diff --git a/charts/sn-console/templates/console/streamnative-console-statefulset.yaml b/charts/sn-console/templates/console/streamnative-console-statefulset.yaml index 1880f914b..1a0523f6e 100644 --- a/charts/sn-console/templates/console/streamnative-console-statefulset.yaml +++ b/charts/sn-console/templates/console/streamnative-console-statefulset.yaml 
@@ -76,6 +76,41 @@ spec: periodSeconds: {{ .Values.probe.startup.periodSeconds }} failureThreshold: {{ .Values.probe.startup.failureThreshold }} {{- end }} + workingDir: "/pulsar-manager/console" + command: ["/bin/sh", "-c"] + args: + - | + if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID" ]; then + export GOOGLE_CLIENT_ID=$(cat /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID) + fi + if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_SECRET" ]; then + export GOOGLE_CLIENT_SECRET=$(cat /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_SECRET) + fi + if [ -f "/pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_ID" ]; then + export AZURE_CLIENT_ID=$(cat /pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_ID) + fi + if [ -f "/pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_SECRET" ]; then + export AZURE_CLIENT_SECRET=$(cat /pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_SECRET) + fi + if [ -f "/pulsar-manager/secrets/azure-oauth2/AZURE_TENANT_ID" ]; then + export AZURE_TENANT_ID=$(cat /pulsar-manager/secrets/azure-oauth2/AZURE_TENANT_ID) + fi + if [ -f "/pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_ID" ]; then + export OKTA_CLIENT_ID=$(cat /pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_ID) + fi + if [ -f "/pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_SECRET" ]; then + export OKTA_CLIENT_SECRET=$(cat /pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_SECRET) + fi + if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then + export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN) + fi + if [ -f "/pulsar-manager/secrets/db-password/DB_PASSWORD" ]; then + export DB_PASSWORD=$(cat /pulsar-manager/secrets/db-password/DB_PASSWORD) + fi + if [ -f "/pulsar-manager/secrets/db-password/NEW_PASSWORD" ]; then + export NEW_PASSWORD=$(cat /pulsar-manager/secrets/db-password/NEW_PASSWORD) + fi + /pulsar-manager/entrypoint.sh env: - name: SPRING_CONFIGURATION_FILE value: /pulsar-manager/pulsar-manager/application.properties 
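Review bot: The startup script in `args` runs `/pulsar-manager/entrypoint.sh` as a child of `/bin/sh -c` instead of replacing it, so the shell stays PID 1 and, unless the image provides an init or entrypoint.sh handles it, a SIGTERM from the kubelet is not forwarded to the application, which then waits for SIGKILL at the end of the grace period; the last line should be `exec /pulsar-manager/entrypoint.sh`. The ten `export NAME=$(cat FILE)` lines also leave the substitution unquoted; in shells where `export` is an ordinary builtin (dash, which `/bin/sh` often is) a value containing whitespace is field-split, so `export NAME="$(cat FILE)"` is the safe form. The same three-line pattern repeated ten times is easier to audit as one helper, shown below. Note that the values still end up in the process environment, which is what the application reads, so the file mount changes how secrets reach the pod rather than their exposure inside it.
```yaml
args:
  - |
    # Export $1 from secret file $2 when it exists; quoting keeps whitespace intact.
    load_secret() {
      if [ -f "$2" ]; then
        export "$1"="$(cat "$2")"
      fi
    }
    load_secret GOOGLE_CLIENT_ID /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID
    load_secret GOOGLE_CLIENT_SECRET /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_SECRET
    # … same call for the remaining eight secret files (azure, okta, pulsar-jwt, db-password) …
    exec /pulsar-manager/entrypoint.sh
```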
@@ -85,6 +120,8 @@ spec: value: {{ .Values.configData.DEFAULT_NAME }} - name: INSTANCE_NAME value: {{ .Values.configData.INSTANCE_NAME }} + - name: CLUSTER_NAME + value: {{ .Values.configData.CLUSTER_NAME | quote }} - name: WEB_SERVICE_URL value: {{ .Values.broker.webServiceUrl }} - name: KOP_SERVICE_URL @@ -151,6 +188,13 @@ spec: {{- end }} - name: CONNECTOR_ENABLED value: "{{ .Values.configData.CONNECTOR_ENABLED | default "true" }}" + {{- if hasSuffix "-all" (toString .Values.image.tag) }} + - name: DB_BASE + value: sqlite + {{- end }} + {{- with .Values.extraEnv }} +{{ toYaml . | indent 10 }} + {{- end }} {{- if .Values.login.pulsarJwt.enabled }} - name: AUTHENTICATION_NAME value: "pulsar-jwt" 
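Review bot: In the `@@ -151` hunk, emitting `DB_BASE=sqlite` only when `hasSuffix "-all" (toString .Values.image.tag)` ties the storage backend to the spelling of the image tag; a digest-pinned, mirrored or custom tag without the suffix silently drops the variable and the console falls back to whatever default the image applies, which this hunk does not show. An explicit value with the suffix check kept as a fallback is more predictable: `{{- if or .Values.configData.DB_BASE (hasSuffix "-all" (toString .Values.image.tag)) }}` with `value: {{ .Values.configData.DB_BASE | default "sqlite" | quote }}`, where `configData.DB_BASE` would be a new documented key in values.yaml. The `env:` list this hunk extends starts before the hunk.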
@@ -208,21 +252,105 @@ spec: - secretRef: name: {{ .Values.login.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }} {{- end }} - - ports: - - name: frontend - containerPort: {{ .Values.ports.frontend }} - - name: backend - containerPort: {{ .Values.ports.backend }} volumeMounts: - name: streamnative-console-data mountPath: /data + - name: tmp-storage + mountPath: /tmp + - name: run-postgresql-tmpfs + mountPath: /run/postgresql + - name: pulsar-manager-conf + mountPath: /pulsar-manager/pulsar-manager + - name: psql + mountPath: /pulsar-manager/psql {{- if .Values.login.pulsarJwt.enabled }} - mountPath: /pulsar-manager/keys name: token-keys readOnly: true {{- end }} + {{- if .Values.login.sso.google.enabled }} + - name: google-oauth2-secret + mountPath: /pulsar-manager/secrets/google-oauth2 + readOnly: true + {{- end }} + {{- if .Values.login.sso.azure.enabled }} + - name: azure-oauth2-secret + mountPath: /pulsar-manager/secrets/azure-oauth2 + readOnly: true + {{- end }} + {{- if .Values.login.sso.okta.enabled }} + - name: okta-oauth2-secret + mountPath: /pulsar-manager/secrets/okta-oauth2 + readOnly: true + {{- end }} + {{- if .Values.login.pulsarJwt.enabled }} + - name: pulsar-jwt-secret + mountPath: /pulsar-manager/secrets/pulsar-jwt + readOnly: true + {{- end }} + {{- if .Values.dbPasswordSecret }} + - name: db-password-secret + mountPath: /pulsar-manager/secrets/db-password + readOnly: true + {{- end }} + - name: "{{ template "sn_console.fullname" . 
}}-{{ .Values.component }}-gateway" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.resources }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + {{- if .Values.probe.readiness.enabled }} + readinessProbe: + httpGet: + path: /cloud-manager/login/enabled + port: {{ .Values.ports.frontend }} + initialDelaySeconds: {{ .Values.probe.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.probe.readiness.periodSeconds }} + failureThreshold: {{ .Values.probe.readiness.failureThreshold }} + {{- end }} + {{- if .Values.probe.liveness.enabled }} + livenessProbe: + httpGet: + path: /cloud-manager/login/enabled + port: {{ .Values.ports.frontend }} + initialDelaySeconds: {{ .Values.probe.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.probe.liveness.periodSeconds }} + failureThreshold: {{ .Values.probe.liveness.failureThreshold }} + {{- end }} + {{- if .Values.probe.startup.enabled }} + startupProbe: + httpGet: + path: /cloud-manager/login/enabled + port: {{ .Values.ports.frontend }} + initialDelaySeconds: {{ .Values.probe.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.probe.startup.periodSeconds }} + failureThreshold: {{ .Values.probe.startup.failureThreshold }} + {{- end }} + workingDir: "/pulsar-manager/gateway" + command: ["/pulsar-manager/gateway/gateway-entrypoint.sh"] + env: + - name: OPENAPI_ENABLED + value: "{{ .Values.configData.OPENAPI_ENABLED | default "false" }}" + ports: + - name: frontend + containerPort: {{ .Values.ports.frontend }} + - name: backend + containerPort: {{ .Values.ports.backend }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-logs + mountPath: /var/log/nginx + - name: nginx-tmp + mountPath: /var/lib/nginx/tmp + - name: nginx-run + mountPath: /run + - name: nginx-lib-log + mountPath: /var/lib/nginx/logs + - name: tmp-storage + mountPath: /tmp volumes: {{- if not 
.Values.volumes.persistence }} @@ -254,6 +382,56 @@ spec: secretName: {{ .Values.login.pulsarJwt.config.JWT_BROKER_SECRET_KEY }} {{- end }} {{- end }} + {{- if .Values.login.sso.google.enabled }} + - name: google-oauth2-secret + secret: + secretName: {{ .Values.login.sso.google.clientSecretRef }} + defaultMode: 0440 + {{- end }} + {{- if .Values.login.sso.azure.enabled }} + - name: azure-oauth2-secret + secret: + secretName: {{ .Values.login.sso.azure.clientSecretRef }} + defaultMode: 0440 + {{- end }} + {{- if .Values.login.sso.okta.enabled }} + - name: okta-oauth2-secret + secret: + secretName: {{ .Values.login.sso.okta.clientSecretRef }} + defaultMode: 0440 + {{- end }} + {{- if .Values.login.pulsarJwt.enabled }} + - name: pulsar-jwt-secret + secret: + secretName: {{ .Values.login.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }} + defaultMode: 0440 + {{- end }} + {{- if .Values.dbPasswordSecret }} + - name: db-password-secret + secret: + secretName: {{ .Values.dbPasswordSecret }} + defaultMode: 0440 + {{- end }} + - name: tmp-storage + emptyDir: {} + - name: run-postgresql-tmpfs + emptyDir: + medium: Memory + - name: nginx-conf + emptyDir: {} + - name: nginx-logs + emptyDir: {} + - name: nginx-tmp + emptyDir: {} + - name: nginx-run + emptyDir: + medium: Memory + - name: pulsar-manager-conf + emptyDir: {} + - name: nginx-lib-log + emptyDir: {} + - name: psql + emptyDir: {} {{- if or .Values.volumes.data.storageClass .Values.volumes.data.storageClassName }} volumeClaimTemplates: diff --git a/charts/sn-console/values.yaml b/charts/sn-console/values.yaml index ecdd089f0..f0241f354 100644 --- a/charts/sn-console/values.yaml +++ b/charts/sn-console/values.yaml 
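Review bot: The new `pulsar-jwt-secret` volume mounts `SERVICE_ACCOUNT_SUPER_TOKEN_SECRET` as files under `/pulsar-manager/secrets/pulsar-jwt`, while the `secretRef` kept as context at the top of the `@@ -208` hunk, under the same `login.pulsarJwt.enabled` guard, appears to still inject every key of that secret into the environment; if so the token reaches the container twice and the `TOKEN` export in the startup script is redundant while that secretRef remains. If the file mount is meant to replace environment injection, the secretRef should be dropped in the same change; if both are needed, a comment saying why would help the next reader. Separately, `tmp-storage` is mounted at `/tmp` in both the console container and the new gateway container, giving nginx and the console application a shared writable directory; a dedicated emptyDir per container (the chart already defines `nginx-tmp`) keeps them isolated unless sharing is intended. The console container spec begins before this hunk.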
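Review bot: `run-postgresql-tmpfs` and `nginx-run` in the `@@ -254` hunk are `medium: Memory` emptyDirs with no `sizeLimit`; memory-backed emptyDir content is charged to the pod's memory, so an unbounded write there competes with the application's own memory limit. A cap per volume, for example `sizeLimit: 64Mi` (value to be tuned for this workload), turns that into a volume-level limit the kubelet can enforce. The five secret volumes are mounted `readOnly` with `defaultMode: 0440`, which is group-readable only; that works for a non-root process only if the pod's `fsGroup` matches, so the pod `securityContext`, which is outside this hunk, should be confirmed alongside this change.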
@@ -2,11 +2,11 @@ # Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved. # -initialize: true +initialize: false image: - repository: streamnative/sn-platform-console - tag: "v1.14.2" + repository: streamnative/private-cloud-console + tag: "v2.3.27-all" pullPolicy: IfNotPresent hasCommand: false @@ -47,7 +47,7 @@ resources: cpu: 0.1 volumes: # use a persistent volume or emptyDir - persistence: true + persistence: false data: name: data size: 10Gi @@ -94,6 +94,8 @@ configData: DEFAULT_ORGANIZATION: "streamnative" # *required*: the instance name to display for the Pulsar clusters in SN console INSTANCE_NAME: "pulsar" + # Optional: customize the cluster name shown in Console + CLUSTER_NAME: "" GLOBAL_RESOURCE_READ_ONLY: false REDIRECT_SCHEME: "" REDIRECT_HOST: "" @@ -108,13 +110,29 @@ configData: GRAFANA_AUTH_PROXY: false GRAFANA_AUTH_PROXY_USER: "" DEFAULT_ENVIRONMENT_NAME: "pulsar" - DEFAULT_ENVIRONMENT_SERVICE_URL: "" + DEFAULT_ENVIRONMENT_SERVICE_URL: "http://private-cloud-proxy:8080" BACKEND_DEFAULT_SUPER_USER_ROLE: "pulsar-manager-admin" CONNECTOR_ENABLED: true + CLUSTER_NAME: "private-cloud" + +# Extra environment variables for streamnative-console container +extraEnv: [] +# Secret name containing DB_PASSWORD and NEW_PASSWORD keys (mounted as files; read by startup script) +# The secret should have two keys: DB_PASSWORD and NEW_PASSWORD +# Example command to create the secret: +# kubectl create secret generic my-db-password-secret \ +# --from-literal=DB_PASSWORD=your-db-password \ +# --from-literal=NEW_PASSWORD=your-new-password +# Example command to update the secret: +# kubectl create secret generic my-db-password-secret \ +# --from-literal=DB_PASSWORD=your-new-db-password \ +# --from-literal=NEW_PASSWORD=your-new-password \ +# --dry-run=client -o yaml | kubectl apply -f - +dbPasswordSecret: "" login: vault: - enabled: true + enabled: false pulsarJwt: enabled: false config: 
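Review bot: In the `@@ -47` hunk, defaulting `volumes.persistence` to `false` makes the console's `/data` volume an emptyDir, and the default image tag set in the first hunk ends in `-all`, which the statefulset template maps to `DB_BASE=sqlite`; if the sqlite database lives under `/data` (not visible here), a default install now loses all console state on every pod restart. A comment on the key would make the trade-off explicit, for example `# false: data is lost on pod restart; set to true for anything beyond evaluation`.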
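Review bot: `CLUSTER_NAME` is now defined twice inside the same `configData` mapping: the `@@ -94` hunk adds `CLUSTER_NAME: ""` after `INSTANCE_NAME`, and the `@@ -108` hunk adds `CLUSTER_NAME: "private-cloud"` after `CONNECTOR_ENABLED`. Duplicate keys are invalid YAML; depending on the parser Helm will either reject the values file or silently keep the last value, so the `""` entry with its `# Optional` comment is dead either way. Keep a single definition, presumably the `"private-cloud"` one with the `# Optional: customize the cluster name shown in Console` comment moved next to it, and drop the other.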
@@ -154,7 +172,7 @@ login: # broker related settings. configure how streamnative console should access Pulsar brokers. broker: - webServiceUrl: http://localhost:8080 + webServiceUrl: http://private-cloud-proxy:8080 # kopServiceUrl: localhost:9093 auth: authentication: