Ontotext-AD · mihailradkov · Nov 11, 2024 · Oct 21, 2024 · Oct 23, 2024 · Oct 21, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,21 @@
 # GraphDB Helm chart release notes
 
+## Version 11.3.0
+
+### New
+
+- Added new configuration properties for the license
+  - Added `license.mountPath` to configure where the license volume is mounted
+  - Added `license.optional` to configure the license volume as optional if needed
+  - Added `license.readOnly` to configure the read/write mode of the license volume mount
+
+### Updated
+
+- Removed any pre-install, pre-upgrade, pre-rollback Helm hooks annotations to allow seamless ArgoCD deployments.
+- Changed the license directory to `/opt/graphdb/home/conf/license/` with `license.mountPath` in order to avoid using a `subPath` volume
+  mount. This allows kubelet to update the license when the Secret has been updated.
+- Changed the license volume mount as read-only by default with `license.readOnly`
+
 ## Version 11.2.2
 
 ### New

diff --git a/README.md b/README.md
@@ -439,6 +439,9 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | labels | object | `{}` |  |
 | license.existingSecret | string | `""` |  |
 | license.licenseFilename | string | `"graphdb.license"` |  |
+| license.mountPath | string | `"/opt/graphdb/home/conf/license/"` |  |
+| license.optional | bool | `false` |  |
+| license.readOnly | bool | `true` |  |
 | livenessProbe.httpGet.path | string | `"/protocol"` |  |
 | livenessProbe.httpGet.port | string | `"http"` |  |
 | livenessProbe.initialDelaySeconds | int | `60` |  |

diff --git a/templates/graphdb/configmap-properties.yaml b/templates/graphdb/configmap-properties.yaml
@@ -15,6 +15,7 @@ data:
     # See https://graphdb.ontotext.com/documentation/ for supported properties
     graphdb.connector.port={{ .Values.containerPorts.http }}
     graphdb.append.request.id.headers=true
+    graphdb.license.file={{ .Values.license.mountPath | trimSuffix "/" }}/{{ .Values.license.licenseFilename }}
     graphdb.workbench.importDirectory=/opt/graphdb/home/graphdb-import
     graphdb.ontop.jdbc.path=/opt/graphdb/home/jdbc-driver
     graphdb.extra.plugins=/opt/graphdb/home/extra-plugins

diff --git a/templates/graphdb/statefulset.yaml b/templates/graphdb/statefulset.yaml
@@ -115,6 +115,7 @@ spec:
         - name: graphdb-license
           secret:
             secretName: {{ tpl .Values.license.existingSecret . }}
+            optional: {{ .Values.license.optional }}
         {{- end }}
         {{- if or .Values.security.enabled .Values.configuration.initialSettings.existingConfigmap }}
         - name: graphdb-initial-settings-config
@@ -346,8 +347,8 @@ spec:
               mountPath: /tmp
             {{- if .Values.license.existingSecret }}
             - name: graphdb-license
-              mountPath: /opt/graphdb/home/conf/graphdb.license
-              subPath: {{ .Values.license.licenseFilename }}
+              mountPath: {{ .Values.license.mountPath }}
+              readOnly: {{ .Values.license.readOnly }}
             {{- end }}
             {{- if .Values.configuration.logback.existingConfigmap }}
             - name: graphdb-logback-config

diff --git a/templates/jobs/configmap-utils.yaml b/templates/jobs/configmap-utils.yaml
@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "graphdb.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback, post-install, post-upgrade, post-rollback
+    "helm.sh/hook": post-install, post-upgrade, post-rollback
     {{- if .Values.backup.enabled }}
     "helm.sh/hook-delete-policy": before-hook-creation
     {{- else }}

diff --git a/templates/jobs/job-scale-down-cluster.yaml b/templates/jobs/job-scale-down-cluster.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "graphdb.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-upgrade, pre-rollback
+    "helm.sh/hook": post-upgrade, post-rollback
     "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
     {{- with .Values.annotations }}
       {{- tpl (toYaml .) $ | nindent 4 }}

diff --git a/templates/jobs/secret-provision-user.yaml b/templates/jobs/secret-provision-user.yaml
@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "graphdb.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install, pre-upgrade, pre-rollback, post-install, post-upgrade, post-rollback
+    "helm.sh/hook": post-install, post-upgrade, post-rollback
     {{- if .Values.backup.enabled }}
     "helm.sh/hook-delete-policy": before-hook-creation
     {{- else }}

diff --git a/values.yaml b/values.yaml
@@ -129,6 +129,17 @@ license:
   # File name of the GraphDB license file in the existing license secret.
   # The default is graphdb.license, but it can be changed to map to a different secret key.
   licenseFilename: graphdb.license
+  # Directory where the license file will be mounted.
+  # Can be used to place the license outside the persistence directory if needed.
+  # Note: We use the license/ sub-folder instead of subPath volume mount so kubelet can replace the mounted license at runtime when the
+  # Secret is updated with a new GraphDB license. This avoids having to restart the GraphDB pods.
+  mountPath: /opt/graphdb/home/conf/license/
+  # Defines the secret volume as optional or not.
+  # Note: Useful if the GraphDB license has not yet been provisioned but will be, for example by an external system or an operator such as
+  # External Secret Operator.
+  optional: false
+  # Marks the secret mount as read-only to prevent any modifications to the license file.
+  readOnly: true
 
 # GraphDB runtime configuration settings.
 # For reference, see https://graphdb.ontotext.com/documentation/10.7/directories-and-config-properties.html