Merge pull request #547 from 2gis/feat/GEFEST-1331-multihost-postgres
GEFEST-1331: Multi-host configuration for Postgres in the Keys chart
mprudnikov3 authored Jan 24, 2025
2 parents fa37e10 + 187829b commit 4749324
Showing 6 changed files with 69 additions and 15 deletions.
8 changes: 7 additions & 1 deletion Breaking-Changes.md
@@ -1,9 +1,15 @@
# 2GIS On-Premise Breaking-Changes

## [1.34.0]

### keys
- A temporary flag, `--migrate-data`, has been added for this release. This flag triggers the data migration required for the Routing API data in the service.
- Ensure that `keys` service is upgraded prior to upgrading any of the `navi` services.

## [1.33.0]

### pro-api
- permissions.settings.enabled was removed, permissions api is now always mandatory
- permissions.settings.enabled was removed, permissions api is now always mandatory
- postgres.connectionString, postgres.connectionStringReadonly, postgres.password were changed to postgres.api.rw / postgres.api.ro settings
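Review bot: the `[1.34.0]` entry documents only the `--migrate-data` flag, but this commit carries two other user-visible changes that belong here: `postgres.ro.port` and `postgres.rw.port` change from the integer `5432` to the string `'5432'` and now accept a comma-separated list (values.yaml), and a new `api.oidc.*` block is introduced. An operator who overrides `port` with an integer in their own values file needs to know whether that still renders. The flag entry should also state whether `keysctl import --migrate-data` is safe to run more than once, since the import job now passes it unconditionally on every run, and whether a fresh 1.34.0 install needs it at all.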


2 changes: 1 addition & 1 deletion charts/keys/Chart.yaml
@@ -4,7 +4,7 @@ type: application
description: A Helm chart for Kubernetes to deploy API Keys service

version: 1.33.1
appVersion: 1.105.0
appVersion: 1.108.2

maintainers:
- name: 2gis
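Review bot: `version: 1.33.1` is left untouched while `appVersion`, the templates and `values.yaml` all change in this commit. Helm convention is to bump the chart `version` whenever chart content changes, and Breaking-Changes.md files these changes under `[1.34.0]`, so `version` should be raised (to `1.34.0`, if the chart version tracks the release) so that the published chart and the changelog agree.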
19 changes: 14 additions & 5 deletions charts/keys/README.md
@@ -31,7 +31,7 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| `imagePullSecrets` | Kubernetes image pull secrets. | `[]` |
| `imagePullPolicy` | Pull policy. | `IfNotPresent` |
| `backend.image.repository` | Backend service image repository. | `2gis-on-premise/keys-backend` |
| `backend.image.tag` | Backend service image tag. | `1.105.0` |
| `backend.image.tag` | Backend service image tag. | `1.108.2` |
| `admin.image.repository` | Admin service image repository. | `2gis-on-premise/keys-ui` |
| `admin.image.tag` | Admin service image tag. | `0.10.3` |
| `redis.image.repository` | Redis image repository. | `2gis-on-premise/keys-redis` |
@@ -88,6 +88,15 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| `api.adminSessionTTL` | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h` |
| `api.logLevel` | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`. | `warning` |
| `api.signPrivateKey` | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API. | `""` |
| `api.oidc.enable` | If OIDC authentication is enabled. | `false` |
| `api.oidc.enableSignlePartnerMode` | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). | `false` |
| `api.oidc.url` | URL of the OIDC provider. | `""` |
| `api.oidc.retryCount` | Maximum number of retries for requests to OIDC provider. | `3` |
| `api.oidc.timeout` | Timeout for requests to OIDC provider. | `3s` |
| `api.oidc.defaultPartner` | **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API** | |
| `api.oidc.defaultPartner.id` | Default partner's Id. | `""` |
| `api.oidc.defaultPartner.name` | Default partner's Name. | `""` |
| `api.oidc.defaultPartner.role` | Role of the user in the default partner. Can be: 'user', 'admin'. | `""` |
| `api.replicas` | A replica count for the pod. | `1` |
| `api.revisionHistoryLimit` | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment). | `3` |
| `api.strategy.type` | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`. | `RollingUpdate` |
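Review bot: the new key `api.oidc.enableSignlePartnerMode` carries a typo (`Signle` for `Single`) that becomes part of the chart's public values interface once released and will cost a breaking change to correct later; rename it before merging. Smaller points in the same rows: "binded" should be "bound", and the allowed values for `api.oidc.defaultPartner.role` are written as `'user', 'admin'` while the rest of the table uses backticks (compare the `api.logLevel` row).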
@@ -208,8 +217,8 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| Name | Description | Value |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------- |
| `postgres.ro` | **Settings for the read-only access** | |
| `postgres.ro.host` | PostgreSQL hostname or IP. **Required** | `""` |
| `postgres.ro.port` | PostgreSQL port. | `5432` |
| `postgres.ro.host` | PostgreSQL one or multiple hostnames or IPs separated by comma (e.g. 'host1,host2,10.0.0.1'). **Required** | `""` |
| `postgres.ro.port` | PostgreSQL one or multiple ports (one for each host). Values must be separated by comma (e.g. '1234,4567,5432'). | `5432` |
| `postgres.ro.timeout` | PostgreSQL client connection timeout. | `3s` |
| `postgres.ro.name` | PostgreSQL database name. **Required** | `""` |
| `postgres.ro.schema` | PostgreSQL database schema. If not specified, schema from SEARCH_PATH will be used. | `""` |
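Review bot: the new descriptions for `postgres.ro.host` and `postgres.ro.port` leave two things undefined that an operator will run into: what happens when the number of ports does not match the number of hosts (the default stays a single `5432`, which suggests one port applies to every host, but the text says "one for each host"), and whether the hosts are tried in order as a failover list or are load-balanced across. Both should be stated in the description. The examples also use single quotes (`'host1,host2,10.0.0.1'`) where the rest of the table uses backticks.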
@@ -220,8 +229,8 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| `postgres.ro.tls.clientCert` | client certificate. **Required for mode `verify-full`**. | `""` |
| `postgres.ro.tls.clientKey` | client private key. **Required for mode `verify-full`**. | `""` |
| `postgres.rw` | **Settings for the read-write access** | |
| `postgres.rw.host` | PostgreSQL hostname or IP. **Required** | `""` |
| `postgres.rw.port` | PostgreSQL port. | `5432` |
| `postgres.rw.host` | PostgreSQL one or multiple hostnames or IPs separated by comma (e.g. 'host1,host2,host3'). **Required** | `""` |
| `postgres.rw.port` | PostgreSQL one or multiple ports (one for each host). Values must be separated by comma (e.g. '1234,4567,5432'). | `5432` |
| `postgres.rw.timeout` | PostgreSQL client connection timeout. | `3s` |
| `postgres.rw.name` | PostgreSQL database name. **Required** | `""` |
| `postgres.rw.schema` | PostgreSQL database schema. If not specified, schema from SEARCH_PATH will be used. | `""` |
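Review bot: the same comments as for the `postgres.ro` rows apply to `postgres.rw.host` and `postgres.rw.port`. For the read-write endpoint it matters even more that the description says how the client chooses among the listed hosts, because a connection that lands on a read-only replica will fail on the first write rather than at connect time.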
18 changes: 18 additions & 0 deletions charts/keys/templates/helpers.tpl
@@ -125,6 +125,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
value: "{{ .Values.featureFlags.enableAudit }}"
- name: KEYS_FEATURE_FLAGS_PUBLIC_API_SIGN
value: "{{ .Values.featureFlags.enablePublicAPISign }}"
- name: KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES
value: "{{ .Values.api.oidc.enableSignlePartnerMode }}"
- name: KEYS_FEATURE_FLAGS_OIDC
value: "{{ .Values.api.oidc.enable }}"
{{- end }}

{{- define "keys.env.api" -}}
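Review bot: `KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES` is driven by `.Values.api.oidc.enableSignlePartnerMode`, and nothing in the template or the README says that "single partner mode" and "external companies" are the same feature; a one-line comment above the entry would spare the next reader a trip into the backend. These two entries also read from `api.oidc` rather than `featureFlags` even though they live in the feature-flag block, which is fine on its own, but the `keys.env.api` block below gates on `featureFlags.enableOIDC` instead, so the two blocks should agree on a single enable key.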
@@ -137,6 +141,20 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
name: {{ include "keys.secret.deploys.name" . }}
key: signPrivateKey
{{- end }}
{{- if .Values.featureFlags.enableOIDC }}
- name: KEYS_OIDC_ENDPOINT
value: "{{ required "A valid .Values.api.oidc.url required" .Values.api.oidc.url }}"
- name: KEYS_OIDC_CLIENT_TIMEOUT
value: "{{ .Values.api.oidc.timeout }}"
- name: KEYS_OIDC_CLIENT_RETRY_COUNT
value: "{{ .Values.api.oidc.retryCount }}"
- name: KEYS_OIDC_DEFAULT_PARTNER_ID
value: "{{ required "A valid .Values.api.oidc.defaultPartner.id required" .Values.api.oidc.defaultPartner.id }}"
- name: KEYS_OIDC_DEFAULT_PARTNER_NAME
value: "{{ required "A valid .Values.api.oidc.defaultPartner.name required" .Values.api.oidc.defaultPartner.name }}"
- name: KEYS_OIDC_DEFAULT_ROLE
value: "{{ required "A valid .Values.api.oidc.defaultPartner.role required" .Values.api.oidc.defaultPartner.role }}"
{{- end }}
{{- end }}

{{- define "keys.env.import" -}}
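Review bot: the guard `{{- if .Values.featureFlags.enableOIDC }}` does not match the key this commit actually adds. values.yaml and the README introduce `api.oidc.enable`, and the feature-flag block exports that same key as `KEYS_FEATURE_FLAGS_OIDC`; with the documented values, `api.oidc.enable: true` switches the flag on in the backend but renders none of `KEYS_OIDC_ENDPOINT`, `KEYS_OIDC_CLIENT_TIMEOUT`, `KEYS_OIDC_CLIENT_RETRY_COUNT` or the partner settings. Change the guard to `{{- if .Values.api.oidc.enable }}`. Second, the three `required` checks on `defaultPartner.id`, `.name` and `.role` fire whenever OIDC is on, although the README presents `api.oidc.defaultPartner` as settings for single partner mode only; wrap them in `{{- if .Values.api.oidc.enableSignlePartnerMode }}` so an OIDC deployment without that mode is not forced to invent a partner. Finally, `role` is only checked for being non-empty; since the documented values are `user` and `admin`, a `fail` on anything else would catch a misconfiguration at render time instead of in the running service.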
2 changes: 1 addition & 1 deletion charts/keys/templates/import/job.yaml
@@ -25,7 +25,7 @@ spec:
- name: migrate
image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: [ "keysctl", "import" ]
command: [ "keysctl", "import", "--migrate-data" ]
resources:
{{- toYaml .Values.import.resources | nindent 12 }}
env:
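Review bot: `--migrate-data` is hard-coded into the import job's command even though Breaking-Changes.md describes it as a temporary flag for this release, so every later `helm upgrade` that re-runs this job will pass it again. Prefer gating it behind a value (for example a hypothetical `import.migrateData` boolean, defaulting to `true` for 1.34.0) so operators can switch it off and it can be dropped later without editing the template, and record in the chart docs whether `keysctl import --migrate-data` is safe to run repeatedly against an already-migrated database.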
35 changes: 28 additions & 7 deletions charts/keys/values.yaml
@@ -31,7 +31,7 @@ featureFlags:
backend:
image:
repository: 2gis-on-premise/keys-backend
tag: 1.105.0
tag: 1.108.2

# @section Admin service settings

@@ -156,6 +156,27 @@ api:
# ...
# -----END CERTIFICATE-----

# @param api.oidc.enable If OIDC authentication is enabled.
# @param api.oidc.enableSignlePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used).
# @param api.oidc.url URL of the OIDC provider.
# @param api.oidc.retryCount Maximum number of retries for requests to OIDC provider.
# @param api.oidc.timeout Timeout for requests to OIDC provider.
# @extra api.oidc.defaultPartner **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API**
# @param api.oidc.defaultPartner.id Default partner's Id.
# @param api.oidc.defaultPartner.name Default partner's Name.
# @param api.oidc.defaultPartner.role Role of the user in the default partner. Can be: 'user', 'admin'.

oidc:
enable: false
enableSignlePartnerMode: false
url: ''
retryCount: 3
timeout: 3s
defaultPartner:
id: ''
name: ''
role: ''

# @param api.replicas A replica count for the pod.

replicas: 1
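Review bot: the `@param` annotations in this block carry the same `Signle` typo in the key name and "binded" for "bound" as the README rows; if the README table is generated from these annotations, this block is the place to fix both. Renaming `enableSignlePartnerMode` here also means updating the two `.Values.api.oidc.enableSignlePartnerMode` references in helpers.tpl in the same commit.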
@@ -497,8 +518,8 @@ postgres:

# @extra postgres.ro **Settings for the read-only access**

# @param postgres.ro.host PostgreSQL hostname or IP. **Required**
# @param postgres.ro.port PostgreSQL port.
# @param postgres.ro.host PostgreSQL one or multiple hostnames or IPs separated by comma (e.g. 'host1,host2,10.0.0.1'). **Required**
# @param postgres.ro.port PostgreSQL one or multiple ports (one for each host). Values must be separated by comma (e.g. '1234,4567,5432').
# @param postgres.ro.timeout PostgreSQL client connection timeout.
# @param postgres.ro.name PostgreSQL database name. **Required**
# @param postgres.ro.schema PostgreSQL database schema. If not specified, schema from SEARCH_PATH will be used.
@@ -511,7 +532,7 @@ postgres:

ro:
host: ''
port: 5432
port: '5432'
timeout: 3s
name: ''
schema: ''
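Review bot: `port: '5432'` changes the value's type from integer to string. An existing override file that still says `port: 5432` (the previous default) will now hand an integer to whatever template turns this into a comma-separated list; if that template uses string functions such as `splitList`, an integer fails to render. Either coerce with `toString` in the template before splitting or document the new type in Breaking-Changes.md, ideally both.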
@@ -525,8 +546,8 @@ postgres:

# @extra postgres.rw **Settings for the read-write access**

# @param postgres.rw.host PostgreSQL hostname or IP. **Required**
# @param postgres.rw.port PostgreSQL port.
# @param postgres.rw.host PostgreSQL one or multiple hostnames or IPs separated by comma (e.g. 'host1,host2,host3'). **Required**
# @param postgres.rw.port PostgreSQL one or multiple ports (one for each host). Values must be separated by comma (e.g. '1234,4567,5432').
# @param postgres.rw.timeout PostgreSQL client connection timeout.
# @param postgres.rw.name PostgreSQL database name. **Required**
# @param postgres.rw.schema PostgreSQL database schema. If not specified, schema from SEARCH_PATH will be used.
@@ -539,7 +560,7 @@ postgres:

rw:
host: ''
port: 5432
port: '5432'
timeout: 3s
name: ''
schema: ''
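Review bot: same integer-to-string type change as `postgres.ro.port` above; integer overrides of `postgres.rw.port` need the same `toString` coercion in the template or a Breaking-Changes.md entry.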