feat: improved migrations and mic improvements

helm-repo/index.yaml

@@ -2,9 +2,9 @@ apiVersion: v1
 entries:
   phase:
   - apiVersion: v2
-    created: "2024-10-29T13:20:00.665108467+05:30"
+    created: "2025-02-10T18:07:46.567713489+05:30"
     description: A Helm chart for deploying the Phase Secrets Manager
-    digest: 2bcc5bd5f1da6139c2c07abb001eb3ec8f60d0ea0e8dc5f754c4cc8ca7bfe9b3
+    digest: e7a5ef550c40bff206a7861f6a52cbd67b32fcd1ff38844924f2cc4225059562
     home: https://github.com/phasehq/kubernetes-secrets-operator
     icon: https://phase.dev/apple-touch-icon.png
     keywords:
@@ -18,12 +18,12 @@ entries:
     - https://github.com/phasehq/console
     type: application
     urls:
-    - phase-0.1.1.tgz
-    version: 0.1.1
+    - phase-0.2.0.tgz
+    version: 0.2.0
   phase-kubernetes-operator:
   - apiVersion: v2
     appVersion: 1.2.3
-    created: "2024-10-29T13:20:00.66538365+05:30"
+    created: "2025-02-10T18:07:46.568323055+05:30"
     description: A Helm chart for deploying the Phase Kubernetes Operator
     digest: 93e571ad092af42648a8731de51d6b1a371f5b738a5b6c5a327ca38fa90d45e4
     home: https://github.com/phasehq/kubernetes-secrets-operator
@@ -43,4 +43,4 @@ entries:
     urls:
     - phase-kubernetes-operator-1.2.3.tgz
     version: 1.2.3
-generated: "2024-10-29T13:20:00.664090903+05:30"
+generated: "2025-02-10T18:07:46.566497163+05:30"

phase-console/Chart.yaml

@@ -3,7 +3,7 @@ name: phase
 icon: https://phase.dev/apple-touch-icon.png
 description: A Helm chart for deploying the Phase Secrets Manager 
 type: application
-version: 0.1.1
+version: 0.2.0
 keywords:
   - phase
   - deployment

phase-console/templates/configmap.yaml

@@ -14,5 +14,4 @@ data:
   DATABASE_USER: {{ .Values.database.user | quote }}
   REDIS_HOST: {{ tpl .Values.redis.host . | quote }}
   REDIS_PORT: {{ .Values.redis.port | quote }}
-  NEXT_TELEMETRY_DISABLED: {{ default "1" | quote }}
   SESSION_COOKIE_DOMAIN: {{ .Values.global.host | quote }}

phase-console/templates/deployment-backend.yaml

@@ -15,6 +15,9 @@ spec:
       labels:
         {{- include "phase.selectorLabels" . | nindent 8 }}
         app: backend
+      annotations:
+        # Wait for the migrations to complete
+        batch.kubernetes.io/job-completion: "{{ include "phase.fullname" . }}-migrations"
     spec:
       containers:
       - name: backend
@@ -34,6 +37,8 @@ spec:
           value: "$(HTTP_PROTOCOL)$(HOST)"
         - name: SESSION_COOKIE_DOMAIN
           value: "$(HOST)"
+        - name: EXTERNAL_MIGRATION
+          value: "true"
         {{- if .Values.app.backend.readinessProbe.enabled }}
         readinessProbe:
           httpGet:

phase-console/templates/deployment-redis.yaml

@@ -21,13 +21,28 @@ spec:
       - name: redis
         image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
         imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
+        args:
+        {{- if .Values.secrets.redisPassword }}
+        - --requirepass
+        - $(REDIS_PASSWORD)
+        {{- end }}
+        env:
+        {{- if .Values.secrets.redisPassword }}
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "phase.fullname" . }}-secrets
+              key: REDIS_PASSWORD
+        {{- end }}
         ports:
-        - containerPort: 6379
+        - containerPort: {{ .Values.redis.service.port }}
+        {{- if .Values.redis.readinessProbe.enabled }}
         readinessProbe:
           tcpSocket:
-            port: 6379
+            port: {{ .Values.redis.service.port }}
           initialDelaySeconds: {{ .Values.redis.readinessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.redis.readinessProbe.periodSeconds }}
+        {{- end }}
         resources:
           {{- toYaml .Values.redis.resources | nindent 12 }}
-{{- end }}
+{{- end }}

phase-console/templates/deployment-worker.yaml

@@ -15,7 +15,30 @@ spec:
       labels:
         {{- include "phase.selectorLabels" . | nindent 8 }}
         app: worker
+      annotations:
+        # Wait for the migrations to complete
+        batch.kubernetes.io/job-completion: "{{ include "phase.fullname" . }}-migrations"
     spec:
+      initContainers:
+      - name: wait-for-redis
+        image: redis:alpine3.19
+        command: ['sh', '-c', 
+          'echo "Waiting for Redis at {{ tpl .Values.redis.host . }}:{{ .Values.redis.port }}...";
+          {{- if .Values.secrets.redisPassword }}
+          until redis-cli -h {{ tpl .Values.redis.host . }} -p {{ .Values.redis.port }} -a "$REDIS_PASSWORD" ping;
+          {{- else }}
+          until redis-cli -h {{ tpl .Values.redis.host . }} -p {{ .Values.redis.port }} ping;
+          {{- end }}
+          do echo "Redis is unavailable - sleeping 5s"; sleep 5; done;
+          echo "Redis is ready!"']
+        env:
+        {{- if .Values.secrets.redisPassword }}
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "phase.fullname" . }}-secrets
+              key: REDIS_PASSWORD
+        {{- end }}
       containers:
       - name: worker
         image: "{{ .Values.global.images.backend.repository }}:{{ .Values.global.version }}"
@@ -34,4 +57,4 @@ spec:
         - name: SESSION_COOKIE_DOMAIN
           value: "$(HOST)"
         resources:
-          {{- toYaml .Values.app.worker.resources | nindent 12 }}
+          {{- toYaml .Values.app.worker.resources | nindent 12 }}

phase-console/templates/job-migrations.yaml

@@ -0,0 +1,55 @@
+{{- if not .Values.global.external.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "phase.fullname" . }}-migrations
+  labels:
+    {{- include "phase.labels" . | nindent 4 }}
+    job-name: {{ include "phase.fullname" . }}-migrations
+  annotations:
+    # Migrations are run after all other resources (including PostgreSQL and Redis) are created and ready
+    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
+spec:
+  backoffLimit: 6
+  template:
+    metadata:
+      labels:
+        {{- include "phase.selectorLabels" . | nindent 8 }}
+        app: migrations
+    spec:
+      restartPolicy: OnFailure
+      initContainers:
+      - name: check-db-ready
+        image: postgres:15.4-alpine3.17
+        command: ['sh', '-c', 
+          'echo "Waiting for database at {{ tpl .Values.database.host . }}:{{ .Values.database.port }}...";
+          until pg_isready -h {{ tpl .Values.database.host . }} -p {{ .Values.database.port }} -U {{ .Values.database.user }} -t 5;
+          do echo "Database is unavailable - sleeping 5s"; sleep 5; done;
+          echo "Database is ready!"']
+        # Set PGPASSWORD as DATABASE_PASSWORD
+        env:
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "phase.fullname" . }}-secrets
+              key: DATABASE_PASSWORD
+      containers:
+      - name: migrations
+        image: "{{ .Values.global.images.backend.repository }}:{{ .Values.global.version }}"
+        imagePullPolicy: {{ .Values.app.backend.image.pullPolicy }}
+        command: ["python", "manage.py", "migrate"]
+        envFrom:
+        - configMapRef:
+            name: {{ include "phase.fullname" . }}-config
+        - secretRef:
+            name: {{ include "phase.fullname" . }}-secrets
+        env:
+        - name: ALLOWED_HOSTS
+          value: "$(HOST),{{ include "phase.fullname" . }}-worker"
+        - name: ALLOWED_ORIGINS
+          value: "$(HTTP_PROTOCOL)$(HOST)"
+        - name: SESSION_COOKIE_DOMAIN
+          value: "$(HOST)"
+{{- end }} 

phase-console/templates/secret.yaml

@@ -8,8 +8,13 @@ stringData:
   SECRET_KEY: {{ .Values.secrets.secretKey | quote }}
   SERVER_SECRET: {{ .Values.secrets.serverSecret | quote }}
   DATABASE_PASSWORD: {{ .Values.secrets.databasePassword | quote }}
+  REDIS_PASSWORD: {{ .Values.secrets.redisPassword | quote }}
   GOOGLE_CLIENT_ID: {{ .Values.secrets.googleClientId | quote }}
   GOOGLE_CLIENT_SECRET: {{ .Values.secrets.googleClientSecret | quote }}
+  GOOGLE_OIDC_CLIENT_ID: {{ .Values.secrets.googleOidcClientId | quote }}
+  GOOGLE_OIDC_CLIENT_SECRET: {{ .Values.secrets.googleOidcClientSecret | quote }}
+  JUMPCLOUD_OIDC_CLIENT_ID: {{ .Values.secrets.jumpcloudOidcClientId | quote }}
+  JUMPCLOUD_OIDC_CLIENT_SECRET: {{ .Values.secrets.jumpcloudOidcClientSecret | quote }}
   GITHUB_CLIENT_ID: {{ .Values.secrets.githubClientId | quote }}
   GITHUB_CLIENT_SECRET: {{ .Values.secrets.githubClientSecret | quote }}
   GITLAB_CLIENT_ID: {{ .Values.secrets.gitlabClientId | quote }}

phase-console/values.yaml

@@ -15,13 +15,20 @@ sso:
   providers: "google,github,gitlab"
 
 # Secrets (DO NOT use these in production, generate your own secure values)
+# Docs: https://docs.phase.dev/self-hosting/configuration/envars
+
 secrets:
   nextauthSecret: "efd7e1e87edd416bc8ee28e7ee1d961ab7f4a4724ea4249d36f07c92616a322d"
   secretKey: "ee728b91f92b48841a847fad61549f9f0b384f172b74bdcc859c1aadbfb633bd"
   serverSecret: "896d2d2462ebd12683cee44d7808939217da961d1f15e69c977ae250f23a65c9"
   databasePassword: "f5cc076c4788bba216567380247b394d71a2fa0c8970052005a824bad340c6be"
+  redisPassword: "98948797d7d3dc209bd3a6384a5e1438dc1e1cc3972305b9ca67c3b3c1b2bf01"
   googleClientId: ""
   googleClientSecret: ""
+  googleOidcClientId: ""
+  googleOidcClientSecret: ""
+  jumpcloudOidcClientId: ""
+  jumpcloudOidcClientSecret: ""
   githubClientId: ""
   githubClientSecret: ""
   gitlabClientId: ""
@@ -89,6 +96,14 @@ app:
         cpu: 250m
         memory: 512Mi
 
+  migrations:
+    image:
+      pullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 125m
+        memory: 256Mi
+
 database:
   external: false
   host: "{{ .Release.Name }}-postgres"
@@ -130,7 +145,6 @@ redis:
       cpu: 100m
       memory: 256Mi
 
-
 # Autoscaling settings
 autoscaling:
   frontend:
@@ -147,4 +161,4 @@ autoscaling:
     enabled: false
     minReplicas: 1
     maxReplicas: 10
-    targetCPUUtilizationPercentage: 80
+    targetCPUUtilizationPercentage: 80