getredash · frivoire · Jun 13, 2024 · Jun 13, 2024 · Jun 13, 2024 · Jun 13, 2024
diff --git a/charts/redash/requirements.lock b/charts/redash/requirements.lock
diff --git a/charts/redash/requirements.yaml b/charts/redash/requirements.yaml
diff --git a/charts/redash/templates/_helpers.tpl b/charts/redash/templates/_helpers.tpl
@@ -71,6 +71,24 @@ Get the secret name.
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Get the hostname from the postgresql connection string
+Example: the input should be similar to:
+    postgresql://redash:$(POSTGRESQL_PASSWORD)@my-pg-host-for-redash/redash
+And the output will be:
+    my-pg-host-for-redash
+*/}}
+{{- define "redash.externalPostgresql.hostname" -}}
+{{ mustRegexReplaceAll ".*@([^/:]+)[/:].*" .Values.externalPostgreSQL "${1}" }}
+{{- end -}}
+
+{{/* same than Postgres above */}}
+{{- define "redash.externalRedis.hostname" -}}
+{{ mustRegexReplaceAll ".*@([^/:]+)[/:].*" .Values.externalRedis "${1}" }}
+{{- end -}}
+
+
 {{/*
 Shared environment block used across each component.
 */}}
@@ -101,7 +119,7 @@ Shared environment block used across each component.
   value: {{ .Values.postgresql.auth.database | quote }}
 {{- end -}}
 {{- if not .Values.redis.enabled }}
-{{- if not .Values.redash.selfManagedSecrets -}}
+{{- if not .Values.redash.selfManagedSecrets }}
 - name: REDASH_REDIS_URL
   {{- with .Values.externalRedisSecret }}
   valueFrom:
@@ -126,11 +144,11 @@ Shared environment block used across each component.
   value: {{ .Values.redis.master.service.ports.redis | quote }}
 - name: REDASH_REDIS_NAME
   value: {{ .Values.redis.database | quote }}
-{{ end -}}
-{{ range $key, $value := .Values.env -}}
+{{- end }}
+{{ range $key, $value := .Values.env }}
 - name: {{ $key }}
   value: {{ $value | quote }}
-{{ end -}}
+{{- end -}}
 ## Start primary Redash configuration
 {{- if not .Values.redash.selfManagedSecrets }}
 {{- if or .Values.redash.secretKey .Values.redash.existingSecret }}
@@ -523,6 +541,9 @@ app.kubernetes.io/component: {{ . }}worker
 app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels }}
+{{ tpl (toYaml .Values.commonLabels) . }}
+{{- end }}
 {{- end -}}
 
 {{/*
@@ -531,6 +552,8 @@ Selector labels
 {{- define "redash.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "redash.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+app: {{ .Release.Name }}
+component: database
 {{- end -}}
 
 {{/*

diff --git a/charts/redash/templates/authorizationpolicy.yaml b/charts/redash/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Release.Name }}
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            principals:
+              - "cluster.local/ns/infra/sa/uberproxy"
+              # The config Job needs to call Redash's API
+              - "cluster.local/ns/{{ .Release.Namespace }}/sa/{{ include "redash.serviceAccountName" . }}"
diff --git a/charts/redash/templates/configmap-datasources.yaml b/charts/redash/templates/configmap-datasources.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.config -}}
+apiVersion: v1
+data:
+  datasources.yaml: |
+{{ toYaml .Values.config.datasources | indent 4 }}
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-datasources
+{{- end -}}
diff --git a/charts/redash/templates/configmap-groups.yaml b/charts/redash/templates/configmap-groups.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.config -}}
+apiVersion: v1
+data:
+  groups.yaml: |
+{{ toYaml .Values.config.groups | indent 4 }}
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-groups
+{{- end -}}
diff --git a/charts/redash/templates/hook-config-job.yaml b/charts/redash/templates/hook-config-job.yaml
@@ -0,0 +1,66 @@
+{{- if .Values.config -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-config"
+  labels:
+    {{- include "redash.labels" . | nindent 4 }}
+    app.kubernetes.io/component: config
+  annotations:
+    # This is what defines this resource as a hook.
+    "helm.sh/hook": post-install,post-upgrade,post-rollback
+    "helm.sh/hook-weight": "30"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        {{- include "redash.selectorLabels" . | nindent 8 }}
+        {{- if .Values.hookConfigJob.podLabels }}
+        {{- tpl (toYaml .Values.hookConfigJob.podLabels) $ | nindent 8 }}
+        {{- end }}
+      {{- with .Values.hookConfigJob.podAnnotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      volumes:
+        - configMap:
+            name: {{ .Release.Name }}-datasources
+          name: {{ .Release.Name }}-datasources
+        - configMap:
+            name: {{ .Release.Name }}-groups
+          name: {{ .Release.Name }}-groups
+      serviceAccountName: {{ include "redash.serviceAccountName" . }}
+      restartPolicy: Never
+      securityContext: {{ toYaml .Values.hookConfigJob.podSecurityContext | nindent 8 }}
+      containers:
+      - name: {{ include "redash.name" . }}-config
+        securityContext: {{ toYaml .Values.hookConfigJob.securityContext | nindent 10 }}
+        image: "{{ .Values.hookConfigJob.image.repository }}:{{ .Values.hookConfigJob.image.tag }}"
+        imagePullPolicy: {{ .Values.hookConfigJob.image.pullPolicy }}
+        command: ["envoy-preflight", "python3", "redash-config-gitops.py"]
+        args:
+          - --host=http://{{ .Release.Name }}
+          - --apikey=$(APIKEY)
+        volumeMounts:
+        - name: {{ .Release.Name }}-datasources
+          mountPath: /config/datasources
+        - name: {{ .Release.Name }}-groups
+          mountPath: /config/groups
+        env:
+          - name: APIKEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}
+                key: apikey
+          # variables below are required by envoy-preflight (to shut down the Envoy proxy once the job completes)
+          - name: ENVOY_ADMIN_API
+            value: "http://127.0.0.1:15000/"
+          - name: ISTIO_QUIT_API
+            value: "http://127.0.0.1:15000/"
+        envFrom:
+        - secretRef:
+            name: {{ .Release.Name }}-datasources
+        resources: {{ toYaml .Values.hookConfigJob.resources | nindent 10 }}
+{{- end -}}
diff --git a/charts/redash/templates/hook-migrations-job.yaml b/charts/redash/templates/hook-migrations-job.yaml
@@ -15,7 +15,11 @@ spec:
   template:
     metadata:
       name: "{{ .Release.Name }}"
-      labels: {{ include "redash.selectorLabels" . | nindent 8 }}
+      labels:
+        {{- include "redash.selectorLabels" . | nindent 8 }}
+        {{- if .Values.migrations.podLabels }}
+        {{- tpl (toYaml .Values.migrations.podLabels) $ | nindent 8 }}
+        {{- end }}
       {{- with .Values.migrations.podAnnotations }}
       annotations: {{ toYaml . | nindent 8 }}
       {{- end }}

diff --git a/charts/redash/templates/istio-sidecar.yaml b/charts/redash/templates/istio-sidecar.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  workloadSelector:
+    labels: {{ include "redash.selectorLabels" . | nindent 6 }}
+  outboundTrafficPolicy:
+    mode: {{ .Values.istio.outboundTrafficPolicy }}
+  ingress:
+  - defaultEndpoint: 127.0.0.1:{{ .Values.server.httpPort }}
+    port:
+      name: http
+      number: {{ .Values.server.httpPort }}
+      protocol: HTTP
+  egress:
+  - hosts:
+    # GKE/K8S system:
+    - "istio-system/metadata.google.internal"
+    - "istio-system/metadata.google.internal."
+    # Redash "system":
+    - "./{{ include "redash.externalPostgresql.hostname" . }}.{{ .Release.Namespace }}.svc.cluster.local"
+    - "./{{ include "redash.externalRedis.hostname" . }}.{{ .Release.Namespace }}.svc.cluster.local"
+    - "./{{ include "redash.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local"    # this is the name of the HTTP service, useful for the config job to connect to the API
+    # SSO:
+    - "*/app-eu.onelogin.com"
+    - "*/blablacar.onelogin.com"
+    {{- if .Values.config }}
+    # The datasources (in the values, the host value should be a "short name", ex: mariadb-main.v3)
+    {{- range .Values.config.datasources }}
+    - "*/{{- .options.host }}.svc.cluster.local"
+    {{- end }}
+    {{- end }}
diff --git a/charts/redash/templates/server-deployment.yaml b/charts/redash/templates/server-deployment.yaml
@@ -20,7 +20,7 @@ spec:
         {{- tpl (toYaml .Values.server.podLabels) $ | nindent 8 }}
         {{- end }}
       {{- with .Values.server.podAnnotations }}
-      annotations: {{ toYaml . | nindent 8 }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
     spec:
       {{ with .Values.imagePullSecrets -}}

diff --git a/charts/redash/templates/worker-deployment.yaml b/charts/redash/templates/worker-deployment.yaml
@@ -17,8 +17,8 @@ spec:
       {{- if $workerConfig.podLabels }}
       {{ tpl (toYaml $workerConfig.podLabels) $ | nindent 8 }}
       {{- end }}
-      {{- with $workerConfig.podAnnotations -}}
-      annotations: {{ toYaml . | nindent 8 }}
+      {{- with $workerConfig.podAnnotations }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
     spec:
       {{ with $.Values.imagePullSecrets -}}