New production ready Helm chart #1224

Status: Open (5 commits into base: main)

@Nathanael-Mtd Nathanael-Mtd commented Dec 21, 2024

After discussions in #1216, I made a new "next" Helm Chart with more options to have more flexibility in Kubernetes deployments.

Many changes in comparison to the current chart; needs some reviews.

Current features progress in this new chart:

  • SQLite mode
  • PostgreSQL mode
  • Backend and frontend separation in different pods
  • Ingress with custom TLS certificate option
  • SecurityContexts (enabled by default)
  • Change SQLite database PVC and file directory (env: SQLITE_FILE)
  • Use dedicated PVC for local storage directory (env: LOCAL_STORAGE_DIRECTORY)
  • Helm chart README.md generation from values.yaml file (using https://github.com/norwoodj/helm-docs)
  • Automate Helm chart release when a new tag is created
  • Other ideas?

@Nathanael-Mtd Nathanael-Mtd marked this pull request as draft December 21, 2024 22:22
@eric-intuitem
Collaborator

Definitely it is a good idea to use non-root user in the containers. I'll provide a PR for that.

@Nathanael-Mtd
Author

> Definitely it is a good idea to use non-root user in the containers. I'll provide a PR for that.

Great! Also, a read-only filesystem can be nice to use.
When I tried to run with that option enabled, I got some issues with Matplotlib cache, but maybe some other things use default cache/temp folders located on homedir or code directory.
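
An added example, not part of this PR or the project's chart: a pod spec combining the non-root and read-only root filesystem settings discussed above, with a writable `emptyDir` so that Matplotlib's cache (redirected with `MPLCONFIGDIR`) and other home-directory caches have somewhere to write. The resource names, UID, image, mount paths and PVC name are assumptions.

```yaml
# Constructed Deployment for illustration; not taken from the chart in this PR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-example                 # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels: {app: backend-example}
  template:
    metadata:
      labels: {app: backend-example}
    spec:
      securityContext:                  # pod-level settings
        runAsNonRoot: true              # kubelet refuses to start a UID 0 container
        runAsUser: 1001                 # assumed UID; must match the image's app user
        runAsGroup: 1001
        fsGroup: 1001                   # makes mounted volumes group-writable for that user
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: backend
          image: registry.example/backend:placeholder   # placeholder image reference
          securityContext:              # container-level settings
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          env:
            - name: MPLCONFIGDIR        # Matplotlib config/cache directory
              value: /tmp/matplotlib
            - name: HOME                # assumed: moves other home-dir caches to the writable mount
              value: /tmp
          volumeMounts:
            - name: tmp
              mountPath: /tmp           # only writable scratch path in the container
            - name: data
              mountPath: /data          # assumed target for SQLITE_FILE / LOCAL_STORAGE_DIRECTORY
      volumes:
        - name: tmp
          emptyDir: {sizeLimit: 64Mi}   # discarded with the pod; size is an assumption
        - name: data
          persistentVolumeClaim:
            claimName: backend-example-data   # hypothetical PVC
```

Any path the application still writes to outside `/tmp` and `/data` will fail with a read-only filesystem error at runtime, which is the quickest way to find remaining cache or temp directories.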

@Nathanael-Mtd
Author

Another thing I thought about is using a GitHub Action to bump the chart version and change appVersion when a new tag is made. That way, we don't need to manually set the image tag version when upgrading.

I don't know too much about GH Actions, but I found this: https://github.com/shini4i/helm-charts-updater

@Nathanael-Mtd Nathanael-Mtd marked this pull request as ready for review December 25, 2024 13:28
@Nathanael-Mtd
Author

@ab-smith @eric-intuitem Chart seems done. Need a review (and some tests on your side if possible).

I didn't add the GitHub Actions to generate and publish the chart; if you can check to add it, it would be nice (see the previous comment).
If you add GH Actions for release, it can be a good idea to add an action to fail the workflow if there is a change in values.yaml and the committer forgot to launch the helm-docs command to generate a new README.md.
Maybe instead it can be used to automatically update the README.md when a new tag is created, at the same time as the GH Action chart version bump and release.

@ab-smith
Contributor

ab-smith commented Dec 27, 2024

image

we'll need to explicitly mention the helm dep build or something equivalent;
the helm-docs will pick it up on the dependencies but people might skip it.

@Nathanael-Mtd : how is it supposed to behave? user should install pg using specific values/settings first or it will be installed automatically as a dependency?

side note: helm has an annoying limitation, that can interfere with this, on helm dependency build where it stops if other non related repos are broken.

@ab-smith
Contributor

image

@Nathanael-Mtd
Author

> image
>
> we'll need to explicitly mention the helm dep build or something equivalent;
>
> the helm-docs will pick it up on the dependencies but people might skip it.
>
> side note: helm has an annoying limitation, that can interfere with this, on helm dependency build where it stops if other non related repos are broken.

Yeah, but that's only if people want to install the Helm chart from sources, mainly for dev purposes.

We should add the regular install guide to readme.md using the Helm chart repo, and a part for installing from sources.

@Nathanael-Mtd
Author

> image

Oops, I will check later, maybe a wrong condition

@Nathanael-Mtd
Author

@ab-smith Warning fixed. I added a templating file to add custom instructions to install the chart from official helm chart repo (I supposed it will be ghcr.io/intuitem/ciso-assistant).

To test the build and push of the helm chart, you can use these commands:

```sh
helm dependency build charts/ciso-assistant-next
helm package charts/ciso-assistant-next
helm push ciso-assistant-X.Y.Z.tgz oci://ghcr.io/intuitem
```

But I think you can find an existing GH Action which can handle the release with these steps.

@ab-smith ab-smith added the deployment This issue deals with deployment label Jan 1, 2025
@ab-smith
Contributor

ab-smith commented Jan 3, 2025

candidate for 2.0.5 or 2.0.6

@Nathanael-Mtd
Author

One question: do I need to disable security contexts by default due to the Dockerfile app user commit revert?

@ab-smith
Contributor

ab-smith commented Jan 3, 2025

If we manage to bring back the non-root user properly before 2.0.6, no, otherwise yes and I’ll tag you accordingly ;)
