Adding health probes, resource requests and fixing container permissions (#210)

* Adding health probes and fixing container permissions

* Bump version

* Cleanup

* No ServiceAccount anymore

* No ServiceAccount anymore

* Update pull secrets

* Fixing yaml issue

* Fixed resource requests and limits

* Bumping version

Author: jansenfuller

.github/workflows/helm-test.yml

@@ -49,7 +49,6 @@ jobs:
           grep -q 'kind: Deployment' /tmp/helm-sqlite.yaml
           grep -q 'kind: Service' /tmp/helm-sqlite.yaml
           grep -q 'kind: Ingress' /tmp/helm-sqlite.yaml
-          grep -q 'kind: ServiceAccount' /tmp/helm-sqlite.yaml
 
           # Verify SQLite-specific rendering
           grep -q 'emptyDir' /tmp/helm-sqlite.yaml
@@ -82,7 +81,6 @@ jobs:
           grep -q 'kind: Deployment' /tmp/helm-postgres.yaml
           grep -q 'kind: Service' /tmp/helm-postgres.yaml
           grep -q 'kind: Secret' /tmp/helm-postgres.yaml
-          grep -q 'kind: ServiceAccount' /tmp/helm-postgres.yaml
 
           # Verify PostgreSQL-specific rendering
           grep -q 'kind: HTTPRoute' /tmp/helm-postgres.yaml

helm/taskchampion-sync-server/.helmignore

@@ -1,5 +1,5 @@
 # Patterns to ignore when building the Helm chart
 .git
-.gitignore
-*.md
 examples/
+.DS_Store
+*.tgz

helm/taskchampion-sync-server/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: taskchampion-sync-server
 description: A Helm chart for deploying TaskChampion Sync Server on Kubernetes
 type: application
-version: 0.1.2
+version: 0.2.0
 appVersion: "0.7.0"
 keywords:
   - taskchampion

helm/taskchampion-sync-server/examples/postgres-values.yaml

@@ -10,17 +10,20 @@ postgres:
 clientIdSecret: "taskchampion-client-ids"
 
 env:
-  RUST_LOG: debug
-  LISTEN: "0.0.0.0:8080"
-  CREATE_CLIENTS: "false"
+  - name: RUST_LOG
+    value: debug
+  - name: LISTEN
+    value: "0.0.0.0:8080"
+  - name: CREATE_CLIENTS
+    value: "false"
 
 replicas:
   enabled: true
   count: 3
 
 image:
   pullSecrets:
-    - my-registry-secret
+    - name: my-registry-secret
 
 httpRoute:
   enabled: true

helm/taskchampion-sync-server/examples/sqlite-values.yaml

@@ -12,9 +12,12 @@ postgres:
 clientIdSecret: "taskchampion-client-ids"
 
 env:
-  RUST_LOG: info
-  LISTEN: "0.0.0.0:8080"
-  CREATE_CLIENTS: "false"
+  - name: RUST_LOG
+    value: info
+  - name: LISTEN
+    value: "0.0.0.0:8080"
+  - name: CREATE_CLIENTS
+    value: "false"
 
 ingress:
   enabled: true

helm/taskchampion-sync-server/templates/NOTES.txt

@@ -0,0 +1,46 @@
+Thank you for installing {{ .Chart.Name }} — version {{ .Chart.Version }} (app: {{ .Chart.AppVersion }}).
+
+## Storage Backend
+
+{{- if eq .Values.sqlite.enabled true }}
+**SQLite** — Data is stored at `{{ .Values.sqlite.dataDir }}`.
+{{- if .Values.sqlite.persistence.enabled }}
+  PersistentVolumeClaim: `{{ include "taskchampion-sync-server.fullname" . }}-pvc`
+{{- else if .Values.sqlite.existingPV }}
+  Using existing PVC: `{{ .Values.sqlite.existingPV }}`
+{{- else }}
+  Using an emptyDir volume (ephemeral — data is lost on pod restart).
+  Set `sqlite.persistence.enabled=true` for persistent storage.
+{{- end }}
+{{- end }}
+
+{{- if eq .Values.postgres.enabled true }}
+**PostgreSQL** — Connection URI stored in Secret `{{ include "taskchampion-sync-server.postgres-secret-name" . }}`.
+  Host: {{ .Values.postgres.host }}:{{ .Values.postgres.port }}
+  Database: {{ .Values.postgres.database }}
+{{- end }}
+
+## Verify the Deployment
+
+  kubectl get pods -l {{ include "taskchampion-sync-server.selectorLabels" . | replace ": " "=" | replace "\n" "," | trimSuffix "," }}
+
+## Check Pod Logs
+
+  kubectl logs -l {{ include "taskchampion-sync-server.selectorLabels" . | replace ": " "=" | replace "\n" "," | trimSuffix "," }}
+
+## Test the API
+
+  kubectl port-forward svc/{{ include "taskchampion-sync-server.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }}
+  curl http://localhost:{{ .Values.service.port }}/
+
+## View Connection Secret (PostgreSQL only)
+
+{{- if eq .Values.postgres.enabled true }}
+  kubectl get secret {{ include "taskchampion-sync-server.postgres-secret-name" . }} -o jsonpath="{.data.connection}" | base64 -d
+{{- end }}
+
+## Configuration
+
+For full configuration options, see:
+
+  https://github.com/GothenburgBitFactory/taskchampion-sync-server

helm/taskchampion-sync-server/templates/_helpers.tpl

@@ -23,6 +23,7 @@ taskchampion-sync-server helpers
 helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 app.kubernetes.io/name: {{ include "taskchampion-sync-server.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: server
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
@@ -32,13 +33,6 @@ app.kubernetes.io/name: {{ include "taskchampion-sync-server.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
-{{- define "taskchampion-sync-server.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "taskchampion-sync-server.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
 
 {{- define "taskchampion-sync-server.postgres-connection" -}}
   {{- $host := .Values.postgres.host -}}

helm/taskchampion-sync-server/templates/deployment.yaml

@@ -18,10 +18,10 @@ spec:
       labels:
         {{- include "taskchampion-sync-server.selectorLabels" . | nindent 8 }}
     spec:
-      {{- if .Values.serviceAccount.create }}
-      serviceAccountName: {{ include "taskchampion-sync-server.fullname" . }}
-      {{- else if .Values.serviceAccount.name }}
-      serviceAccountName: {{ .Values.serviceAccount.name }}
+
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
@@ -32,6 +32,8 @@ spec:
           imagePullPolicy: {{ .Values.postgres.initContainer.imagePullPolicy }}
           securityContext:
             allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 999
           env:
             - name: PGURI
               valueFrom:
@@ -90,11 +92,18 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
             allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1092
+            readOnlyRootFilesystem: true
+          {{- if eq .Values.postgres.enabled true }}
+          command:
+            - /bin/taskchampion-sync-server-postgres
+          {{- else }}
+          command:
+            - /bin/taskchampion-sync-server
+          {{- end }}
           env:
-            {{- range $name, $value := .Values.env }}
-            - name: {{ $name }}
-              value: {{ $value | quote }}
-            {{- end }}
+            {{- toYaml .Values.env | nindent 12 }}
             {{- if .Values.clientIdSecret }}
             - name: CLIENT_ID
               valueFrom:
@@ -117,9 +126,24 @@ spec:
             - name: http
               containerPort: {{ .Values.service.targetPort }}
               protocol: TCP
-          {{- with .Values.resources }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          {{- if eq .Values.postgres.enabled true }}
+          resources:
+            {{- toYaml .Values.postgres.resources | nindent 12 }}
+          {{- else }}
           resources:
-            {{- toYaml . | nindent 12 }}
+            {{- toYaml .Values.sqlite.resources | nindent 12 }}
           {{- end }}
           {{- if eq .Values.sqlite.enabled true }}
           volumeMounts:

helm/taskchampion-sync-server/templates/ingress.yaml

@@ -18,16 +18,41 @@ spec:
     {{- toYaml .Values.ingress.tls | nindent 4 }}
   {{- end }}
   rules:
+    {{- $svcName := include "taskchampion-sync-server.fullname" . -}}
+    {{- $svcPort := $.Values.service.port -}}
     {{- range .Values.ingress.hosts }}
+    {{- if kindIs "string" . }}
     - host: {{ . | quote }}
       http:
         paths:
           - path: /
             pathType: Prefix
             backend:
               service:
-                name: {{ include "taskchampion-sync-server.fullname" $ }}
+                name: {{ $svcName }}
                 port:
-                  number: {{ $.Values.service.port }}
+                  number: {{ $svcPort }}
+    {{- else }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path | default "/" | quote }}
+            pathType: {{ .pathType | default "Prefix" }}
+            backend:
+              service:
+                name: {{ $svcName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- else }}
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $svcName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
     {{- end }}
 {{- end }}