diff --git a/CHANGELOG.md b/CHANGELOG.md index e6c144fe..19cc9045 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Switch st2 to `v3.7` as a new default stable version (#274) * Upgrade MongoDB `v4.0` -> `v4.4` as 4.0 has reached its EOL. (#304) * Migrate from `python 3.6` `Ubuntu Bionic` to `python 3.8` `Ubuntu Focal` as a base StackStorm OS (StackStorm/st2-dockerfiles#54) +* Add support for use of overrides that are available in `v3.7` of st2 via helm charts. (#306) ## v0.90.0 * Advanced Feature: Make securityContext (on Deployments/Jobs) and podSecurityContext (on Pods) configurable. This allows dropping all capabilities, for example. You can override the securityContext for `st2actionrunner`, `st2sensorcontainer`, and `st2client` if your actions or sensors need, for example, additional capabilites that the rest of StackStorm does not need. (#271) (by @cognifloyd) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 97bc6e67..dd5ce49a 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -210,6 +210,23 @@ define this here as well to simplify comparison with packs-volume-mounts {{- end }} {{- end -}} +#Inserted for override ability to happen via helm charts + +{{- define "stackstorm-ha.overrides-config-mounts" -}} + {{- if .Values.st2.overrides }} +- name: st2-overrides-vol + mountPath: /opt/stackstorm/overrides + {{- end }} +{{- end -}} + +{{- define "stackstorm-ha.overrides-configs" -}} + {{- if .Values.st2.overrides }} +- name: st2-overrides-vol + configMap: + name: {{ .Release.Name }}-st2-overrides-configs + {{- end }} +{{- end -}} + {{/* For custom st2packs-initContainers reduce duplicity by defining them here once Merge packs and virtualenvs from st2 with those from st2packs images diff --git a/templates/configmaps_overrides.yaml b/templates/configmaps_overrides.yaml new file mode 100644 index 00000000..90c4536c --- /dev/null +++ b/templates/configmaps_overrides.yaml 
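Review bot: The new helpers `stackstorm-ha.overrides-config-mounts` and `stackstorm-ha.overrides-configs` do not follow the `-volume-mounts` / `-volume` pairing of the sibling helpers they are included next to in jobs.yaml (`stackstorm-ha.st2-config-volume-mounts`, `stackstorm-ha.st2-config-volume`), so it is easy to put the wrong one under `volumes:`. Names such as `stackstorm-ha.overrides-volume-mount` and `stackstorm-ha.overrides-volume` would make the pair self-describing. The line `#Inserted for override ability to happen via helm charts` sits outside any `define` and is plain text rather than a template comment, while the next helper in the file is described with `{{/* … */}}`. I would write it as `{{/* Volume and volumeMount for st2.overrides (pack override files under /opt/stackstorm/overrides) */}}`.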
@@ -0,0 +1,18 @@ +{{- if .Values.st2.overrides }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-st2-overrides-configs + annotations: + description: StackStorm override configs defined in helm values, shipped in (or copied to) '/opt/stackstorm/overrides' + labels: + app: st2 + tier: backend + vendor: stackstorm + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ toYaml .Values.st2.overrides | indent 2 }} +{{- end }} diff --git a/templates/deployments.yaml b/templates/deployments.yaml index fa5467b0..8c686a72 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml @@ -1700,6 +1700,9 @@ spec: checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }} checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }} checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }} + {{- if .Values.st2.overrides }} + checksum/overrides: {{ include (print $.Template.BasePath "/configmaps_overrides.yaml") . | sha256sum }} + {{- end }} {{- if .Values.st2client.postStartScript }} checksum/post-start-script: {{ .Values.st2client.postStartScript | sha256sum }} {{- end }} @@ -1773,6 +1776,7 @@ spec: - name: st2-rbac-mappings-vol mountPath: /opt/stackstorm/rbac/mappings/ {{- end }} + {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }} - name: st2client-config-vol mountPath: /root/.st2/ - name: st2-ssh-key-vol @@ -1824,6 +1828,7 @@ spec: configMap: name: {{ .Release.Name }}-st2-rbac-mappings {{- end }} + {{- include "stackstorm-ha.overrides-configs" . | nindent 8 }} - name: st2client-config-vol emptyDir: medium: Memory diff --git a/templates/jobs.yaml b/templates/jobs.yaml index cd06e961..e23791dc 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml 
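Review bot: `{{ toYaml .Values.st2.overrides | indent 2 }}` under `data:` passes the values through untyped, so an entry written as a nested map instead of a block scalar (`_global.yaml: {rules: ...}` rather than `_global.yaml: |`) renders a ConfigMap with a non-string `data` value. That is only rejected when the manifest is applied to the cluster. These files decide which rules, actions and sensors are enabled, so a malformed override is worth failing at render time with a message that names the offending key. Iterating over the map and checking each value, as sketched below, does that and also quotes the content explicitly.

```yaml
data:
{{- range $file, $body := .Values.st2.overrides }}
  {{- if not (kindIs "string" $body) }}
    {{- fail (printf "st2.overrides.%s must be a string (use a block scalar)" $file) }}
  {{- end }}
  {{ $file }}: {{ $body | quote }}
{{- end }}
```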
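Review bot: In the `@@ -1773` and `@@ -1824` hunks the overrides mount and volume are added to a single pod spec (the new unit test labels it st2client), so any other Deployment that registers pack content will not see `/opt/stackstorm/overrides`. If registration can run outside st2client and the register-content job, for instance when packs are installed at runtime rather than baked into images, a setting such as `defaults: enabled: false` would silently not apply there and content would come up with the pack's own defaults. These hunks do not show which services load overrides, so please confirm. Then either add the two `include` lines to those pod specs as well or document the limitation next to `st2.overrides` in values.yaml. The enclosing Deployment definitions start and end outside the hunks.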
@@ -416,6 +416,9 @@ spec: # TODO: Investigate/propose running Helm hook only on condition when ConfigMap or Secret has changed checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }} + {{- if .Values.st2.overrides }} + checksum/overrides: {{ include (print $.Template.BasePath "/configmaps_overrides.yaml") . | sha256sum }} + {{- end }} {{- if .Values.jobs.annotations }} {{- toYaml .Values.jobs.annotations | nindent 8 }} {{- end }} @@ -474,12 +477,14 @@ spec: {{- end }} {{- end }} volumeMounts: + {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }} {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }} {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" . | nindent 8 }} {{- include "stackstorm-ha.pack-configs-volume-mount" . | nindent 8 }} # TODO: Find out default resource limits for this specific service (#5) #resources: volumes: + {{- include "stackstorm-ha.overrides-configs" . | nindent 8 }} {{- include "stackstorm-ha.st2-config-volume" . | nindent 8 }} {{- include "stackstorm-ha.packs-volumes" . | nindent 8 }} {{- include "stackstorm-ha.pack-configs-volume" . | nindent 8 }} @@ -540,6 +545,9 @@ spec: annotations: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") $ | sha256sum }} checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") $ | sha256sum }} + {{- if $.Values.st2.overrides }} + checksum/overrides: {{ include (print $.Template.BasePath "/configmaps_overrides.yaml") $ | sha256sum }} + {{- end }} {{- if $.Values.jobs.annotations }} {{- toYaml $.Values.jobs.annotations | nindent 8 }} {{- end }} 
@@ -605,6 +613,7 @@ spec: volumeMounts: - name: st2client-config-vol mountPath: /root/.st2/ + {{- include "stackstorm-ha.overrides-config-mounts" $ | nindent 8 }} {{- include "stackstorm-ha.st2-config-volume-mounts" $ | nindent 8 }} {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" $ | nindent 8 }} {{- include "stackstorm-ha.pack-configs-volume-mount" $ | nindent 8 }} @@ -615,6 +624,7 @@ spec: - name: st2client-config-vol emptyDir: medium: Memory + {{- include "stackstorm-ha.overrides-configs" $ | nindent 8 }} {{- include "stackstorm-ha.st2-config-volume" $ | nindent 8 }} {{- include "stackstorm-ha.packs-volumes" $ | nindent 8 }} {{- include "stackstorm-ha.pack-configs-volume" $ | nindent 8 }} diff --git a/tests/unit/custom_annotations_test.yaml b/tests/unit/custom_annotations_test.yaml index 7a7ed9b7..87c4d3f5 100644 --- a/tests/unit/custom_annotations_test.yaml +++ b/tests/unit/custom_annotations_test.yaml @@ -9,6 +9,7 @@ templates: - services.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/dns_test.yaml b/tests/unit/dns_test.yaml index b4d1c1bb..027a7147 100644 --- a/tests/unit/dns_test.yaml +++ b/tests/unit/dns_test.yaml @@ -6,6 +6,7 @@ templates: - jobs.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml @@ -23,7 +24,7 @@ tests: - deployments.yaml - jobs.yaml set: - st2: + st2: packs: { sensors: [] } # ensure only 1 sensor rbac: { enabled: true } # enable rbac job jobs: @@ -54,7 +55,7 @@ tests: - name: ndots value: "2" - name: edns0 - st2: + st2: packs: { sensors: [] } # ensure only 1 sensor rbac: { enabled: true } # enable rbac job jobs: diff --git a/tests/unit/env_test.yaml b/tests/unit/env_test.yaml index 4bd42f2b..9cc7badf 100644 --- a/tests/unit/env_test.yaml +++ b/tests/unit/env_test.yaml 
@@ -6,6 +6,7 @@ templates: - jobs.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/image_pull_test.yaml b/tests/unit/image_pull_test.yaml index 6a0ef3ac..ce59058d 100644 --- a/tests/unit/image_pull_test.yaml +++ b/tests/unit/image_pull_test.yaml @@ -7,6 +7,7 @@ templates: - service-account.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/labels_test.yaml b/tests/unit/labels_test.yaml index 09f1dd7d..6457acf2 100644 --- a/tests/unit/labels_test.yaml +++ b/tests/unit/labels_test.yaml @@ -5,6 +5,7 @@ templates: - jobs.yaml - services.yaml + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_post-start-scripts.yaml - configmaps_rbac.yaml diff --git a/tests/unit/overrides_test.yaml b/tests/unit/overrides_test.yaml new file mode 100644 index 00000000..60da9b4c --- /dev/null +++ b/tests/unit/overrides_test.yaml 
@@ -0,0 +1,164 @@
+---
+suite: Overrides check
+templates:
+ # primary template files
+ - deployments.yaml
+ - jobs.yaml
+ - service-account.yaml
+
+ # included templates must also be listed
+ - configmaps_overrides.yaml
+ - configmaps_packs.yaml
+ - configmaps_rbac.yaml
+ - configmaps_st2-conf.yaml
+ - configmaps_st2-urls.yaml
+ - configmaps_st2web.yaml
+ - secrets_datastore_crypto_key.yaml
+ - secrets_ssh.yaml
+ - secrets_st2apikeys.yaml
+ - secrets_st2auth.yaml
+ - secrets_st2chatops.yaml
+
+tests:
+ - it: Jobs with overrides mounted
+ template: jobs.yaml
+ set:
+ st2:
+ overrides: #Enabling the overrides mounts in register-content job.
+ _global.yaml: |
+ ---
+ rules:
+ defaults:
+ enabled: false
+ rbac: { enabled: true } # enable rbac job
+ packs: { sensors: [] } # ensure only 1 sensor
+ jobs:
+ extra_hooks: &extra_hooks_jobs
+ - name: upgrade-warning
+ hook: pre-upgrade, pre-rollback
+ hook_weight: -5
+ command: ["st2", "run", "--tail", "custom_pack.warn_about_upgrade"]
+ release:
+ name: st2ha
+ asserts:
+ - hasDocuments:
+ count: 5
+
+ - contains: &overrides_volume
+ path: spec.template.spec.volumes
+ content:
+ name: st2-overrides-vol
+ configMap:
+ name: st2ha-st2-overrides-configs
+ documentIndex: 3 # register_content
+
+
+ - contains: &overrides_mnt
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: st2-overrides-vol
+ mountPath: /opt/stackstorm/overrides
+ documentIndex: 3 # register_content
+
+ - contains: *overrides_mnt
+ documentIndex: 4 #Extra_jobs
+ - contains: *overrides_volume
+ documentIndex: 4 #extra_jobs
+
+ - notContains: *overrides_volume
+ documentIndex: 0
+ - notContains: *overrides_mnt
+ documentIndex: 0
+ - notContains: *overrides_volume
+ documentIndex: 1
+ - notContains: *overrides_mnt
+ documentIndex: 1
+ - notContains: *overrides_volume
+ documentIndex: 2
+ - notContains: *overrides_mnt
+ documentIndex: 2
+
+
+ - it: Deployments with overrides
+ template: deployments.yaml
+ set:
+ st2:
+ overrides: #Enabling
the override mounts in register-content job.
+ _global.yaml: |
+ ---
+ rules:
+ defaults:
+ enabled: false
+ packs:
+ sensors: [] # ensure only 1 sensor
+ images: [] # no extra packs to load
+ volumes:
+ enabled: false
+ configs: {} # has one core.yaml config file by default (dicts get merged)
+ st2chatops:
+ enabled: true
+ release:
+ name: st2ha
+ asserts:
+ - hasDocuments:
+ count: 14
+
+
+ - contains: *overrides_volume # always included
+ documentIndex: 12 # st2client
+ - contains: *overrides_mnt # always included
+ documentIndex: 12 # st2client
+
+
+ - notContains: *overrides_volume
+ documentIndex: 1
+ - notContains: *overrides_mnt
+ documentIndex: 1 # st2api
+ - notContains: *overrides_volume
+ documentIndex: 10 # st2actionrunner
+ - notContains: *overrides_mnt
+ documentIndex: 10 # st2actionrunner
+ - notContains: *overrides_volume
+ documentIndex: 0
+ - notContains: *overrides_mnt
+ documentIndex: 0
+ - notContains: *overrides_volume
+ documentIndex: 2
+ - notContains: *overrides_mnt
+ documentIndex: 2
+ - notContains: *overrides_volume
+ documentIndex: 3
+ - notContains: *overrides_mnt
+ documentIndex: 3
+ - notContains: *overrides_volume
+ documentIndex: 4
+ - notContains: *overrides_mnt
+ documentIndex: 4
+ - notContains: *overrides_volume
+ documentIndex: 5
+ - notContains: *overrides_mnt
+ documentIndex: 5
+ - notContains: *overrides_volume
+ documentIndex: 6
+ - notContains: *overrides_mnt
+ documentIndex: 6
+ - notContains: *overrides_volume
+ documentIndex: 7
+ - notContains: *overrides_mnt
+ documentIndex: 7
+ - notContains: *overrides_volume
+ documentIndex: 8
+ - notContains: *overrides_mnt
+ documentIndex: 8
+ - notContains: *overrides_volume # never
+ documentIndex: 9 # st2sensorcontainer
+ - notContains: *overrides_mnt # never
+ documentIndex: 9 # st2sensorcontainer
+ - notContains: *overrides_volume
+ documentIndex: 11
+ - notContains: *overrides_mnt
+ documentIndex: 11
+ - notContains: *overrides_volume
+ documentIndex: 13
+ - notContains:
*overrides_mnt + documentIndex: 13 diff --git a/tests/unit/packs_volumes_test.yaml b/tests/unit/packs_volumes_test.yaml index abaec6f2..268a2190 100644 --- a/tests/unit/packs_volumes_test.yaml +++ b/tests/unit/packs_volumes_test.yaml @@ -6,6 +6,7 @@ templates: - jobs.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/placement_test.yaml b/tests/unit/placement_test.yaml index 8f583481..483c09b8 100644 --- a/tests/unit/placement_test.yaml +++ b/tests/unit/placement_test.yaml @@ -6,6 +6,7 @@ templates: - jobs.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/post_start_script_test.yaml b/tests/unit/post_start_script_test.yaml index 366cdc6d..d3856b06 100644 --- a/tests/unit/post_start_script_test.yaml +++ b/tests/unit/post_start_script_test.yaml @@ -6,6 +6,7 @@ templates: - configmaps_post-start-script.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/resources_test.yaml b/tests/unit/resources_test.yaml index 35849882..698897a7 100644 --- a/tests/unit/resources_test.yaml +++ b/tests/unit/resources_test.yaml @@ -7,6 +7,7 @@ templates: # No jobs resources yet # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/security_context_test.yaml b/tests/unit/security_context_test.yaml index c61fbcf3..4462d624 100644 --- a/tests/unit/security_context_test.yaml +++ b/tests/unit/security_context_test.yaml @@ -6,6 +6,7 @@ templates: - jobs.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml 
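Review bot: Both cases in the new tests/unit/overrides_test.yaml set `st2.overrides`, so nothing checks the default `overrides: {}` path, and nothing asserts the rendered ConfigMap or the `checksum/overrides` annotation. I would add a case per template without `overrides` that applies `notContains: *overrides_volume` and `notContains: *overrides_mnt` to the register-content and st2client documents. A further case against `configmaps_overrides.yaml` should assert `hasDocuments: count: 0` when the value is unset and the expected `data` key when it is set. The comment on the second case's `overrides:` line is copied from the jobs case and should read `# enable the overrides mount in st2client`. The `&extra_hooks_jobs` anchor is defined but never referenced in this file.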
diff --git a/tests/unit/service_account_test.yaml b/tests/unit/service_account_test.yaml index 3c0e7ebc..52bc261b 100644 --- a/tests/unit/service_account_test.yaml +++ b/tests/unit/service_account_test.yaml @@ -8,6 +8,7 @@ templates: # ServiceAccount doesn't attach to Jobs # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/tests/unit/st2sensors_test.yaml b/tests/unit/st2sensors_test.yaml index a6b68680..adcd8eee 100644 --- a/tests/unit/st2sensors_test.yaml +++ b/tests/unit/st2sensors_test.yaml @@ -5,6 +5,7 @@ templates: - deployments.yaml # included templates must also be listed + - configmaps_overrides.yaml - configmaps_packs.yaml - configmaps_rbac.yaml - configmaps_st2-conf.yaml diff --git a/values.yaml b/values.yaml index bd530d3e..6dc4a8c0 100644 --- a/values.yaml +++ b/values.yaml @@ -67,6 +67,22 @@ st2: config: | [api] allow_origin = '*' + + #Override Definitions can be added here. + #https://docs.stackstorm.com/latest/packs.html#overriding-pack-defaults + overrides: {} + # overrides: + # _global.yaml: | + # --- + # rules: + # defaults: + # enabled: true + # packA.yaml: | + # --- + # rules: + # rule.name: + # enabled: false + # This mirrors the [system_user] section of st2.conf, but makes the values available for helm templating. # If you change the user, you must provide a customized st2actionrunner image that includes your user.
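Review bot: The comment added above `overrides: {}` in values.yaml links to the StackStorm docs but does not say what the chart does with the value. I would add `# Each key is a file name and each value that file's YAML content as a block string; the chart stores them in a ConfigMap` and `# mounted at /opt/stackstorm/overrides in st2client and the register-content / extra-hook jobs.` so users know the entries must be strings and where they take effect. Because the data lands in a ConfigMap, the comment could also say that nothing secret belongs here.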