MountPath: fmt.Sprintf("/mnt/cert/adminapi/%s", certName), + ReadOnly: true, + }) + } + } + + if secret := GetLicenseSecretReference(dot); secret != nil { + consoleValue.Enterprise = console.Enterprise{ + LicenseSecretRef: console.SecretKeyRef{ + Name: secret.Name, + Key: secret.Key, + }, + } + } + + consoleValue.ExtraEnv = extraEnvVars + consoleValue.ExtraVolumes = extraVolumes + consoleValue.ExtraVolumeMounts = extraVolumeMounts + + consoleDot.Values = helmette.UnmarshalInto[helmette.Values](consoleValue) + cfg := console.ConfigMap(consoleDot) + if consoleValue.PodAnnotations == nil { + consoleValue.PodAnnotations = map[string]string{} + } + consoleValue.PodAnnotations["checksum-redpanda-chart/config"] = helmette.Sha256Sum(helmette.ToYaml(cfg)) + + } + + consoleDot.Values = helmette.UnmarshalInto[helmette.Values](consoleValue) + + manifests := []kube.Object{ + console.Secret(consoleDot), 
+ console.ConfigMap(consoleDot), + console.Deployment(consoleDot), + } + + // NB: This slice may contain nil interfaces! + // Filtering happens elsewhere, don't call this function directly if you + // can avoid it. + return manifests +} + +func ConsoleConfig(dot *helmette.Dot) map[string]any { values := helmette.Unwrap[Values](dot.Values) var schemaURLs []string @@ -48,7 +230,7 @@ func ConsoleConfig(dot *helmette.Dot) any { "sasl": map[string]any{ "enabled": values.Auth.IsSASLEnabled(), }, - "tls": values.Listeners.Kafka.ConsolemTLS(&values.TLS), + "tls": values.Listeners.Kafka.ConsoleTLS(&values.TLS), "schemaRegistry": map[string]any{ "enabled": values.Listeners.SchemaRegistry.Enabled, "urls": schemaURLs, @@ -105,6 +287,12 @@ func ConsoleConfig(dot *helmette.Dot) any { } } + if values.Console.Console == nil { + values.Console.Console = &console.PartialConsole{ + Config: map[string]any{}, + } + } + return helmette.Merge(values.Console.Console.Config, c) } diff --git a/charts/redpanda/templates/_chart.go.tpl b/charts/redpanda/templates/_chart.go.tpl index 88bb1f8d22..83bafd3dde 100644 --- a/charts/redpanda/templates/_chart.go.tpl +++ b/charts/redpanda/templates/_chart.go.tpl @@ -53,6 +53,7 @@ {{- if $_is_returning -}} {{- break -}} {{- end -}} +{{- $manifests = (concat (default (list ) $manifests) (default (list ) (get (fromJson (include "redpanda.renderConsole" (dict "a" (list $dot) ))) "r"))) -}} {{- $_is_returning = true -}} {{- (dict "r" $manifests) | toJson -}} {{- break -}} diff --git a/charts/redpanda/templates/_console.go.tpl b/charts/redpanda/templates/_console.go.tpl index f8498e9986..89055ac9d4 100644 --- a/charts/redpanda/templates/_console.go.tpl +++ b/charts/redpanda/templates/_console.go.tpl 
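Review bot: The assignments `consoleValue.ExtraEnv = extraEnvVars`, `consoleValue.ExtraVolumes = extraVolumes` and `consoleValue.ExtraVolumeMounts = extraVolumeMounts` near the end of renderConsole overwrite whatever the console subchart values already hold for those fields. The deleted configmap-and-deployment.yaml instead concatenated `.Values.console.extraEnv`, `extraVolumes` and `extraVolumeMounts` onto the computed lists. As written, a user-supplied CA bundle or secret mount appears to drop out of the Deployment silently; appending keeps the old behaviour: `consoleValue.ExtraEnv = append(extraEnvVars, consoleValue.ExtraEnv...)`, and likewise for the two volume fields. Separately, `DefaultMode: ptr.To[int32](0o420)` (three places in this hunk) is octal, i.e. 272 decimal, which is owner-read plus group-write. That matches the `0420` literal in the removed template, but the intent was probably decimal 420 (0o644) or a read-only mode such as 0o440, so it is worth confirming and recording the chosen value in a comment.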
@@ -1,5 +1,99 @@ {{- /* Generated from "console.tpl.go" */ -}} +{{- define "redpanda.renderConsole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $v := $dot.Values -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $v.console.enabled true) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $consoleDot := (index $dot.Subcharts "console") -}} +{{- $consoleValue := $consoleDot.Values -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $v.console.secret.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.secret "create" true) -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $license_1 "") -}} +{{- $_ := (set $consoleValue.secret "enterprise" (mustMergeOverwrite (dict ) (dict "license" $license_1 ))) -}} +{{- end -}} +{{- end -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $v.console.configmap.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.configmap "create" true) -}} +{{- $_ := (set $consoleValue.console "config" (get (fromJson (include "redpanda.ConsoleConfig" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $v.console.deployment.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.deployment "create" true) -}} +{{- $extraVolumes := (list ) -}} +{{- $extraVolumeMounts := (list ) -}} +{{- $extraEnvVars := (list ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $v.auth) ))) "r") -}} +{{- $command := (concat (default (list ) (list )) (list "sh" "-c" "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));" (printf " KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s};" (get (fromJson (include 
"redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r")) " export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;" " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;" " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;" " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;" " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;" " /app/console $@" " --")) -}} +{{- $_ := (set $consoleValue.deployment "command" $command) -}} +{{- $extraVolumes = (concat (default (list ) $extraVolumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $v.auth.sasl.secretRef )) )) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- $extraVolumeMounts = (concat (default (list ) $extraVolumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/mnt/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $v.listeners.kafka.tls $v.tls) ))) "r") -}} +{{- $certName := $v.listeners.kafka.tls.cert -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $v.tls.certs) $certName) ))) "r") -}} +{{- $secretName := (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName) -}} +{{- if (ne (toJson $cert.secretRef) "null") -}} +{{- $secretName = $cert.secretRef.name -}} +{{- end -}} +{{- if $cert.caEnabled -}} +{{- $extraEnvVars = (concat (default (list ) $extraEnvVars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" (printf "/mnt/cert/kafka/%s/ca.crt" $certName) )))) -}} +{{- $extraVolumes = (concat (default (list ) $extraVolumes) (list (mustMergeOverwrite (dict "name" "" ) 
(mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o420 | int) "secretName" $secretName )) )) (dict "name" (printf "kafka-%s-cert" $certName) )))) -}} +{{- $extraVolumeMounts = (concat (default (list ) $extraVolumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "kafka-%s-cert" $certName) "mountPath" (printf "/mnt/cert/kafka/%s" $certName) "readOnly" true )))) -}} +{{- end -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $v.listeners.schemaRegistry.tls $v.tls) ))) "r") -}} +{{- $certName := $v.listeners.schemaRegistry.tls.cert -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $v.tls.certs) $certName) ))) "r") -}} +{{- $secretName := (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName) -}} +{{- if (ne (toJson $cert.secretRef) "null") -}} +{{- $secretName = $cert.secretRef.name -}} +{{- end -}} +{{- if $cert.caEnabled -}} +{{- $extraEnvVars = (concat (default (list ) $extraEnvVars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" (printf "/mnt/cert/schemaregistry/%s/ca.crt" $certName) )))) -}} +{{- $extraVolumes = (concat (default (list ) $extraVolumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o420 | int) "secretName" $secretName )) )) (dict "name" (printf "schemaregistry-%s-cert" $certName) )))) -}} +{{- $extraVolumeMounts = (concat (default (list ) $extraVolumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "schemaregistry-%s-cert" $certName) "mountPath" (printf "/mnt/cert/schemaregistry/%s" $certName) "readOnly" true )))) -}} +{{- end -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list 
$v.listeners.admin.tls $v.tls) ))) "r") -}} +{{- $certName := $v.listeners.admin.tls.cert -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $v.tls.certs) $certName) ))) "r") -}} +{{- $secretName := (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName) -}} +{{- if (ne (toJson $cert.secretRef) "null") -}} +{{- $secretName = $cert.secretRef.name -}} +{{- end -}} +{{- if $cert.caEnabled -}} +{{- $extraVolumes = (concat (default (list ) $extraVolumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o420 | int) "secretName" $secretName )) )) (dict "name" (printf "adminapi-%s-cert" $certName) )))) -}} +{{- $extraVolumeMounts = (concat (default (list ) $extraVolumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "adminapi-%s-cert" $certName) "mountPath" (printf "/mnt/cert/adminapi/%s" $certName) "readOnly" true )))) -}} +{{- end -}} +{{- end -}} +{{- $secret_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $secret_2) "null") -}} +{{- $_ := (set $consoleValue "enterprise" (mustMergeOverwrite (dict "licenseSecretRef" (dict "name" "" "key" "" ) ) (dict "licenseSecretRef" (mustMergeOverwrite (dict "name" "" "key" "" ) (dict "name" $secret_2.name "key" $secret_2.key )) ))) -}} +{{- end -}} +{{- $_ := (set $consoleValue "extraEnv" $extraEnvVars) -}} +{{- $_ := (set $consoleValue "extraVolumes" $extraVolumes) -}} +{{- $_ := (set $consoleValue "extraVolumeMounts" $extraVolumeMounts) -}} +{{- $_ := (set $consoleDot "Values" $consoleValue) -}} +{{- $cfg := (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") -}} +{{- if (eq (toJson $consoleValue.podAnnotations) "null") -}} +{{- $_ := (set $consoleValue "podAnnotations" (dict )) -}} +{{- end -}} +{{- $_ := 
(set $consoleValue.podAnnotations "checksum-redpanda-chart/config" (sha256sum (toYaml $cfg))) -}} +{{- end -}} +{{- $_ := (set $consoleDot "Values" $consoleValue) -}} +{{- $manifests := (list (get (fromJson (include "console.Secret" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $consoleDot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.ConsoleConfig" -}} {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} 
@@ -22,7 +116,7 @@ {{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} {{- $schema = "https" -}} {{- end -}} -{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson (include "redpanda.KafkaListeners.ConsolemTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} +{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson (include "redpanda.KafkaListeners.ConsoleTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema 
(get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} {{- if $values.connectors.enabled -}} {{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} {{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r")) ))) "r") -}} @@ -36,6 +130,9 @@ {{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.ConnectorsFullName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) $p) -}} {{- $_ := (set $c "connect" (mustMergeOverwrite (dict "enabled" false "clusters" (coalesce nil) "connectTimeout" 0 "readTimeout" 0 "requestTimeout" 0 ) (dict "enabled" $values.connectors.enabled "clusters" (list (mustMergeOverwrite (dict "name" "" "url" "" "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" ) (dict "name" "connectors" "url" $connectorsURL "tls" (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false )) "username" "" "password" "" "token" "" ))) ))) -}} {{- end -}} +{{- if (eq (toJson $values.console.console) "null") -}} +{{- $_ := (set $values.console "console" (mustMergeOverwrite (dict ) (dict "config" (dict ) ))) -}} +{{- end -}} {{- $_is_returning = true -}} {{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}} {{- break -}} diff --git a/charts/redpanda/templates/_values.go.tpl b/charts/redpanda/templates/_values.go.tpl index 5b802d218b..a680273b45 100644 
--- a/charts/redpanda/templates/_values.go.tpl +++ b/charts/redpanda/templates/_values.go.tpl @@ -982,7 +982,7 @@ {{- end -}} {{- end -}} -{{- define "redpanda.KafkaListeners.ConsolemTLS" -}} +{{- define "redpanda.KafkaListeners.ConsoleTLS" -}} {{- $k := (index .a 0) -}} {{- $tls := (index .a 1) -}} {{- range $_ := (list 1) -}} diff --git a/charts/redpanda/templates/console/configmap-and-deployment.yaml b/charts/redpanda/templates/console/configmap-and-deployment.yaml deleted file mode 100644 index 0f4de4a71b..0000000000 --- a/charts/redpanda/templates/console/configmap-and-deployment.yaml +++ /dev/null 
@@ -1,239 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{/* Secret */}} -{{ $secretConfig := dict ( dict - "create" $.Values.console.secret.create - ) -}} -{{/* if the console chart has the creation of the secret disabled, create it here instead if needed */}} -{{ if and .Values.console.enabled (not .Values.console.secret.create) }} -{{ $licenseKey := ( include "enterprise-license" . ) }} -# before license changes, this was not printing a secret, so we gather in which case to print -# for now only if we have a license do we print, however, this may be an issue for some -# since if we do include a license we MUST also print all secret items. - {{ if ( not (empty $licenseKey ) ) }} -{{/* License and license are set twice here as a work around to a bug in the post-go console chart. 
*/}} -{{ $secretConfig = ( dict - "create" true - "enterprise" ( dict "license" $licenseKey "License" $licenseKey) - ) -}} - -{{ $config := dict - "Values" (dict - "secret" $secretConfig - )}} - -{{ $secretValues := merge $config .Subcharts.console }} -{{ $wrappedSecretValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $secretValues.Values)) }} ---- -{{- include "_shims.render-manifest" (list "console.Secret" $wrappedSecretValues) -}} - {{ end }} -{{ end }} - -{{ $configmap := dict }} -{{/* if the console chart has the creation of the configmap disabled, create it here instead */}} -{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} -{{ $consoleConfigmap := dict "create" true }} - -{{ $consoleConfig := merge .Values.console.config (get ((include "redpanda.ConsoleConfig" (dict "a" (list .))) | fromJson) "r") }} - -{{ $config := dict - "Values" (dict - "console" (dict "config" $consoleConfig) - "configmap" $consoleConfigmap - "secret" $secretConfig - ) -}} - -{{ $configMapValues := merge $config .Subcharts.console }} ---- -{{- $wrappedSecretValues := (dict - "Chart" .Subcharts.console.Chart - "Release" .Release - "Values" (dict "AsMap" $configMapValues.Values) - "Template" (dict "BasePath" "" "Name" "") -) -}} -{{- include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) -}} -{{ $configmap = include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) }} -{{ end }} - -{{/* Deployment */}} -{{ if and .Values.console.enabled (not .Values.console.deployment.create) }} - -{{ $extraVolumes := list }} -{{ $extraVolumeMounts := list }} -{{ $command := list }} -{{ if (include "sasl-enabled" . 
| fromJson).bool }} - {{ $command = concat $command (list "sh" "-c") }} - {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s}; export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;" ( include "sasl-mechanism" . )) }} - {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;" }} - {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;" }} - {{ $consoleSASLConfig = cat $consoleSASLConfig " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;" }} - {{ $consoleSASLConfig = cat $consoleSASLConfig " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;" }} - {{ $consoleSASLConfig = cat $consoleSASLConfig " /app/console $@" }} - {{ $command = append $command $consoleSASLConfig }} - {{ $command = append $command "--" }} - {{ $extraVolumes = append $extraVolumes (dict - "name" (printf "%s-users" (include "redpanda.fullname" .)) - "secret" (dict - "secretName" .Values.auth.sasl.secretRef - ) - )}} - {{ $extraVolumeMounts = append $extraVolumeMounts (dict - "name" (printf "%s-users" (include "redpanda.fullname" .)) - "mountPath" "/mnt/users" - "readOnly" true - ) }} -{{ end }} - -{{ $kafkaTLS := list }} -{{ if (include "kafka-internal-tls-enabled" . | fromJson).bool }} - {{ $service := .Values.listeners.kafka }} - {{ $cert := get .Values.tls.certs $service.tls.cert }} - {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) 
$service.tls.cert) }} - {{- if $cert.secretRef }} - {{- $secretName = $cert.secretRef.name }} - {{- end }} - {{ if $cert.caEnabled }} - {{ $kafkaTLS = append $kafkaTLS (dict - "name" "KAFKA_TLS_CAFILEPATH" - "value" (printf "/mnt/cert/kafka/%s/ca.crt" $service.tls.cert) - )}} - {{ $extraVolumes = append $extraVolumes (dict - "name" (printf "kafka-%s-cert" $service.tls.cert) - "secret" (dict - "defaultMode" 0420 - "secretName" ( $secretName ) - ))}} - {{ $extraVolumeMounts = append $extraVolumeMounts (dict - "name" (printf "kafka-%s-cert" $service.tls.cert) - "mountPath" (printf "/mnt/cert/kafka/%s" $service.tls.cert) - "readOnly" true - )}} - {{ end }} -{{ end }} - -{{ $schemaRegistryTLS := list }} -{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} - {{ $service := .Values.listeners.schemaRegistry }} - {{ $cert := get .Values.tls.certs $service.tls.cert }} - {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} - {{- if $cert.secretRef }} - {{- $secretName = $cert.secretRef.name }} - {{- end }} - {{ if $cert.caEnabled }} - {{ $schemaRegistryTLS = append $schemaRegistryTLS (dict - "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" - "value" (printf "/mnt/cert/schemaregistry/%s/ca.crt" $service.tls.cert) - )}} - {{ $extraVolumes = append $extraVolumes (dict - "name" (printf "schemaregistry-%s-cert" $service.tls.cert) - "secret" (dict - "defaultMode" 0420 - "secretName" ( $secretName ) - ))}} - {{ $extraVolumeMounts = append $extraVolumeMounts (dict - "name" (printf "schemaregistry-%s-cert" $service.tls.cert) - "mountPath" (printf "/mnt/cert/schemaregistry/%s" $service.tls.cert) - "readOnly" true - )}} - {{ end }} -{{ end }} - -{{ $adminAPI := list }} -{{ if (include "admin-internal-tls-enabled" . | fromJson).bool }} - {{ $service := .Values.listeners.admin }} - {{ $cert := get .Values.tls.certs $service.tls.cert }} - {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) 
$service.tls.cert) }}
- {{- if $cert.secretRef }}
- {{- $secretName = $cert.secretRef.name }}
- {{- end }}
- {{ if $cert.caEnabled }}
- {{ $extraVolumes = append $extraVolumes (dict
- "name" (printf "adminapi-%s-cert" $service.tls.cert)
- "secret" (dict
- "defaultMode" 0420
- "secretName" ( $secretName )
- ))}}
- {{ $extraVolumeMounts = append $extraVolumeMounts (dict
- "name" (printf "adminapi-%s-cert" $service.tls.cert)
- "mountPath" (printf "/mnt/cert/adminapi/%s" $service.tls.cert)
- "readOnly" true
- )}}
- {{ end }}
-{{ end }}
-
-{{ $enterprise := dict }}
-{{ if ( include "enterprise-secret" .) }}
- {{ $enterprise = dict
- "licenseSecretRef" ( dict
- "name" ( include "enterprise-secret-name" . )
- "key" ( include "enterprise-secret-key" . )
- )
- }}
-{{ end }}
-
-{{ $extraEnv := concat $kafkaTLS $schemaRegistryTLS $adminAPI .Values.console.extraEnv }}
-{{ $extraVolumes = concat $extraVolumes .Values.console.extraVolumes }}
-{{ $extraVolumeMounts = concat $extraVolumeMounts .Values.console.extraVolumeMounts }}
-{{ $consoleValues := dict
- "Values" (dict
- "extraVolumes" $extraVolumes
- "extraVolumeMounts" $extraVolumeMounts
- "extraEnv" $extraEnv
- "secret" $secretConfig
- "enterprise" $enterprise
- "image" $.Values.console.image
- "autoscaling" .Values.console.autoscaling
- "replicaCount" .Values.console.replicaCount
- "strategy" .Values.console.strategy
- "podAnnotations" .Values.console.podAnnotations
- "podLabels" .Values.console.podLabels
- "imagePullSecrets" .Values.console.imagePullSecrets
- "podSecurityContext" .Values.console.podSecurityContext
- "secretMounts" .Values.console.secretMounts
- "initContainers" .Values.console.initContainers
- "extraArgs" .Values.console.extraArgs
- "securityContext" .Values.console.securityContext
- "livenessProbe" .Values.console.livenessProbe
- "readinessProbe" .Values.console.readinessProbe
- "resources" .Values.console.resources
- "extraContainers" .Values.console.extraContainers
- "nodeSelector"
.Values.console.nodeSelector
- "affinity" .Values.console.affinity
- "topologySpreadConstraints" .Values.console.topologySpreadConstraints
- "priorityClassName" .Values.console.priorityClassName
- "tolerations" .Values.console.tolerations
-)}}
-
-{{ if not (empty $command) }}
- {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "command" $command))) }}
-{{ end }}
-{{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "create" (not .Values.console.deployment.create)))) }}
-
-{{ if and .Values.console.enabled (not .Values.console.configmap.create) }}
-{{ $consoleValues := merge $consoleValues (dict "Values" (dict "podAnnotations" (dict "checksum-redpanda-chart/config" ( $configmap | toYaml | sha256sum )))) }}
-{{ end }}
-
-{{ $deploymentValues := merge $consoleValues .Subcharts.console }}
-{{ $wrappedDeploymentValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Template" (dict "BasePath" "" "Name" "") "Values" (dict "AsMap" $deploymentValues.Values)) }}
-
----
-{{- include "_shims.render-manifest" (list "console.Deployment" $wrappedDeploymentValues) -}}
-{{ end }}
diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go
index 2c90f8f549..45d56bde71 100644
--- a/charts/redpanda/values.go
+++ b/charts/redpanda/values.go
@@ -7,7 +7,6 @@ import (
 cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 "github.com/invopop/jsonschema"
 monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
- "github.com/redpanda-data/console/backend/pkg/config"
 "github.com/redpanda-data/helm-charts/charts/console"
 "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette"
 orderedmap "github.com/wk8/go-ordered-map/v2"
@@ -1118,8 +1117,16 @@ type AdminListeners struct {
 TLS InternalTLS `json:"tls" jsonschema:"required"`
 }
-func (l *AdminListeners) ConsoleTLS(tls *TLS) config.RedpandaAdminAPITLS {
- t := config.RedpandaAdminAPITLS{Enabled: l.TLS.IsEnabled(tls)}
+type RedpandaAdminAPITLS struct {
+ Enabled bool `json:"enabled"`
+ CaFilepath string `json:"caFilepath"`
+ CertFilepath string `json:"certFilepath"`
+ KeyFilepath string `json:"keyFilepath"`
+ InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"`
+}
+
+func (l *AdminListeners) ConsoleTLS(tls *TLS) RedpandaAdminAPITLS {
+ t := RedpandaAdminAPITLS{Enabled: l.TLS.IsEnabled(tls)}
 if !t.Enabled {
 return t
 }
@@ -1450,8 +1457,16 @@ func (l *KafkaListeners) TrustStores(tls *TLS) []*TrustStore {
 return tss
 }
-func (k *KafkaListeners) ConsolemTLS(tls *TLS) config.KafkaTLS {
- t := config.KafkaTLS{Enabled: k.TLS.IsEnabled(tls)}
+type KafkaTLS struct {
+ Enabled bool `json:"enabled"`
+ CaFilepath string `json:"caFilepath"`
+ CertFilepath string `json:"certFilepath"`
+ KeyFilepath string `json:"keyFilepath"`
+ InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"`
+}
+
+func (k *KafkaListeners) ConsoleTLS(tls *TLS) KafkaTLS {
+ t := KafkaTLS{Enabled: k.TLS.IsEnabled(tls)}
 if !t.Enabled {
 return t
 }
@@ -1596,8 +1611,16 @@ func (l *SchemaRegistryListeners) TrustStores(tls *TLS) []*TrustStore {
 return tss
 }
-func (sr *SchemaRegistryListeners) ConsoleTLS(tls *TLS) config.SchemaTLS {
- t := config.SchemaTLS{Enabled: sr.TLS.IsEnabled(tls)}
+type SchemaTLS struct {
+ Enabled bool `json:"enabled"`
+ CaFilepath string `json:"caFilepath"`
+ CertFilepath string `json:"certFilepath"`
+ KeyFilepath string `json:"keyFilepath"`
+ InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"`
+}
+
+func (sr *SchemaRegistryListeners) ConsoleTLS(tls *TLS) SchemaTLS {
+ t := SchemaTLS{Enabled: sr.TLS.IsEnabled(tls)}
 if !t.Enabled {
 return t
 }
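Review bot: The new exported structs `RedpandaAdminAPITLS`, `KafkaTLS` and `SchemaTLS` (this hunk and the ones at -1450 and -1596) are field-for-field identical and have no doc comments, even though each carries `InsecureSkipTLSVerify`, which by its name switches off server certificate verification for the console's connection. I would put a comment on each type, e.g. `// KafkaTLS mirrors the console's Kafka TLS config block; the JSON keys must match what console reads.`, and on the field `// InsecureSkipTLSVerify disables certificate verification; keep false outside throwaway clusters.` Because these local copies replace the imported `config.*` types, nothing visible in the diff keeps the key names in step with the console schema, so a test that pins the rendered keys would catch a silent drift where a CA path is ignored. The three `ConsoleTLS` bodies continue outside the hunks, so whether the field is ever set cannot be seen here.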