config: enhance database/RabbitMQ connection configuration

Co-authored-by: Andreas Lindhé <[email protected]>

Author: egabancho

charts/invenio/templates/_helpers.tpl

@@ -83,7 +83,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- end }}
 {{- end -}}
 
-#######################     RabbitMQ password secret     #######################
+#######################     RabbitMQ connection configuration     #######################
 {{/*
   This template renders the name of the secret that stores the password for RabbitMQ.
 */}}
@@ -95,19 +95,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- end }}
 {{- end -}}
 
-##########################     RabbitMQ username     ##########################
 {{/*
   This template renders the username for accessing RabbitMQ.
 */}}
 {{- define "invenio.rabbitmq.username" -}}
   {{- if .Values.rabbitmq.enabled }}
     {{- required "Missing .Values.rabbitmq.auth.username" .Values.rabbitmq.auth.username -}}
   {{- else }}
-    {{- required "Missing .Values.rabbitmqExternal.username" .Values.rabbitmqExternal.username -}}
+    {{- required "Missing .Values.rabbitmqExternal.username" (tpl .Values.rabbitmqExternal.username .) -}}
   {{- end }}
 {{- end -}}
 
-##########################     RabbitMQ password     ##########################
 {{/*
   This template renders the password for accessing RabbitMQ.
 */}}
@@ -119,43 +117,61 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- end }}
 {{- end -}}
 
-##########################     RabbitMQ AMQP port     ##########################
+{{/*
+  Get the database password secret name
+*/}}
+{{- define "invenio.rabbitmq.secretName" -}}
+  {{- if .Values.rabbitmq.enabled -}}
+    {{- required "Missing .Values.rabbitmq.auth.existingPasswordSecret" (tpl .Values.rabbitmq.auth.existingPasswordSecret .) -}}
+  {{- else -}}
+    {{- required "Missing .Values.rabbitmqExternal.existingSecret" (tpl .Values.rabbitmqExternal.existingSecret .) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+  Get the database password secret key
+*/}}
+{{- define "invenio.rabbitmq.secretKey" -}}
+  {{- if .Values.rabbitmq.enabled -}}
+    {{- required "Missing .Values.rabbitmq.auth.existingSecretPasswordKey" .Values.rabbitmq.auth.existingSecretPasswordKey -}}
+  {{- else -}}
+    {{- required "Missing .Values.rabbitmqExternal.existingSecretPasswordKey" .Values.rabbitmqExternal.existingSecretPasswordKey -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
   This template renders the AMQP port number for RabbitMQ.
 */}}
-{{- define "invenio.rabbitmq.amqpPort" -}}
+{{- define "invenio.rabbitmq.amqpPortString" -}}
   {{- if .Values.rabbitmq.enabled }}
-    {{- required "Missing .Values.rabbitmq.service.ports.amqp" .Values.rabbitmq.service.ports.amqp -}}
+    {{- required "Missing .Values.rabbitmq.service.ports.amqp" .Values.rabbitmq.service.ports.amqp | quote -}}
   {{- else }}
-    {{- required "Missing .Values.rabbitmqExternal.amqpPort" .Values.rabbitmqExternal.amqpPort -}}
+    {{- required "Missing .Values.rabbitmqExternal.amqpPort" (tpl (toString .Values.rabbitmqExternal.amqpPort) .) | quote -}}
   {{- end }}
 {{- end -}}
 
-#######################     RabbitMQ management port     #######################
 {{/*
   This template renders the management port number for RabbitMQ.
 */}}
-{{- define "invenio.rabbitmq.managementPort" -}}
+{{- define "invenio.rabbitmq.managementPortString" -}}
   {{- if .Values.rabbitmq.enabled }}
-    {{- required "Missing .Values.rabbitmq.service.ports.manager" .Values.rabbitmq.service.ports.manager -}}
+    {{- required "Missing .Values.rabbitmq.service.ports.manager" .Values.rabbitmq.service.ports.manager | quote -}}
   {{- else }}
-    {{- required "Missing .Values.rabbitmqExternal.managementPort" .Values.rabbitmqExternal.managementPort -}}
+    {{- required "Missing .Values.rabbitmqExternal.managementPort" (tpl (toString .Values.rabbitmqExternal.managementPort) .) | quote -}}
   {{- end }}
 {{- end -}}
 
-##########################     RabbitMQ hostname     ##########################
 {{/*
   This template renders the hostname for RabbitMQ.
 */}}
 {{- define "invenio.rabbitmq.hostname" -}}
   {{- if .Values.rabbitmq.enabled }}
     {{- include "common.names.fullname" .Subcharts.rabbitmq -}}
   {{- else }}
-    {{- required "Missing .Values.rabbitmqExternal.hostname" .Values.rabbitmqExternal.hostname }}
+    {{- required "Missing .Values.rabbitmqExternal.hostname" (tpl .Values.rabbitmqExternal.hostname .) }}
   {{- end }}
 {{- end -}}
 
-##########################     RabbitMQ protocol     ##########################
 {{/*
   This template renders the protocol for RabbitMQ.
 */}}
@@ -167,42 +183,47 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- end }}
 {{- end -}}
 
-##########################     RabbitMQ vhost     ##########################
 {{/*
   This template renders the vhost for RabbitMQ.
 */}}
 {{- define "invenio.rabbitmq.vhost" -}}
   {{- if .Values.rabbitmq.enabled }}
     {{- "" }}
   {{- else }}
-    {{- required "Missing .Values.rabbitmqExternal.vhost" .Values.rabbitmqExternal.vhost }}
+    {{- required "Missing .Values.rabbitmqExternal.vhost" (tpl .Values.rabbitmqExternal.vhost .) }}
   {{- end }}
 {{- end -}}
 
-##########################     Celery broker URI     ##########################
-{{/*
-  This template renders the URI for connecting to RabbitMQ.
-*/}}
-{{- define "invenio.rabbitmq.uri" -}}
-  {{- $username := (include "invenio.rabbitmq.username" .) -}}
-  {{- $password := (include "invenio.rabbitmq.password" .) -}}
-  {{- $port := (include "invenio.rabbitmq.amqpPort" .) -}}
-  {{- $hostname := (include "invenio.rabbitmq.hostname" .) -}}
-  {{- $protocol := (include "invenio.rabbitmq.protocol" .) -}}
-  {{- $vhost := (include "invenio.rabbitmq.vhost" .) -}}
-  {{- printf "%s://%s:%s@%s:%v/%s" $protocol $username $password $hostname $port $vhost}}
-{{- end -}}
-
-###########################     RabbitMQ API URI     ###########################
 {{/*
-  This template renders the URI for RabbitMQ's API endpoint.
-*/}}
-{{- define "invenio.rabbitmq.apiUri" -}}
-  {{- $username := (include "invenio.rabbitmq.username" .) -}}
-  {{- $password := (include "invenio.rabbitmq.password" .) -}}
-  {{- $port := (include "invenio.rabbitmq.managementPort" .) -}}
-  {{- $hostname := (include "invenio.rabbitmq.hostname" .) -}}
-  {{- printf "http://%s:%s@%s:%v/api/" $username $password $hostname $port }}
+  RabbitMQ connection env section.
+*/}}
+{{- define "invenio.config.queue" -}}
+{{- $uri := "$(INVENIO_AMQP_BROKER_PROTOCOL)://$(INVENIO_AMQP_BROKER_USER):$(INVENIO_AMQP_BROKER_PASSWORD)@$(INVENIO_AMQP_BROKER_HOST):$(INVENIO_AMQP_BROKER_PORT)/$(INVENIO_AMQP_BROKER_VHOST)" -}}
+- name: INVENIO_AMQP_BROKER_USER
+  value: {{ include "invenio.rabbitmq.username" . }}
+- name: INVENIO_AMQP_BROKER_HOST
+  value: {{ include "invenio.rabbitmq.hostname" . }}
+- name: INVENIO_AMQP_BROKER_PORT
+  value: {{ include "invenio.rabbitmq.amqpPortString" . }}
+- name: INVENIO_AMQP_BROKER_VHOST
+  value: {{ include "invenio.rabbitmq.vhost" . }}
+- name: INVENIO_AMQP_BROKER_PROTOCOL
+  value: {{ include "invenio.rabbitmq.protocol" . }}
+- name: INVENIO_AMQP_BROKER_PASSWORD
+{{- if or (and .Values.rabbitmq.enabled .Values.rabbitmq.auth.password) .Values.rabbitmqExternal.password }}
+  value: {{ include "invenio.rabbitmq.password" .  | quote }}
+{{- else }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "invenio.rabbitmq.secretName" .}}
+      key: {{ include "invenio.rabbitmq.secretKey" .}}
+{{- end }}
+- name: INVENIO_BROKER_URL
+  value: {{ $uri }}
+- name: INVENIO_CELERY_BROKER_URL
+  value: $(INVENIO_BROKER_URL)
+- name: RABBITMQ_API_URI
+  value: "http://$(INVENIO_AMQP_BROKER_USER):$(INVENIO_AMQP_BROKER_PASSWORD)@$(INVENIO_AMQP_BROKER_HOST):$(INVENIO_AMQP_BROKER_PORT)/api/"
 {{- end -}}
 
 #########################     OpenSearch hostname     #########################
@@ -217,79 +238,110 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- end }}
 {{- end -}}
 
-#########################     PostgreSQL username     #########################
+#########################     PostgreSQL connection configuration     #########################
 {{/*
   This template renders the username used for the PostgreSQL instance.
 */}}
 {{- define "invenio.postgresql.username" -}}
   {{- if .Values.postgresql.enabled -}}
-    {{- required "Missing .Values.postgresql.auth.username" .Values.postgresql.auth.username -}}
-    {{/* NOTE: Specifying username explicitly like this is suboptmal. Would be desirable to refactor Invenio so it can take the postgres username as a spearate environment variable which we can populate dynamically from the secret. */}}
+    {{- required "Missing .Values.postgresql.auth.username" (tpl .Values.postgresql.auth.username .) -}}
   {{- else -}}
-    {{- required "Missing .Values.postgresqlExternal.username" .Values.postgresqlExternal.username -}}
+    {{- required "Missing .Values.postgresqlExternal.username" (tpl  .Values.postgresqlExternal.username .) -}}
   {{- end -}}
 {{- end -}}
 
-#########################     PostgreSQL password     #########################
 {{/*
   This template renders the password used for the PostgreSQL instance.
+  In production environments we encourage you to use secrets instead.
 */}}
 {{- define "invenio.postgresql.password" -}}
   {{- if .Values.postgresql.enabled -}}
     {{- required "Missing .Values.postgresql.auth.password" .Values.postgresql.auth.password -}}
-    {{/* NOTE: Specifying password explicitly like this is suboptmal. Would be desirable to refactor Invenio so it can take the postgres password as a spearate environment variable which we can populate dynamically from the secret. */}}
   {{- else -}}
     {{- required "Missing .Values.postgresqlExternal.password" .Values.postgresqlExternal.password -}}
   {{- end -}}
 {{- end -}}
 
-#########################     PostgreSQL hostname     #########################
+{{/*
+  Get the database password secret name
+*/}}
+{{- define "invenio.postgresql.secretName" -}}
+  {{- if .Values.postgresql.enabled -}}
+    {{- required "Missing .Values.postgresql.auth.existingSecret" (tpl .Values.postgresql.auth.existingSecret .) -}}
+  {{- else -}}
+    {{- required "Missing .Values.postgresqlExternal.existingSecret" (tpl .Values.postgresqlExternal.existingSecret .) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+  Get the database password secret key
+*/}}
+{{- define "invenio.postgresql.secretKey" -}}
+  {{- if .Values.postgresql.enabled -}}
+    {{- required "Missing .Values.postgresql.auth.secretKeys.userPasswordKey" .Values.postgresql.auth.secretKeys.userPasswordKey -}}
+  {{- else -}}
+    {{- required "Missing .Values.postgresqlExternal.existingSecretPasswordKey" .Values.postgresqlExternal.existingSecretPasswordKey -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
   This template renders the hostname used for the PostgreSQL instance.
 */}}
 {{- define "invenio.postgresql.hostname" -}}
   {{- if .Values.postgresql.enabled -}}
     {{- include "postgresql.v1.primary.fullname" .Subcharts.postgresql -}}
   {{- else -}}
-    {{- required "Missing .Values.postgresqlExternal.hostname" .Values.postgresqlExternal.hostname -}}
+    {{- required "Missing .Values.postgresqlExternal.hostname" (tpl .Values.postgresqlExternal.hostname .) -}}
   {{- end -}}
 {{- end -}}
 
-###########################     PostgreSQL port     ###########################
 {{/*
-  This template renders the port number used for the PostgreSQL instance.
+  This template renders the port number used for the PostgreSQL instance (as a string).
 */}}
-{{- define "invenio.postgresql.port" -}}
+{{- define "invenio.postgresql.portString" -}}
   {{- if .Values.postgresql.enabled -}}
-    {{- required "Missing .Values.postgresql.primary.service.ports.postgresql" .Values.postgresql.primary.service.ports.postgresql -}}
+    {{- required "Missing .Values.postgresql.primary.service.ports.postgresql" (tpl (toString .Values.postgresql.primary.service.ports.postgresql) .) | quote -}}
   {{- else -}}
-    {{- required "Missing .Values.postgresqlExternal.port" .Values.postgresqlExternal.port -}}
+    {{- required "Missing .Values.postgresqlExternal.port" (tpl (toString .Values.postgresqlExternal.port) .) | quote -}}
   {{- end -}}
 {{- end -}}
 
-############################     Database name     ############################
 {{/*
   This template renders the name of the database in PostgreSQL.
 */}}
-{{- define "invenio.postgresql.databaseName" -}}
+{{- define "invenio.postgresql.database" -}}
   {{- if .Values.postgresql.enabled -}}
-    {{- required "Missing .Values.postgresql.auth.database" .Values.postgresql.auth.database -}}
+    {{- required "Missing .Values.postgresql.auth.database" (tpl .Values.postgresql.auth.database .) -}}
   {{- else -}}
-    {{- required "Missing .Values.postgresqlExternal.databaseName" .Values.postgresqlExternal.databaseName -}}
+    {{- required "Missing .Values.postgresqlExternal.database" (tpl .Values.postgresqlExternal.database .) -}}
   {{- end -}}
 {{- end -}}
 
-#######################     SQLAlchemy database URI     #######################
 {{/*
-  This template renders the SQLAlchemy database URI.
-*/}}
-{{- define "invenio.sqlAlchemyDbUri" -}}
-  {{- $username := include "invenio.postgresql.username" . -}}
-  {{- $password := include "invenio.postgresql.password" . -}}
-  {{- $hostname := include "invenio.postgresql.hostname" . -}}
-  {{- $port := include "invenio.postgresql.port" . -}}
-  {{- $databaseName := include "invenio.postgresql.databaseName" . -}}
-  {{- printf "postgresql+psycopg2://%s:%s@%s:%v/%s" $username $password $hostname $port $databaseName -}}
+  Define database connection env section.
+*/}}
+{{- define "invenio.config.database" -}}
+- name: INVENIO_DB_USER
+  value: {{ include "invenio.postgresql.username" . }}
+- name: INVENIO_DB_HOST
+  value: {{ include "invenio.postgresql.hostname" . }}
+- name: INVENIO_DB_PORT
+  value: {{ include "invenio.postgresql.portString" . }}
+- name: INVENIO_DB_NAME
+  value: {{ include "invenio.postgresql.database" . }}
+- name: INVENIO_DB_PROTOCOL
+  value: "postgresql+psycopg2"
+- name: INVENIO_DB_PASSWORD
+{{- if or (and .Values.postgresql.enabled .Values.postgresql.auth.password) .Values.postgresqlExternal.password }}
+  value: {{ include "invenio.postgresql.password" .  | quote }}
+{{- else }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "invenio.postgresql.secretName" .}}
+      key: {{ include "invenio.postgresql.secretKey" .}}
+{{- end }}
+- name: INVENIO_SQLALCHEMY_DATABASE_URI
+  value: "$(INVENIO_DB_PROTOCOL)://$(INVENIO_DB_USER):$(INVENIO_DB_PASSWORD)@$(INVENIO_DB_HOST):$(INVENIO_DB_PORT)/$(INVENIO_DB_NAME)"
 {{- end -}}
 
 {{/*
@@ -299,7 +351,7 @@ Get the sentry secret name
 {{- if .Values.invenio.sentry.existingSecret -}}
   {{- print (tpl .Values.invenio.sentry.existingSecret .) -}}
 {{- else if  .Values.invenio.sentry.secret_name -}}
-  {{- print .Values.invenio.sentry.secret_name -}}  
+  {{- print .Values.invenio.sentry.secret_name -}}
 {{- else -}}
   {{- printf "%s-%s" (include "invenio.fullname" .) "sentry" -}}
 {{- end -}}

charts/invenio/templates/flower/deployment.yaml

@@ -23,9 +23,9 @@ spec:
               [
                 "celery",
                 "--config=/var/celery/celeryconfig.py",
-                {{ printf "--broker=%s" (include "invenio.rabbitmq.uri" .) }},
+                "--broker=$(INVENIO_CELERY_BROKER_URL)",
                 "flower",
-                {{ printf "--broker_api=%s" (include "invenio.rabbitmq.apiUri" .) }},
+                "--broker_api=$(RABBITMQ_API_URI)",
                 "--basic_auth=$(FLOWER_BASIC_AUTH_CREDENTIALS)",
                 "--conf=/var/flower/flowerconfig.py"
               ]
@@ -44,6 +44,7 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.flower.secret_name }}
                   key: FLOWER_BASIC_AUTH_CREDENTIALS
+            {{- include "invenio.config.queue" . | nindent 12 }}
           {{- if (or .Values.invenio.extraEnvFrom .Values.flower.extraEnvFrom) }}
           envFrom:
             {{- with .Values.invenio.extraEnvFrom }}

charts/invenio/templates/install-init-job.yaml

@@ -38,12 +38,8 @@ spec:
         env:
         - name: TZ
           value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
-        - name: INVENIO_BROKER_URL
-          value: {{ include "invenio.rabbitmq.uri" . }}
-        - name: INVENIO_CELERY_BROKER_URL
-          value: {{ include "invenio.rabbitmq.uri" . }}
-        - name: INVENIO_SQLALCHEMY_DATABASE_URI
-          value: {{ include "invenio.sqlAlchemyDbUri" . }}
+        {{- include "invenio.config.queue" . | nindent 8 }}
+        {{- include "invenio.config.database" . | nindent 8 }}
         volumeMounts:
           {{- range $key, $value := .Values.invenio.vocabularies }}
           - name: vocabularies

charts/invenio/templates/web-deployment.yaml

@@ -50,12 +50,8 @@ spec:
         env:
         - name: TZ
           value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
-        - name: INVENIO_BROKER_URL
-          value: {{ include "invenio.rabbitmq.uri" . }}
-        - name: INVENIO_CELERY_BROKER_URL
-          value: {{ include "invenio.rabbitmq.uri" . }}
-        - name: INVENIO_SQLALCHEMY_DATABASE_URI
-          value: {{ include "invenio.sqlAlchemyDbUri" . }}
+        {{- include "invenio.config.queue" . | nindent 8 }}
+        {{- include "invenio.config.database" . | nindent 8 }}
         {{- with .Values.web.extraEnvVars }}
         {{-  toYaml . | nindent 8 }}
         {{- end }}

charts/invenio/templates/worker-beat-deployment.yaml

@@ -62,12 +62,8 @@ spec:
         env:
         - name: TZ
           value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
-        - name: INVENIO_BROKER_URL
-          value: {{ include "invenio.rabbitmq.uri" . }}
-        - name: INVENIO_CELERY_BROKER_URL
-          value: {{ include "invenio.rabbitmq.uri" . }}
-        - name: INVENIO_SQLALCHEMY_DATABASE_URI
-          value: {{ include "invenio.sqlAlchemyDbUri" . }}
+        {{- include "invenio.config.queue" . | nindent 8 }}
+        {{- include "invenio.config.database" . | nindent 8}}
         {{- with .Values.workerBeat.extraEnvVars }}
         {{- toYaml . | nindent 8 }}
         {{- end }}