feat: add vault, namespace, serviceAccount, external db, virtualService, and SSL certificate

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      # Disabled due to conflicts with Helm templates
+      # -   id: check-yaml
+      - id: check-added-large-files

Chart.yaml

@@ -21,7 +21,7 @@ version: 0.4.0
 appVersion: 1.16.0
 
 # WIP
-#dependencies: 
+#dependencies:
 #  - name: nginx-ingress
 #    version: ~1.6.0
 #    repository: https://helm.nginx.com/stable

charts/postgresql/.helmignore

@@ -1,2 +1,2 @@
 .git
-OWNERS
+OWNERS

charts/postgresql/files/docker-entrypoint-initdb.d/README.md

@@ -1,3 +1,3 @@
 You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image.
 
-More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository.
+More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository.

charts/postgresql/templates/serviceaccount.yaml

@@ -8,4 +8,4 @@ metadata:
     release: {{ .Release.Name | quote }}
     heritage: {{ .Release.Service | quote }}
   name: {{ template "postgresql.fullname" . }}
-{{- end }}
+{{- end }}

pg_hba.conf

@@ -75,4 +75,4 @@
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host all all 0.0.0.0/0 password
-host all all localhost password
+host all all localhost password

templates/certificate.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.ssl.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}
+  annotations:
+    {{- range $key, $value :=  .Values.ssl.annotations }}
+    {{ $key }}: {{ $value }}
+    {{- end }}
+spec:
+  secretName: {{ .Release.Name }}-tls
+  secretTemplate:
+    annotations:
+      {{- range $key, $value :=  .Values.ssl.secretTemplate.annotations }}
+      {{ $key }}: {{ $value }}
+      {{- end }}
+  duration: {{ .Values.ssl.duration }}
+  renewBefore: {{ .Values.ssl.renewBefore }}
+  privateKey:
+    algorithm: {{ .Values.ssl.privateKey.algorithm }}
+    encoding: {{ .Values.ssl.privateKey.encoding }}
+    size: {{ .Values.ssl.privateKey.size }}
+  subject:
+    organizations:
+      - {{ .Values.ssl.organizationName }}
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    {{ toYaml .Values.virtualService.hosts }}
+  issuerRef:
+    name: {{ .Values.ssl.issuerRef.name }}
+    kind: {{ .Values.ssl.issuerRef.kind }}
+    group: {{ .Values.ssl.issuerRef.group }}
+{{- end }}

templates/namespace.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.namespace.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    {{- range $key, $value :=  .Values.namespace.labels }}
+    {{ $key }}: {{ $value }}
+    {{- end }}
+  name: {{ .Values.namespace.name }}
+{{- end }}

templates/secret-rudder-token-vault.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.vault.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "rudderstack.rudderWorkspaceTokenSecretName" . }}
+  labels:
+    {{- include "rudderstack.labels" . | nindent 4 }}
+  annotations:
+    {{- range $key, $value :=  .Values.vault.annotations }}
+    {{ $key }}: {{ $value }}
+    {{- end }}
+type: Opaque
+data:
+   rudderWorkspaceToken: {{ .Values.vault.rudderWorkspaceToken | b64enc | quote }}
+{{- end }}

templates/secret-rudder-token.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.rudderWorkspaceTokenExistingSecret }}
+{{- if and (not .Values.rudderWorkspaceTokenExistingSecret) (not .Values.vault.enabled) }}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,4 +10,3 @@ type: Opaque
 data:
    rudderWorkspaceToken: {{ required "value for either .Values.rudderWorkspaceTokenExistingSecret or .Values.rudderWorkspaceToken is expected" .Values.rudderWorkspaceToken | b64enc | quote }}
 {{- end }}
-

templates/service-account.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.serviceAccount.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.namespace.enabled | ternary .Values.namespace.name "default" }}
+{{- end }}

templates/statefulset.yaml

@@ -4,6 +4,12 @@ metadata:
   name: {{ include "rudderstack.fullname" . }}
   labels:
     {{- include "rudderstack.labels" . | nindent 4 }}
+  {{- if .Values.vault.enabled }}
+  annotations:
+    {{- range $key, $value :=  .Values.vault.annotations }}
+    {{ $key }}: {{ $value }}
+    {{- end }}
+  {{- end}}
 spec:
   serviceName: {{ include "rudderstack.fullname" . }}
   replicas: {{ .Values.global.backendReplicaCount }}
@@ -20,11 +26,17 @@ spec:
         {{- end }}
         checksum/rudder-config: {{ .Files.Get "rudder-config.yaml" | sha256sum }}
         checksum/rudder-bigquery-credentials: {{ .Files.Get "bigquery-credentials.json" | sha256sum }}
+        {{- if .Values.vault.enabled }}
+        {{- range $key, $value :=  .Values.vault.annotations }}
+        {{ $key }}: {{ $value }}
+        {{- end }}
+        {{- end}}
     spec:
     {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount.enabled | ternary .Values.serviceAccount.name "default" }}
       volumes:
         - configMap:
             defaultMode: 420
@@ -87,13 +99,13 @@ spec:
           - name: DEST_TRANSFORM_URL
             value: "http://{{ include "transformer.fullname" . }}:{{ .Values.transformer.service.port}}"
           - name: COMPUTE_DB_HOST_IN_K8S
-            value: "true"
+            value: "{{ .Values.postgresql.external.enabled | ternary "false" "true" }}"
           - name: POSTGRES_POD_NAME
             value: "{{ .Release.Name }}-{{ .Values.postgresql.nameOverride }}"
           - name: POSTGRES_HEADLESS_SVC
             value: "{{ .Release.Name }}-{{ .Values.postgresql.nameOverride }}-headless"
           - name: JOBS_DB_HOST
-            value: "This is expected to be set by docker entrypoint script"
+            value: "{{ .Values.postgresql.external.enabled | ternary .Values.postgresql.external.postgresqlHost "This is expected to be set by docker entrypoint script" }}"
           - name: JOBS_DB_USER
             value: "{{ .Values.postgresql.postgresqlUsername }}"
           - name: JOBS_DB_PORT
@@ -102,6 +114,10 @@ spec:
             value: "{{ .Values.postgresql.postgresqlDatabase }}"
           - name: JOBS_DB_PASSWORD
             value: "{{ .Values.postgresql.postgresqlPassword }}"
+          {{- if .Values.postgresql.external.enabled }}
+          - name: JOBS_DB_SSL_MODE
+            value: "{{ .Values.postgresql.external.postgresqlSslMode }}"
+          {{- end }}
           - name: INSTANCE_ID
             valueFrom:
               fieldRef:

templates/virtual-service.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.virtualService.enabled }}
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  labels:
+    app: rudderstack
+  name: rudderstack-public
+  {{- if .Values.namespace.enabled }}
+  namespace: {{ .Values.namespace.name }}
+  {{- end }}
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - hosts:
+      {{ toYaml .Values.virtualService.hosts }}
+    port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      credentialName: {{ .Release.Name }}-tls
+      mode: SIMPLE
+      minProtocolVersion: TLSV1_2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: rudderstack-route
+  {{- if .Values.namespace.enabled }}
+  namespace: {{ .Values.namespace.name }}
+  {{- end }}
+spec:
+  hosts:
+    {{ toYaml .Values.virtualService.hosts }}
+  gateways:
+    - rudderstack-public
+  http:
+  - name: rudderstack
+    route:
+    - destination:
+        host: rudderstack.{{ .Values.namespace.enabled | ternary .Values.namespace.name "default" }}.svc.cluster.local
+        port:
+          number: 80
+{{- end }}

values.yaml

@@ -1,8 +1,8 @@
+---
 # Default values for rudderstack.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-
 # Deployment specific values for rudderstack.
 # Following values must be filled in for the deployment to succeed
 
@@ -45,7 +45,7 @@ backend:
     annotations:
       ## Refer https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer for more annotations
       service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-      ## For enabling https on aws, 
+      ## For enabling https on aws,
       ## uncomment below line with acm managed certificate arn and change port value below to 443
       # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
     type: LoadBalancer
@@ -110,6 +110,11 @@ transformer:
       memory: 768Mi
 
 postgresql:
+  # Enable connecting to external PostgreSQL DB instead of in-cluster db
+  external:
+    enabled: false
+    postgresqlHost: example.server
+    postgresqlSslMode: disable
   nameOverride: "rudderstack-postgresql"
   postgresqlUsername: rudder
   postgresqlPassword: password
@@ -165,3 +170,58 @@ telegraf_sidecar:
       - 99
 
 affinity: {}
+
+# Enable namespace creation
+namespace:
+  enabled: false
+  name: rudderstack
+  labels: {
+    key1: value,
+    key2: value
+  }
+
+# Enable serviceAccount creation
+serviceAccount:
+  enabled: false
+  name: rudderstack
+
+# Enable virtualService for public gateway
+virtualService:
+  enabled: false
+  hosts: [
+    "rudderstack.example.com"
+  ]
+
+# Enable SSL certificate for public gateways
+ssl:
+  enabled: false
+  annotations: {
+    key1: value,
+    key2: value
+  }
+  secretTemplate: {
+    annotations: {
+      key1: value,
+      key2: value
+    }
+  }
+  organizationName: "Organization name"
+  duration:  2160h0m0s # 90d
+  renewBefore: 360h0m0s # 15d
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
+
+# Enable Hashicorp Vault secret manager https://www.vaultproject.io
+vault:
+  enabled: false
+  rudderWorkspaceToken: "vault:secret/data/namespace/app/key"
+  annotations: {
+    key1: value,
+    key2: value
+  }