Merge pull request #428 from percona/EVEREST-107-configmap-bug

EVEREST-107 | Fix bug with Everest ConfigMaps (RBAC, settings) getting reset on upgrade
percona · Nov 25, 2024 · 217d812 · 217d812
2 parents f1ec542 + c21bfe1
commit 217d812
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 10 deletions.
diff --git a/charts/everest/README.md b/charts/everest/README.md
@@ -82,8 +82,9 @@ The following table shows the configurable parameters of the Percona Everest cha
 | server.apiRequestsRateLimit | int | `100` | Set the allowed number of requests per second. |
 | server.image | string | `"perconalab/everest"` | Image to use for the server container. |
 | server.initialAdminPassword | string | `""` | The initial password configured for the admin user. If unset, a random password is generated. It is strongly recommended to reset the admin password after installation. |
-| server.oidc | object | `{}` | OIDC configuration for Everest. |
-| server.rbac | string | `"g, admin, role:admin\n"` | RBAC policy for Everest. |
+| server.oidc | object | `{}` | OIDC configuration for Everest. The config specified here is applied during installation only. During upgrades, the existing config is preserved. To change the config after installation, you need to manually manage the `everest-settigs` ConfigMap. |
+| server.rbac.enabled | bool | `false` | If set, enables RBAC for Everest. |
+| server.rbac.policy | string | `"g, admin, role:admin\n"` | RBAC policy configuration. Ignored if `rbac.enabled` is false. The policy specified here is applied during installation only. During upgrades, the existing policy is preserved. To change the policy after installation, you need to manually manage the `everest-rbac` ConfigMap. |
 | server.resources | object | `{"limits":{"cpu":"200m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | Resources to allocate for the server container. |
 | telemetry | bool | `true` | If set, enabled sending telemetry information. |
 | upgrade.preflightChecks | bool | `true` | If set, run preliminary checks before upgrading. It is strongly recommended to enable this setting. |

diff --git a/charts/everest/templates/everest-server/accounts.secret.yaml b/charts/everest/templates/everest-server/accounts.secret.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: everest-accounts
+  name: {{ $secretName }}
   namespace: {{ include  "everest.namespace" . }}
   annotations:
   {{- if not $secret }}

diff --git a/charts/everest/templates/everest-server/jwt.secret.yaml b/charts/everest/templates/everest-server/jwt.secret.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: everest-jwt
+  name: {{ $secretName }}
   namespace: {{ include  "everest.namespace" . }}
 data:
   {{- if not $secret }}

diff --git a/charts/everest/templates/everest-server/rbac.configmap.yaml b/charts/everest/templates/everest-server/rbac.configmap.yaml
@@ -1,8 +1,17 @@
+{{- $cmName := (printf "everest-rbac") -}}
+{{- $cm := (lookup "v1" "ConfigMap" (include "everest.namespace" .) $cmName ) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: everest-rbac
+  name: {{ $cmName }}
   namespace: {{ include  "everest.namespace" . }}
 data:
+  {{- if or (not $cm) .Release.IsInstall }}
+  enabled: {{ .Values.server.rbac.enabled | default "false" | quote }}
   policy.csv: |
-    {{- .Values.server.rbac | nindent 4 }}
+    {{- .Values.server.rbac.policy | nindent 4 }}
+  {{- else }}
+  {{- range $key, $value := $cm.data }}
+  {{ $key }}: {{ $value }}
+  {{- end }}
+  {{- end }}
diff --git a/charts/everest/templates/everest-server/settings.configmap.yaml b/charts/everest/templates/everest-server/settings.configmap.yaml
@@ -1,11 +1,19 @@
+{{- $cmName := (printf "everest-settings") -}}
+{{- $cm := (lookup "v1" "ConfigMap" (include "everest.namespace" .) $cmName ) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: everest-settings
+  name: {{ $cmName }}
   namespace: {{ include  "everest.namespace" . }}
 data:
+  {{- if or (not $cm) .Release.IsInstall }}
   {{- if .Values.server.oidc }}
   oidc.config: |
     {{- toYaml .Values.server.oidc | nindent 4 }}
   {{- end }}
+  {{- else }}
+  {{- range $key, $value := $cm.data }}
+  {{ $key }}: {{ $value }}
+  {{- end }}
+  {{- end }}
 
diff --git a/charts/everest/test.yaml b/charts/everest/test.yaml
diff --git a/charts/everest/values.yaml b/charts/everest/values.yaml
@@ -17,10 +17,17 @@ server:
     requests:
       cpu: 100m
       memory: 20Mi
-  # -- RBAC policy for Everest.
-  rbac: |
-    g, admin, role:admin
+  rbac:
+    # -- If set, enables RBAC for Everest.
+    enabled: false
+    # -- RBAC policy configuration. Ignored if `rbac.enabled` is false.
+    # The policy specified here is applied during installation only. During upgrades, the existing policy is preserved.
+    # To change the policy after installation, you need to manually manage the `everest-rbac` ConfigMap.
+    policy: |
+      g, admin, role:admin
   # -- OIDC configuration for Everest.
+  # The config specified here is applied during installation only. During upgrades, the existing config is preserved.
+  # To change the config after installation, you need to manually manage the `everest-settigs` ConfigMap.
   oidc: {}
   # issuerUrl: ""
   # clientId: ""