From 0f7cb6dc8a2100a50f16811f0a2a4d96c06021aa Mon Sep 17 00:00:00 2001 From: Mihail Radkov Date: Mon, 21 Oct 2024 21:32:55 +0300 Subject: [PATCH 1/2] Added new license configurations Added new configuration properties for the license that aim to improve the configurability if needed. The new properties are as follows: - Added `license.mountPath` to configure where the license volume is mounted - Added `license.optional` to configure the license volume as optional if needed - Added `license.readOnly` to configure the read/write mode of the license volume mount Additionally, changed the license directory to `/opt/graphdb/home/conf/license/` with `license.mountPath` in order to avoid using a `subPath` volume mount. This allows kubelet to update the license when the Secret has been updated. Finally, changed the license volume mount as read-only by default with `license.readOnly` --- CHANGELOG.md | 10 ++++++++++ templates/graphdb/configmap-properties.yaml | 1 + templates/graphdb/statefulset.yaml | 5 +++-- values.yaml | 11 +++++++++++ 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58bc231..0d36d80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,9 +2,19 @@ ## Version 11.3.0 +### New + +- Added new configuration properties for the license + - Added `license.mountPath` to configure where the license volume is mounted + - Added `license.optional` to configure the license volume as optional if needed + - Added `license.readOnly` to configure the read/write mode of the license volume mount + ### Updated - Removed any pre-install, pre-upgrade, pre-rollback Helm hooks annotations to allow seamless ArgoCD deployments. +- Changed the license directory to `/opt/graphdb/home/conf/license/` with `license.mountPath` in order to avoid using a `subPath` volume + mount. This allows kubelet to update the license when the Secret has been updated. +- Changed the license volume mount as read-only by default with `license.readOnly` ## Version 11.2.2 diff --git a/templates/graphdb/configmap-properties.yaml b/templates/graphdb/configmap-properties.yaml index a5a2469..f7ba910 100644 --- a/templates/graphdb/configmap-properties.yaml +++ b/templates/graphdb/configmap-properties.yaml @@ -15,6 +15,7 @@ data: # See https://graphdb.ontotext.com/documentation/ for supported properties graphdb.connector.port={{ .Values.containerPorts.http }} graphdb.append.request.id.headers=true + graphdb.license.file={{ .Values.license.mountPath | trimSuffix "/" }}/{{ .Values.license.licenseFilename }} graphdb.workbench.importDirectory=/opt/graphdb/home/graphdb-import graphdb.ontop.jdbc.path=/opt/graphdb/home/jdbc-driver graphdb.extra.plugins=/opt/graphdb/home/extra-plugins diff --git a/templates/graphdb/statefulset.yaml b/templates/graphdb/statefulset.yaml index 90f1c11..3aca1d8 100644 --- a/templates/graphdb/statefulset.yaml +++ b/templates/graphdb/statefulset.yaml 
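Review bot: The added `graphdb.license.file=...` line in templates/graphdb/configmap-properties.yaml is rendered unconditionally, while the `graphdb-license` volume and its mount in statefulset.yaml exist only inside `{{- if .Values.license.existingSecret }}`. With no Secret configured, or with `license.optional: true` and the Secret not yet created, the property names a file that is not there, and this patch does not show how GraphDB treats a configured but missing license file. Wrapping the line in `{{- if .Values.license.existingSecret }}` and `{{- end }}` would keep the two templates consistent. The ConfigMap data block starts and ends outside the hunk, so an enclosing condition may exist that is not visible here.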
@@ -115,6 +115,7 @@ spec: - name: graphdb-license secret: secretName: {{ tpl .Values.license.existingSecret . }} + optional: {{ .Values.license.optional }} {{- end }} {{- if or .Values.security.enabled .Values.configuration.initialSettings.existingConfigmap }} - name: graphdb-initial-settings-config @@ -346,8 +347,8 @@ spec: mountPath: /tmp {{- if .Values.license.existingSecret }} - name: graphdb-license - mountPath: /opt/graphdb/home/conf/graphdb.license - subPath: {{ .Values.license.licenseFilename }} + mountPath: {{ .Values.license.mountPath }} + readOnly: {{ .Values.license.readOnly }} {{- end }} {{- if .Values.configuration.logback.existingConfigmap }} - name: graphdb-logback-config diff --git a/values.yaml b/values.yaml index 9d4407c..021cbb7 100644 --- a/values.yaml +++ b/values.yaml @@ -129,6 +129,17 @@ license: # File name of the GraphDB license file in the existing license secret. # The default is graphdb.license, but it can be changed to map to a different secret key. licenseFilename: graphdb.license + # Directory where the license file will be mounted. + # Can be used to place the license outside the persistence directory if needed. + # Note: We use the license/ sub-folder instead of subPath volume mount so kubelet can replace the mounted license at runtime when the + # Secret is updated with a new GraphDB license. This avoids having to restart the GraphDB pods. + mountPath: /opt/graphdb/home/conf/license/ + # Defines the secret volume as optional or not. + # Note: Useful if the GraphDB license has not yet been provisioned but will be, for example by an external system or an operator such as + # External Secret Operator. + optional: false + # Marks the secret mount as read-only to prevent any modifications to the license file. + readOnly: true # GraphDB runtime configuration settings. # For reference, see https://graphdb.ontotext.com/documentation/10.7/directories-and-config-properties.html 
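Review bot: The `graphdb-license` Secret volume in the first statefulset.yaml hunk has no `items:` list, so once the `subPath` mount becomes a directory mount, every key of the Secret named by `license.existingSecret` is projected into the container, not only the license file. If that Secret is shared or carries other keys, they become readable by the GraphDB process. Adding an `items:` entry whose `key` and `path` are both `{{ .Values.license.licenseFilename }}` keeps the exposure as narrow as before and still lets kubelet refresh the file when the Secret changes. The volumes list continues outside the hunk.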
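Review bot: `mountPath: {{ .Values.license.mountPath }}` in the second statefulset.yaml hunk is rendered unquoted and unchecked, and a Secret volume mounted on a directory hides whatever that directory already contains. Setting `license.mountPath` back to the old location `/opt/graphdb/home/conf` would shadow any other files there, which presumably include other configuration, although the patch does not show the directory's contents. I would render it as `mountPath: {{ .Values.license.mountPath | quote }}` and state in values.yaml that the path must be a directory dedicated to the license. The volumeMounts list continues outside the hunk.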
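Review bot: The comment on `license.readOnly` in values.yaml promises more than the flag delivers. As far as I know, kubelet mounts Secret volumes read-only regardless of this field, so `readOnly: false` would not make the license writable. I would reword it to `# Sets readOnly on the license volume mount; Secret volumes are mounted read-only by kubelet either way.` The comment on `optional` could also say that the pod starts without a license file until the Secret appears, so operators know what to expect in that window.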
From c72156de1a1969bcfc29910781e58653325b7ad5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 21 Oct 2024 18:34:01 +0000 Subject: [PATCH 2/2] Updated the README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8d462b0..115618c 100644 --- a/README.md +++ b/README.md @@ -439,6 +439,9 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a | labels | object | `{}` | | | license.existingSecret | string | `""` | | | license.licenseFilename | string | `"graphdb.license"` | | +| license.mountPath | string | `"/opt/graphdb/home/conf/license/"` | | +| license.optional | bool | `false` | | +| license.readOnly | bool | `true` | | | livenessProbe.httpGet.path | string | `"/protocol"` | | | livenessProbe.httpGet.port | string | `"http"` | | | livenessProbe.initialDelaySeconds | int | `60` | |