chore(infra): bump chart to 0.3.0 for possible breaking configuration

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.2.11
+version: 0.3.0
 appVersion: latest
 annotations:
   category: Productivity

deployment/helm/charts/onyx/templates/_helpers.tpl

@@ -65,19 +65,23 @@ Create the name of the service account to use
 Set secret name
 */}}
 {{- define "onyx-stack.secretName" -}}
-{{- default (default "onyx-secrets" .Values.auth.secretName) .Values.auth.existingSecret }}
+{{- default .secretName .existingSecret }}
 {{- end }}
 
 {{/*
 Create env vars from secrets
 */}}
 {{- define "onyx-stack.envSecrets" -}}
-    {{- range $name, $key := .Values.auth.secretKeys }}
+    {{- range $secretSuffix, $secretContent := .Values.auth }}
+    {{- if and (ne $secretContent.enabled false) ($secretContent.secretKeys) }}
+    {{- range $name, $key := $secretContent.secretKeys }}
 - name: {{ $name | upper | replace "-" "_" | quote }}
   valueFrom:
     secretKeyRef:
-      name: {{ include "onyx-stack.secretName" $ }}
+      name: {{ include "onyx-stack.secretName" $secretContent }}
       key: {{ default $name $key }}
     {{- end }}
+    {{- end }}
+    {{- end }}
 {{- end }}
 

deployment/helm/charts/onyx/templates/api-deployment.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.api.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.api.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/auth-secrets.yaml

@@ -0,0 +1,17 @@
+{{- if hasKey .Values.auth "secretKeys" }}
+{{- fail "ERROR: Secrets handling has been refactored under 'auth' and must be updated before upgrading to this chart version." }}
+{{- end }}
+{{- range $secretContent := .Values.auth }}
+{{- if and (empty $secretContent.existingSecret) (ne ($secretContent.enabled | default true) false) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "onyx-stack.secretName" $secretContent }}
+type: Opaque
+stringData:
+  {{- range $name, $value := $secretContent.values }}
+  {{ $name }}: {{ $value | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}

deployment/helm/charts/onyx/templates/celery-beat.yaml

@@ -15,8 +15,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_beat.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_beat.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-docfetching.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_docfetching.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_docfetching.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-docprocessing.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_docprocessing.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_docprocessing.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-heavy.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_heavy.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_heavy.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-light.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_light.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_light.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-monitoring.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_monitoring.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_monitoring.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-primary.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_primary.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_primary.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/celery-worker-user-files-indexing.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.celery_worker_user_files_indexing.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.celery_worker_user_files_indexing.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/configmap.yaml

@@ -6,13 +6,21 @@ metadata:
     {{- include "onyx-stack.labels" . | nindent 4 }}
 data:
   INTERNAL_URL: "http://{{ include "onyx-stack.fullname" . }}-api-service:{{ .Values.api.service.port | default 8080 }}"
+  {{- if .Values.postgresql.enabled }}
   POSTGRES_HOST: {{ .Release.Name }}-postgresql
+  {{- end }}
+  {{- if .Values.vespa.enabled }}
   VESPA_HOST: {{ .Values.vespa.name }}.{{ .Values.vespa.service.name }}.{{ .Release.Namespace }}.svc.cluster.local
+  {{- end }}
+  {{- if .Values.redis.enabled }}
   REDIS_HOST: {{ .Release.Name }}-redis-master
+  {{- end }}
   MODEL_SERVER_HOST: "{{ include "onyx-stack.fullname" . }}-inference-model-service"
   INDEXING_MODEL_SERVER_HOST: "{{ include "onyx-stack.fullname" . }}-indexing-model-service"
 {{- range $key, $value := .Values.configMap }}
+{{- if not (empty $value) }}
   {{ $key }}: "{{ $value }}"
+{{- end }}
 {{- end }}
   {{- if .Values.minio.enabled }}
   S3_ENDPOINT_URL: "http://{{ .Release.Name }}-minio:{{ .Values.minio.service.ports.api | default 9000 }}"

deployment/helm/charts/onyx/templates/indexing-model-deployment.yaml

@@ -15,8 +15,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.indexCapability.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.indexCapability.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/inference-model-deployment.yaml

@@ -16,6 +16,8 @@ spec:
       {{- end }}
   template:
     metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
       labels:
         {{- range .Values.inferenceCapability.podLabels }}
         {{ .key }}: {{ .value }}

deployment/helm/charts/onyx/templates/slackbot.yaml

@@ -14,8 +14,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.slackbot.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.slackbot.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/templates/webserver-deployment.yaml

@@ -17,8 +17,9 @@ spec:
       {{- end }}
   template:
     metadata:
-      {{- with .Values.webserver.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.webserver.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

deployment/helm/charts/onyx/values.yaml

@@ -18,7 +18,7 @@ postgresql:
       sizeLimit: 2Gi
   enabled: true
   auth:
-    existingSecret: onyx-secrets
+    existingSecret: onyx-postgresql
     secretKeys:
       # overwriting as postgres typically expects 'postgres-password'
       adminPasswordKey: postgres_password
@@ -567,13 +567,13 @@ redis:
     type: ClusterIP
     port: 6379
   auth:
-    existingSecret: onyx-secrets
+    existingSecret: onyx-redis
     existingSecretPasswordKey: redis_password
 
 minio:
   enabled: true
   auth:
-    existingSecret: onyx-secrets
+    existingSecret: onyx-objectstorage
     rootUserSecretKey: s3_aws_access_key_id
     rootPasswordSecretKey: s3_aws_secret_access_key
   defaultBuckets: "onyx-file-store-bucket"
@@ -602,35 +602,79 @@ letsencrypt:
   enabled: false
   email: "abc@abc.com"
 
+# -- Governs all Secrets created or used by this chart. Values set by this chart will be base64 encoded in the k8s cluster.
 auth:
-  # existingSecret onyx-secret for storing smtp, oauth, slack, and other secrets
-  # keys are lowercased version of env vars (e.g. SMTP_USER -> smtp_user)
-  existingSecret: ""
-  # optionally override the secret keys to reference in the secret
-  # this is used to populate the env vars in individual deployments
-  # the values here reference the keys in secrets below
-  secretKeys:
-    postgres_password: "postgres_password"
-    smtp_pass: ""
-    oauth_client_id: ""
-    oauth_client_secret: ""
-    oauth_cookie_secret: ""
-    redis_password: "redis_password"
-    s3_aws_access_key_id: "s3_aws_access_key_id"
-    s3_aws_secret_access_key: "s3_aws_secret_access_key"
-  # will be overridden by the existingSecret if set
-  secretName: "onyx-secrets"
-  # set values as strings, they will be base64 encoded
-  # this is used to populate the secrets yaml
-  secrets:
-    postgres_password: "postgres"
-    smtp_pass: ""
-    oauth_client_id: ""
-    oauth_client_secret: ""
-    oauth_cookie_secret: ""
-    redis_password: "password"
-    s3_aws_access_key_id: "minioadmin"
-    s3_aws_secret_access_key: "minioadmin"
+  postgresql:
+    # -- Enable or disable this secret entirely. Will remove from env var configurations and remove any created secrets.
+    enabled: true
+    # -- Overwrite the default secret name, ignored if existingSecret is defined
+    secretName: 'onyx-postgresql'
+    # -- Use a secret specified elsewhere
+    existingSecret: ""
+    # -- This defines the env var to secret map, key is always upper-cased as an env var
+    secretKeys:
+      POSTGRES_PASSWORD: "postgres_password"
+    # -- Secrets values IF existingSecret is empty. Key here must match the value in secretKeys to be used. Values will be base64 encoded in the k8s cluster.
+    values:
+      postgres_password: "postgres"
+  redis:
+    # -- Enable or disable this secret entirely. Will remove from env var configurations and remove any created secrets.
+    enabled: true
+    # -- Overwrite the default secret name, ignored if existingSecret is defined
+    secretName: 'onyx-redis'
+    # -- Use a secret specified elsewhere
+    existingSecret: ""
+    # -- This defines the env var to secret map, key is always upper-cased as an env var
+    secretKeys:
+      REDIS_PASSWORD: redis_password
+    # -- Secrets values IF existingSecret is empty. Key here must match the value in secretKeys to be used. Values will be base64 encoded in the k8s cluster.
+    values:
+      redis_password: "password"
+  objectstorage:
+    # -- Enable or disable this secret entirely. Will remove from env var configurations and remove any created secrets.
+    enabled: true
+    # -- Overwrite the default secret name, ignored if existingSecret is defined
+    secretName: 'onyx-objectstorage'
+    # -- Use a secret specified elsewhere
+    existingSecret: ""
+    # -- This defines the env var to secret map, key is always upper-cased as an env var
+    secretKeys:
+      S3_AWS_ACCESS_KEY_ID: s3_aws_access_key_id
+      S3_AWS_SECRET_ACCESS_KEY: s3_aws_secret_access_key
+    # -- Secrets values IF existingSecret is empty. Key here must match the value in secretKeys to be used. Values will be base64 encoded in the k8s cluster.
+    values:
+      s3_aws_access_key_id: "minioadmin"
+      s3_aws_secret_access_key: "minioadmin"
+  oauth:
+    # -- Enable or disable this secret entirely. Will remove from env var configurations and remove any created secrets.
+    enabled: false
+    # -- Overwrite the default secret name, ignored if existingSecret is defined
+    secretName: 'onyx-oauth'
+    # -- Use a secret specified elsewhere
+    existingSecret: ""
+    # -- This defines the env var to secret map, key is always upper-cased as an env var
+    secretKeys:
+      OAUTH_CLIENT_ID: "oauth_client_id"
+      OAUTH_CLIENT_SECRET: "oauth_client_secret"
+      OAUTH_COOKIE_SECRET: "oauth_cookie_secret"
+    # -- Secrets values IF existingSecret is empty. Key here must match the value in secretKeys to be used. Values will be base64 encoded in the k8s cluster.
+    values:
+      oauth_client_id: ""
+      oauth_client_secret: ""
+      oauth_cookie_secret: ""
+  smtp:
+    # -- Enable or disable this secret entirely. Will remove from env var configurations and remove any created secrets.
+    enabled: false
+    # -- Overwrite the default secret name, ignored if existingSecret is defined
+    secretName: 'onyx-smtp'
+    # -- Use a secret specified elsewhere
+    existingSecret: ""
+    # -- This defines the env var to secret map, key is always upper-cased as an env var
+    secretKeys:
+      SMTP_PASS: "smtp_pass"
+    # -- Secrets values IF existingSecret is empty. Key here must match the value in secretKeys to be used. Values will be base64 encoded in the k8s cluster.
+    values:
+      smtp_pass: ""
 
 configMap:
   # Change this for production uses unless Onyx is only accessible behind VPN