redpanda: add console as subchart to redpanda (#275)

* redpanda: add console as subchart to redpanda * use my fork until we can get changes upstream use my fork for chart-testing until a change can be merged upstream to not use the `--reuse-values` flag helm/chart-testing#525 * allow postStart first-sasl-user hack to run even with only one replica * fix: type * Delete admin.conf --------- Co-authored-by: alejandroesc <[email protected]>
redpanda-data · Feb 13, 2023 · 1b7f820 · 1b7f820
1 parent 50558b0
commit 1b7f820
Show file tree

Hide file tree

Showing 12 changed files with 229 additions and 18 deletions.
diff --git a/.github/ct.yaml b/.github/ct.yaml
@@ -16,4 +16,6 @@ debug: true
 remote: origin
 target-branch: main
 helm-extra-args: --timeout 600s
+chart-repos:
+  - redpanda=https://charts.redpanda.com
 
diff --git a/.github/workflows/pull_requests.yaml b/.github/workflows/pull_requests.yaml
@@ -31,10 +31,12 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v3
         with:
-          version: v3.10.2
+          version: v3.11.1
 
       - name: Set up chart-testing
-        uses: helm/[email protected]
+        uses: joejulian/[email protected]
+        with:
+          version: v3.7.1-1
 
       - name: Run chart-testing (lint)
         run: ct lint --config .github/ct.yaml
@@ -52,7 +54,9 @@ jobs:
           version: v3.11.1
 
       - name: Set up chart-testing
-        uses: helm/[email protected]
+        uses: joejulian/[email protected]
+        with:
+          version: v3.7.1-1
 
       # we're excluding console from the install test until we have a way to test it with Redpanda
       - name: Run chart-testing (list-changed)

diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,5 @@
 */**/*.tfstate*
 ansible/playbooks/grafana_dashboards/redpanda-grafana.json
 .idea/
+
+charts/*/charts/*.tgz
diff --git a/charts/redpanda/Chart.lock b/charts/redpanda/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: console
+  repository: https://charts.redpanda.com
+  version: 0.5.0
+digest: sha256:7fd70de57651b2f1857f3eb519c427dbbcad8fc6ea656925651bb0c10839b035
+generated: "2023-02-09T08:51:15.13722333-08:00"
diff --git a/charts/redpanda/Chart.yaml b/charts/redpanda/Chart.yaml
@@ -23,14 +23,21 @@ type: application
 # The chart version and the app version are not the same and will not track
 # together. The chart version is a semver representation of changes to this
 # chart.
-version: 2.8.7
+version: 2.9.0
 
 # The app version is the default version of Redpanda to install.
 appVersion: v22.3.12
 # kubeVersion must be suffixed with "-0" to be able to match cloud providers
 # kubernetes versions like "v1.23.8-gke.1900". Their suffix is interpreted as a
 # pre-release. Our "-0" allows pre-releases to be matched.
 kubeVersion: "^1.21.0-0"
+
+dependencies:
+  - name: console
+    condition: console.enabled
+    version: ">=0.5 <1.0"
+    repository: https://charts.redpanda.com
+
 icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
 sources:
   - https://github.com/redpanda-data/helm-charts

diff --git a/charts/redpanda/templates/_helpers.tpl b/charts/redpanda/templates/_helpers.tpl
@@ -525,3 +525,16 @@ return a warning if the chart is configured with insufficient memory
     {{- printf "%d is below the minimum recommended value for Redpanda" $result -}}
   {{- end -}}
 {{- end -}}
+
+
+{{- define "seed-server-list" -}}
+  {{- $brokers := list -}}
+  {{- range $ordinal := until (.Values.statefulset.replicas | int) -}}
+    {{- $brokers = append $brokers (printf "%s-%d.%s"
+        (include "redpanda.fullname" $)
+        $ordinal
+        (include "redpanda.internal.domain" $))
+    -}}
+  {{- end -}}
+  {{- toJson $brokers -}}
+{{- end -}}
diff --git a/charts/redpanda/templates/configmap.yaml b/charts/redpanda/templates/configmap.yaml
@@ -191,9 +191,9 @@ data:
   {{- end }}
 {{- end }}
       seed_servers:
-{{- range untilStep 0 (.Values.statefulset.replicas|int) 1 }}
+{{- range (include "seed-server-list" . | mustFromJson) }}
         - host:
-            address: "{{ template "redpanda.fullname" $ }}-{{ . }}.{{ template "redpanda.internal.domain" $ }}"
+            address: {{ . }}
             port: {{ $values.listeners.rpc.port }}
 {{- end }}
 {{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }}

diff --git a/charts/redpanda/templates/console/configmap.yaml b/charts/redpanda/templates/console/configmap.yaml
@@ -0,0 +1,60 @@
+{{ $values := .Values }}
+
+{{/* if the console chart has the creation of the configmap disabled, create it here instead */}}
+{{ if not .Values.console.configmap.create }}
+{{ $consoleConfigmap := dict "create" true }}
+
+{{/* kafka section */}}
+
+{{/* brokers */}}
+{{ $kafkaBrokers := list }}
+{{ range (include "seed-server-list" . | mustFromJson) }}
+  {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }}
+{{ end }}
+
+{{/* sasl */}}
+{{/* the rest of sasl is configured through the secret */}}
+{{ $kafkaSASL := dict "enabled" (include "sasl-enabled" . | fromJson).bool }}
+
+{{/* tls */}}
+{{/* the rest of tls is configured through the secret */}}
+{{ $kafkaTLS := dict "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool }}
+
+{{/* schemaRegistry */}}
+{{- $urls := list -}}
+{{ $proto := "http" }}
+{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }}
+  {{ $proto = "https" }}
+{{ end }}
+{{ $port := int $values.listeners.schemaRegistry.port }}
+{{ range (include "seed-server-list" . | mustFromJson) }}
+  {{ $urls = append $urls (printf "%s://%s:%d" $proto . $port) }}
+{{ end }}
+{{/* tls */}}
+{{/* the rest of tls is configured through the secret */}}
+{{ $schemaRegistryTLS := dict "enabled" (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }}
+
+{{ $kafkaSchemaRegistry := dict
+      "enabled" .Values.listeners.schemaRegistry.enabled
+      "urls" $urls
+      "tls" $schemaRegistryTLS
+}}
+{{ $consoleConfigKafka := dict
+      "brokers" $kafkaBrokers
+      "sasl" $kafkaSASL
+      "tls" $kafkaTLS
+      "schemaRegistry" $kafkaSchemaRegistry
+}}
+{{ $consoleConfig := dict "kafka" $consoleConfigKafka }}
+{{ $config := dict
+    "Values" (dict
+      "console" (dict "config" $consoleConfig)
+      "configmap" $consoleConfigmap
+    )
+}}
+
+{{ $console := deepCopy .Subcharts.console }}
+{{ $console := merge $config $console }}
+
+{{ include (print .Subcharts.console.Template.BasePath "/configmap.yaml") $console }}
+{{ end }}
diff --git a/charts/redpanda/templates/console/deployment.yaml b/charts/redpanda/templates/console/deployment.yaml
@@ -0,0 +1,108 @@
+{{ if (not .Values.console.deployment.create) }}
+
+{{ $extraVolumes := list }}
+{{ $extraVolumeMounts := list }}
+{{ $command := list }}
+{{ if (include "sasl-enabled" . | fromJson).bool }}
+  {{ $command = concat $command (list "sh" "-xc") }}
+  {{ $command = append $command (printf "set -e; IFS=: read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < /mnt/users/users.txt; KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s}; export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM; /app/console $@" ( include "sasl-mechanism" . )) }}
+  {{ $command = append $command "--" }}
+  {{ $extraVolumes = append $extraVolumes (dict
+    "name" (printf "%s-users" (include "redpanda.fullname" .))
+    "secret" (dict
+      "secretName" .Values.auth.sasl.secretRef
+    )
+  )}}
+  {{ $extraVolumeMounts = append $extraVolumeMounts (dict
+    "name" (printf "%s-users" (include "redpanda.fullname" .))
+    "mountPath" "/mnt/users"
+    "readOnly" true
+  ) }}
+{{ end }}
+
+{{ $kafkaTLS := list }}
+{{ if (include "kafka-internal-tls-enabled" . | fromJson).bool }}
+  {{ $service := .Values.listeners.kafka }}
+  {{ $cert := get .Values.tls.certs $service.tls.cert }}
+  {{ if $cert.caEnabled }}
+    {{ $kafkaTLS = append $kafkaTLS (dict
+      "name" "KAFKA_TLS_CAFILEPATH"
+      "value" (printf "/mnt/cert/kafka/%s/ca.crt" $service.tls.cert)
+    )}}
+    {{ $extraVolumes = append $extraVolumes (dict
+        "name" (printf "kafka-%s-cert" $service.tls.cert)
+        "secret" (dict
+          "defaultMode" 0420
+          "items" (list (dict "key" "ca.crt" "path" "ca.crt") )
+          "secretName" (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert)
+    ))}}
+    {{ $extraVolumeMounts = append $extraVolumeMounts (dict
+        "name" (printf "kafka-%s-cert" $service.tls.cert)
+        "mountPath" (printf "/mnt/cert/kafka/%s" $service.tls.cert)
+        "readOnly" true
+    )}}
+  {{ end }}
+{{ end }}
+
+{{ $schemaRegistryTLS := list }}
+{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }}
+  {{ $service := .Values.listeners.schemaRegistry }}
+  {{ $cert := get .Values.tls.certs $service.tls.cert }}
+  {{ if $cert.caEnabled }}
+    {{ $schemaRegistryTLS = append $schemaRegistryTLS (dict
+      "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH"
+      "value" (printf "/mnt/cert/schemaregistry/%s/ca.crt" $service.tls.cert)
+    )}}
+    {{ $extraVolumes = append $extraVolumes (dict
+        "name" (printf "schemaregistry-%s-cert" $service.tls.cert)
+        "secret" (dict
+          "defaultMode" 0420
+          "items" (list (dict "key" "ca.crt" "path" "ca.crt") )
+          "secretName" (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert)
+    ))}}
+    {{ $extraVolumeMounts = append $extraVolumeMounts (dict
+        "name" (printf "schemaregistry-%s-cert" $service.tls.cert)
+        "mountPath" (printf "/mnt/cert/schemaregistry/%s" $service.tls.cert)
+        "readOnly" true
+    )}}
+  {{ end }}
+{{ end }}
+
+{{ $adminTLS := list }}
+{{ if (include "admin-internal-tls-enabled" . | fromJson).bool }}
+  {{ $service := .Values.listeners.admin }}
+  {{ $cert := get .Values.tls.certs $service.tls.cert }}
+  {{ if $cert.caEnabled }}
+    {{ $adminTLS = append $adminTLS (dict
+      "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH"
+      "value" (printf "/mnt/cert/adminapi/%s/ca.crt" $service.tls.cert)
+    )}}
+    {{ $extraVolumes = append $extraVolumes (dict
+        "name" (printf "adminapi-%s-cert" $service.tls.cert)
+        "secret" (dict
+          "defaultMode" 0420
+          "items" (list (dict "key" "ca.crt" "path" "ca.crt") )
+          "secretName" (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert)
+    ))}}
+    {{ $extraVolumeMounts = append $extraVolumeMounts (dict
+        "name" (printf "adminapi-%s-cert" $service.tls.cert)
+        "mountPath" (printf "/mnt/cert/adminapi/%s" $service.tls.cert)
+        "readOnly" true
+    )}}
+  {{ end }}
+{{ end }}
+
+{{ $extraEnv := concat $kafkaTLS $adminTLS $schemaRegistryTLS }}
+{{ $consoleValues := dict "Values" (dict
+  "extraVolumes" $extraVolumes
+  "extraVolumeMounts" $extraVolumeMounts
+  "extraEnv" $extraEnv
+)}}
+{{ if not (empty $command) }}
+  {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "command" $command))) }}
+{{ end }}
+{{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "create" (not .Values.console.deployment.create)))) }}
+{{ $helmVars := deepCopy .Subcharts.console }}
+{{ $helmVars := merge $consoleValues $helmVars }}
+{{ include (print .Subcharts.console.Template.BasePath "/deployment.yaml") $helmVars }}
+{{ end }}
diff --git a/charts/redpanda/templates/secrets.yaml b/charts/redpanda/templates/secrets.yaml
@@ -14,7 +14,6 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 */}}
-{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
 ---
 apiVersion: v1
 kind: Secret
@@ -54,21 +53,23 @@ stringData:
         sleep 0.5
     done
 
+{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
     echo "Clearing maintenance mode on node ${NODE_ID}"
     CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} {{ include "admin-tls-curl-flags" . }} ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"
     # a 400 here would mean not in maintenance mode
     until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do
         status=$(${CURL_MAINTENANCE_DELETE_CMD})
         sleep 0.5
     done
-    
+{{- end }}
+
     {{- if and .Values.auth.sasl.enabled (not (empty .Values.auth.sasl.secretRef )) }}
     # Setup and export SASL bootstrap-user
-    IFS=":" read -r USERNAME PASSWORD MECHANISM < /etc/secrets/users/users.txt
-    MECHANISM=${MECHANISM:-{{- include "sasl-mechanism" . }}}  
+    IFS=":" read -r USER_NAME PASSWORD MECHANISM < /etc/secrets/users/users.txt
+    MECHANISM=${MECHANISM:-{{- include "sasl-mechanism" . }}}
     rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} {{ template "rpk-flags-no-sasl" $ }} || true
     {{- end }}
-    
+
 
   preStop.sh: |-
     #!/usr/bin/env bash
@@ -80,6 +81,7 @@ stringData:
 
     set -ex
 
+{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
     until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do
         sleep 0.5
     done
@@ -120,4 +122,4 @@ stringData:
     {{- end }}
   {{- end }}
     # intentional empty line
-{{- end }}
+{{- end }}
diff --git a/charts/redpanda/templates/statefulset.yaml b/charts/redpanda/templates/statefulset.yaml
@@ -174,15 +174,13 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.hostIP
-{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
           lifecycle:
             postStart:
               exec:
                 command: ["/bin/bash", "-c", "./var/lifecycle/postStart.sh"]
             preStop:
               exec:
                 command: ["/bin/bash", "-c", "./var/lifecycle/preStop.sh"]
-{{- end }}
           startupProbe:
             exec:
               command:
@@ -287,10 +285,8 @@ spec:
 {{- end }}
           securityContext: {{ include "container-security-context" . | nindent 12 }}
           volumeMounts:
-{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
             - name: lifecycle-scripts
               mountPath: /var/lifecycle
-{{- end }}
             - name: datadir
               mountPath: /var/lib/redpanda/data
 {{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }}
@@ -320,12 +316,10 @@ spec:
               cpu: {{ .Values.resources.cpu.cores }}
               memory: {{ .Values.resources.memory.container.max }}
       volumes:
-{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
         - name: lifecycle-scripts
           secret:
             secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle
             defaultMode: 0774
-{{- end }}
         - name: datadir
 {{- if .Values.storage.persistentVolume.enabled }}
           persistentVolumeClaim:

diff --git a/charts/redpanda/values.yaml b/charts/redpanda/values.yaml
@@ -65,6 +65,19 @@ rackAwareness:
   # this if you have your own custom Node annotation to use instead.
   nodeAnnotation: topology.kubernetes.io/zone
 
+#
+# Console
+console:
+  enabled: true
+  configmap:
+    create: false
+  secret:
+    create: false
+  deployment:
+    create: false
+  config: {}
+
+#
 # Authentication
 auth:
   # SASL configuration