Add initializer job for hyades

Introduces a `Job` that executes in the `post-install` and `post-upgrade` phases of a Helm deployment. The job executes initialization tasks and exits.

Pods that depend on successful execution of the job will wait for it, using new init containers. Since this waiting requires interacting with the Kubernetes API, pods will need `get`, `list`, and `watch` permissions on the `batch/jobs` resource. Creation of a `Role` with those permissions can be enabled.

This new functionality is disabled by default for now. The plan is to enable it per default once it's thoroughly tested, and we are confident it's the best way forward.

Depends on DependencyTrack/hyades-apiserver#873

Closes #136

Signed-off-by: nscuro <[email protected]>

charts/hyades/ci/test-initializer-values.yaml

@@ -0,0 +1,182 @@
+common:
+  database:
+    jdbcUrl: "jdbc:postgresql://postgres.{{ .Release.Namespace }}.svc.cluster.local:5432/dtrack"
+    username: "dtrack"
+    password: "dtrack"
+  kafka:
+    bootstrapServers: "redpanda.{{ .Release.Namespace }}.svc.cluster.local:9092"
+  secretKey:
+    createSecret: true
+  serviceAccount:
+    automount: true
+
+apiServer:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      cpu: "2"
+      memory: 512Mi
+
+initializer:
+  enabled: true
+  # chart-testing executes `helm install` with `--wait` flag,
+  # causing post-install hooks to never run.
+  # See https://github.com/helm/chart-testing/issues/202.
+  noHelmHook: true
+
+mirrorService:
+  resources: &hyadesResources
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
+
+repoMetaAnalyzer:
+  resources: *hyadesResources
+
+vulnAnalyzer:
+  resources: *hyadesResources
+
+extraObjects:
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: postgres
+    namespace: "{{ .Release.Namespace }}"
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app.kubernetes.io/instance: "{{ .Release.Name }}"
+        app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+        app.kubernetes.io/component: postgres
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/instance: "{{ .Release.Name }}"
+          app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+          app.kubernetes.io/component: postgres
+      spec:
+        containers:
+        - name: postgres
+          image: postgres:16-alpine
+          env:
+          - name: POSTGRES_DB
+            value: dtrack
+          - name: POSTGRES_USER
+            value: dtrack
+          - name: POSTGRES_PASSWORD
+            value: dtrack
+          ports:
+          - name: postgres
+            containerPort: 5432
+            protocol: TCP
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: postgres
+    namespace: "{{ .Release.Namespace }}"
+    labels:
+      app.kubernetes.io/instance: "{{ .Release.Name }}"
+      app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+      app.kubernetes.io/component: postgres
+  spec:
+    type: ClusterIP
+    selector:
+      app.kubernetes.io/instance: "{{ .Release.Name }}"
+      app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+      app.kubernetes.io/component: postgres
+    ports:
+    - port: 5432
+      targetPort: 5432
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: redpanda
+    namespace: "{{ .Release.Namespace }}"
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app.kubernetes.io/instance: "{{ .Release.Name }}"
+        app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+        app.kubernetes.io/component: redpanda
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/instance: "{{ .Release.Name }}"
+          app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+          app.kubernetes.io/component: redpanda
+      spec:
+        containers:
+        - name: redpanda
+          image: docker.redpanda.com/vectorized/redpanda:v24.1.7
+          args:
+          - redpanda
+          - start
+          - --smp
+          - '1'
+          - --reserve-memory
+          - 0M
+          - --memory
+          - 512M
+          - --overprovisioned
+          - --node-id
+          - '0'
+          - --kafka-addr
+          - PLAINTEXT://0.0.0.0:9092
+          - --advertise-kafka-addr
+          - PLAINTEXT://redpanda.{{ .Release.Namespace }}.svc.cluster.local:9092
+        ports:
+        - name: kafka-api
+          containerPort: 9092
+          protocol: TCP
+        - name: redpanda-admin
+          containerPort: 9644
+          protocol: TCP
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: redpanda
+    namespace: "{{ .Release.Namespace }}"
+    labels:
+      app.kubernetes.io/instance: "{{ .Release.Name }}"
+      app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+      app.kubernetes.io/component: redpanda
+  spec:
+    type: ClusterIP
+    selector:
+      app.kubernetes.io/instance: "{{ .Release.Name }}"
+      app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+      app.kubernetes.io/component: redpanda
+    ports:
+    - name: kafka-api
+      port: 9092
+      targetPort: 9092
+    - name: redpanda-admin
+      port: 9644
+      targetPort: 9644
+- apiVersion: batch/v1
+  kind: Job
+  metadata:
+    name: redpanda-init
+    namespace: "{{ .Release.Namespace }}"
+  spec:
+    template:
+      spec:
+        containers:
+        - name: redpanda
+          image: docker.redpanda.com/vectorized/redpanda:v24.1.7
+          command:
+          - /bin/bash
+          args:
+          - -c
+          - bash <(curl -s https://raw.githubusercontent.com/DependencyTrack/hyades/main/scripts/create-topics.sh)
+          env:
+          - name: REDPANDA_BROKERS
+            value: "redpanda.{{ .Release.Namespace }}.svc.cluster.local:9092"
+        restartPolicy: OnFailure

charts/hyades/ci/test-values.yaml

@@ -11,38 +11,26 @@ common:
 apiServer:
   resources:
     requests:
-      cpu: 500m
+      cpu: 100m
       memory: 512Mi
     limits:
-      cpu: 500m
+      cpu: "2"
       memory: 512Mi
 
 mirrorService:
-  resources:
+  resources: &hyadesResources
     requests:
-      cpu: 500m
+      cpu: 100m
       memory: 256Mi
     limits:
       cpu: 500m
       memory: 256Mi
 
 repoMetaAnalyzer:
-  resources:
-    requests:
-      cpu: 500m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 256Mi
+  resources: *hyadesResources
 
 vulnAnalyzer:
-  resources:
-    requests:
-      cpu: 500m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 256Mi
+  resources: *hyadesResources
 
 extraObjects:
 - apiVersion: apps/v1

charts/hyades/ci/test-vulnanalyzer-statefulset-values.yaml

@@ -11,39 +11,27 @@ common:
 apiServer:
   resources:
     requests:
-      cpu: 500m
+      cpu: 100m
       memory: 512Mi
     limits:
-      cpu: 500m
+      cpu: "2"
       memory: 512Mi
 
 mirrorService:
-  resources:
+  resources: &hyadesResources
     requests:
-      cpu: 500m
+      cpu: 100m
       memory: 256Mi
     limits:
       cpu: 500m
       memory: 256Mi
 
 repoMetaAnalyzer:
-  resources:
-    requests:
-      cpu: 500m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 256Mi
+  resources: *hyadesResources
 
 vulnAnalyzer:
   useStatefulSet: true
-  resources:
-    requests:
-      cpu: 500m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 256Mi
+  resources: *hyadesResources
   persistentVolume:
     enabled: true
   extraEnv:

charts/hyades/templates/_helpers.tpl

@@ -91,6 +91,92 @@ API server image
 {{- end -}}
 
 
+{{/*
+Initializer labels
+*/}}
+{{- define "hyades.initializerLabels" -}}
+{{ include "hyades.commonLabels" . }}
+{{ include "hyades.initializerSelectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
+
+{{/*
+Initializer selector labels
+*/}}
+{{- define "hyades.initializerSelectorLabels" -}}
+{{ include "hyades.commonSelectorLabels" . }}
+app.kubernetes.io/name: {{ printf "%s-initializer" (include "hyades.name" .) }}
+app.kubernetes.io/component: initializer
+{{- end -}}
+
+{{/*
+Initializer name
+*/}}
+{{- define "hyades.initializerName" -}}
+{{- printf "%s-initializer" (include "hyades.name" .) -}}
+{{- end -}}
+
+{{/*
+Initializer fully qualified name
+*/}}
+{{- define "hyades.initializerFullname" -}}
+{{- printf "%s-initializer" (include "hyades.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Initializer image
+*/}}
+{{- define "hyades.initializerImage" -}}
+{{- if eq (substr 0 7 .Values.initializer.image.tag) "sha256:" -}}
+{{- printf "%s/%s@%s" (.Values.initializer.image.registry | default .Values.common.image.registry) .Values.initializer.image.repository .Values.initializer.image.tag -}}
+{{- else -}}
+{{- printf "%s/%s:%s" (.Values.initializer.image.registry | default .Values.common.image.registry) .Values.initializer.image.repository (.Values.initializer.image.tag | default .Chart.AppVersion) -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Initializer waiter name
+*/}}
+{{- define "hyades.initializerWaiterName" -}}
+{{- printf "%s-waiter" (include "hyades.initializerName" .) -}}
+{{- end -}}
+
+{{/*
+Initializer waiter fully qualified name
+*/}}
+{{- define "hyades.initializerWaiterFullname" -}}
+{{- printf "%s-waiter" (include "hyades.initializerFullname" .) -}}
+{{- end -}}
+
+{{/*
+Initializer waiter image
+*/}}
+{{- define "hyades.initializerWaiterImage" -}}
+{{- if eq (substr 0 7 .Values.initializer.waiter.image.tag) "sha256:" -}}
+{{- printf "%s/%s@%s" (.Values.initializer.waiter.image.registry | default .Values.common.image.registry) .Values.initializer.waiter.image.repository .Values.initializer.waiter.image.tag -}}
+{{- else -}}
+{{- printf "%s/%s:%s" (.Values.initializer.waiter.image.registry | default .Values.common.image.registry) .Values.initializer.waiter.image.repository (.Values.initializer.waiter.image.tag | default .Chart.AppVersion) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Initializer waiter container
+*/}}
+{{- define "hyades.initializerWaiterContainer" -}}
+name: {{ include "hyades.initializerWaiterName" . }}
+image: {{ include "hyades.initializerWaiterImage" . }}
+imagePullPolicy: {{ .Values.initializer.waiter.image.pullPolicy }}
+args:
+- wait
+- --for
+- condition=complete
+- --timeout
+- "5m"
+- job/{{ include "hyades.initializerFullname" . }}
+{{- end -}}
+
+
 {{/*
 Frontend labels
 */}}

charts/hyades/templates/api-server/deployment.yaml

@@ -24,6 +24,9 @@ spec:
       imagePullSecrets: {{- toYaml . | nindent 6 }}
       {{- end }}
       initContainers:
+      {{- if .Values.initializer.enabled }}
+      - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }}
+      {{- end }}
       {{- with .Values.apiServer.initContainers }}
       {{- tpl (toYaml .) $ | nindent 6 }}
       {{- end }}
@@ -48,10 +51,6 @@ spec:
         - name: ALPINE_SECRET_KEY_PATH
           value: "/var/run/secrets/secret.key"
         {{- end }}
-        - name: ALPINE_DATABASE_MODE
-          value: "external"
-        - name: ALPINE_DATABASE_DRIVER
-          value: "org.postgresql.Driver"
         {{- with .Values.common.database.jdbcUrl }}
         - name: ALPINE_DATABASE_URL
           value: {{ tpl . $ | quote }}
@@ -64,6 +63,10 @@ spec:
         - name: ALPINE_DATABASE_PASSWORD
           value: {{ . | quote }}
         {{- end }}
+        {{- if .Values.initializer.enabled }}
+        - name: INIT_TASKS_ENABLED
+          value: "false"
+        {{- end }}
         - name: KAFKA_BOOTSTRAP_SERVERS
           value: {{ tpl .Values.common.kafka.bootstrapServers $ | quote }}
         {{- with .Values.common.kafka.topicPrefix }}