Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
096fc8aa69
PromucFlow_constructor/deploy/helm/templates/deployment.yaml
Wyatt Walter 4c7a019adf
fix: support nss wrapper in Helm chart (#40673) 
## Description

Requires: https://github.com/appsmithorg/appsmith/pull/40642

Adds an environment variable activating nss_wrapper when the
`securityPolicy.runAsUser` value is set so the UID can be set
dynamically. This avoids the `I have no name!` in the prompt when doing
a `kubectl exec` with that value set.

I am also introducing
[helm-unittest](https://github.com/helm-unittest/helm-unittest) for
ensuring that changes to our defaults are made explicit.

Fixes https://github.com/appsmithorg/appsmith/issues/38787

## Automation

/ok-to-test tags=""

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!WARNING]
> Tests have not run on the HEAD
d30d87ffc66c107f980a3b27464e97db0910dcbe yet
> <hr>Mon, 19 May 2025 18:59:10 UTC
<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [ ] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Added automated unit testing for Helm charts, including snapshot and
security context tests.
- Introduced documentation for running and understanding Helm chart unit
tests.
- Added a GitHub Actions workflow to run Helm chart unit tests on pull
requests and manually.
- **Bug Fixes**
- Ensured the LD_PRELOAD environment variable is set when a specific
security context is configured in deployments.
- **Documentation**
- Updated Helm chart README to reference new testing documentation and
improve clarity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Goutham Pratapa <goutham@appsmith.com>
2025-06-04 20:54:46 +05:30

213 lines
8.7 KiB
YAML
Raw Blame History

{{- $updateStrategy := .Values.updateStrategy | default dict }}
{{- $postgresuser := .Values.postgresql.auth.username }}
{{- $postgrespass := .Values.postgresql.auth.password }}
{{- $postgrespass := .Values.postgresql.auth.password }}
{{- $releaseName := include "appsmith.fullname" . -}}
apiVersion: apps/v1
kind: {{ if not .Values.autoscaling.enabled }}StatefulSet{{- else }}Deployment{{- end }}
metadata:
name: {{ include "appsmith.fullname" . }}
namespace: {{ include "appsmith.namespace" . }}
labels:
{{- include "appsmith.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: 1
serviceName: {{ include "appsmith.fullname" . }}
updateStrategy:
{{- else }}
strategy:
type: {{ .Values.strategyType | default "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ dig "maxSurge" 1 $updateStrategy }}
maxUnavailable: {{ dig "maxUnavailable" "0" $updateStrategy }}
{{- end }}
selector:
matchLabels:
{{- include "appsmith.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "appsmith.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName | quote }}
{{- end }}
serviceAccountName: {{ template "appsmith.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.redis.enabled }}
- name: redis-init-container
{{- if ((.Values.initContainer.redis).image) }}
image: {{ .Values.initContainer.redis.image }}
{{- else }}
image: "docker.io/redis:7.0.15"
{{- end }}
command: ['sh', '-c', "until redis-cli -h {{.Release.Name}}-redis-master.{{.Release.Namespace}}.svc.cluster.local ping ; do echo waiting for redis; sleep 2; done"]
{{- end }}
{{- if .Values.mongodb.enabled }}
- name: mongo-init-container
{{- if ((.Values.initContainer.mongodb).image) }}
image: {{ .Values.initContainer.mongodb.image }}
{{- else }}
image: "docker.io/bitnami/mongodb:6.0.13"
{{- end }}
command: ['sh', '-c', "until mongosh --host appsmith-mongodb.{{.Release.Namespace}}.svc.cluster.local --eval 'db.runCommand({ping:1})' ; do echo waiting for mongo; sleep 2; done"]
{{- end }}
{{- if .Values.postgresql.enabled }}
- name: psql-init-container
{{- if ((.Values.initContainer.postgresql).image) }}
image: {{ .Values.initContainer.postgresql.image }}
{{- else}}
image: docker.io/bitnami/postgresql:14.5.0-debian-11-r21
{{- end}}
command: ['sh', '-c', "until pg_isready -U $postgresuser -d $postgresdb -h {{.Release.Name}}-postgresql.{{.Release.Namespace}}.svc.cluster.local; do echo waiting for postgresql; sleep 2; done"]
{{- end }}
containers:
- name: {{ .Values.containerName }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- $customImage := .Values._image | default dict }}
image: {{ dig "registry" "index.docker.io" $customImage }}/{{ dig "repository" "appsmith/appsmith-ee" $customImage }}:{{ dig "tag" (.Values.image.tag | default "latest") $customImage }}
imagePullPolicy: {{ dig "pullPolicy" "IfNotPresent" $customImage }}
ports:
- name: http
containerPort: {{ .Values.HTTPContainerPort | default 80 }}
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: metrics
containerPort: {{ .Values.metrics.port }}
protocol: TCP
{{- $probes := .Values.probes | default dict }}
startupProbe:
# The `livenessProbe` and `readinessProbe` will be disabled until the `startupProbe` is successful.
httpGet:
port: {{ dig "startupProbe" "port" "80" $probes }}
path: {{ dig "startupProbe" "api" "/api/v1/health" $probes }}
failureThreshold: {{ dig "startupProbe" "failureThreshold" 3 $probes }}
periodSeconds: {{ dig "startupProbe" "periodSeconds" 60 $probes }}
livenessProbe:
httpGet:
port: {{ dig "livenessProbe" "port" "80" $probes }}
path: {{ dig "livenessProbe" "api" "/api/v1/health" $probes }}
failureThreshold: {{ dig "livenessProbe" "failureThreshold" 3 $probes }}
periodSeconds: {{ dig "livenessProbe" "periodSeconds" 60 $probes }}
readinessProbe:
httpGet:
port: {{ dig "readinessProbe" "port" "80" $probes }}
path: {{ dig "readinessProbe" "api" "/api/v1/health" $probes }}
failureThreshold: {{ dig "readinessProbe" "failureThreshold" 3 $probes }}
periodSeconds: {{ dig "readinessProbe" "periodSeconds" 60 $probes }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /appsmith-stacks
{{- if .Values.customCAcert }}
- name: ca-cert
mountPath: "/appsmith-stacks/ca-certs"
{{- end }}
env:
{{- if .Values.HTTPContainerPort }}
- name: PORT
value: "{{ .Values.HTTPContainerPort }}"
{{- end }}
- name: APPSMITH_ENABLE_EMBEDDED_DB
value: "0"
- name: JGROUPS_DISCOVERY_PROTOCOL
value: kubernetes.KUBE_PING
- name: APPSMITH_HEADLESS_SVC
value: {{ include "appsmith.fullname" . }}-headless
{{- if .Values.securityContext.runAsUser | default nil }}
# ensure the interactive shell when connected via kubectl exec is set
- name: LD_PRELOAD
value: /usr/local/lib/libnss_wrapper.so
{{- end }}
envFrom:
- configMapRef:
name: {{ include "appsmith.fullname" . }}
{{- if .Values.secretName }}
- secretRef:
name: {{ .Values.secretName }}
{{- end }}
{{- if .Values.secrets }}
- secretRef:
name: {{ include "appsmith.fullname" . }}
{{- end }}
{{- if .Values.externalSecrets.enabled }}
- secretRef:
name: "{{ include "appsmith.fullname" . }}-external-secret"
{{- end }}
{{- if .Values.image.pullSecrets}}
imagePullSecrets:
- name: {{ .Values.image.pullSecrets }}
{{- end }}
volumes:
{{- if .Values.customCAcert }}
- name: ca-cert
configMap:
name: {{ $releaseName }}-trustedca
items:
{{- range $key, $value := .Values.customCAcert }}
- key: {{ $key }}
path: {{ $key }}.crt
{{- end }}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else if and (not .Values.autoscaling.enabled) (.Values.persistence.enabled) }}
volumeClaimTemplates:
- metadata:
name: data
{{- if .Values.persistence.annotations}}
annotations:
{{- include "tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.volumeClaimTemplates.selector }}
selector:
{{- include "tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }}
{{- end }}
{{ include "storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 8 }}
{{- else }}
- name: data
persistentVolumeClaim:
{{- if .Values.persistence.existingClaim.enabled }}
claimName: {{ .Values.persistence.existingClaim.claimName }}
{{- else }}
claimName: {{ include "appsmith.fullname" . }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink