{{$stlServiceName := include "lib.call-nested" (list . "sawtooth" "common.names.fullname")}} --- apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ include "common.names.fullname" . }}-chronicle labels: {{ include "chronicle.labels" . | nindent 4 }} component: chronicle spec: replicas: {{ include "chronicle.replicas" . }} selector: matchLabels: {{ include "chronicle.labels.matchLabels" . | nindent 6 }} component: chronicle serviceName: {{ include "common.names.fullname" . }} template: metadata: labels: {{ include "chronicle.labels" . | nindent 8 }} component: chronicle spec: serviceAccountName: {{ include "lib.serviceAccountName" . }} affinity: {{ include "lib.safeToYaml" .Values.affinity | nindent 8 }} initContainers: - name: chronicle-permissions image: busybox:1.36 command: [ "sh", "-c"] args: - | chown -R 999:999 /var/lib/chronicle || true volumeMounts: - name: chronicle-config mountPath: /etc/chronicle/config/ - name: chronicle-secrets mountPath: /var/lib/chronicle/secrets/ readOnly: false - name: chronicle-keystore {{- include "lib.image" (dict "imageRoot" .Values.image "global" .Values.global ) | nindent 10 }} command: [ "bash", "-c"] args: - | /usr/local/bin/chronicle \ -c /etc/chronicle/config/config.toml \ verify-keystore env: {{ include "lib.safeToYaml" .Values.env | nindent 12 }} - name: RUST_LOG value: {{ .Values.logLevel }} volumeMounts: - name: chronicle-config mountPath: /etc/chronicle/config/ - name: chronicle-secrets mountPath: /var/lib/chronicle/secrets/ readOnly: false {{- if and .Values.opa.enabled .Values.opa.policy.url }} - name: wait-for-opa-settings {{- include "lib.image" (dict "imageRoot" .Values.sawset.image "global" .Values.global ) | nindent 10 }} command: [ "bash", "-exc"] args: - | keepTrying=true while [ $keepTrying = "true" ]; do if sawtooth settings list --url http://$HOST:$PORT | grep -q "chronicle.opa.policy_name"; then break else echo "Waiting for OPA policy id." sleep 10 fi done env: - name: HOST value: {{ $stlServiceName }}.{{ .Release.Namespace }}.svc.cluster.local - name: PORT value: "{{ include "chronicle.sawtooth.rest" . }}" {{- end }} containers: {{- if .Values.postgres.enabled }} - name: postgres {{- include "lib.image" (dict "imageRoot" .Values.postgres.image "global" .Values.global ) | nindent 10 }} ports: - containerPort: {{.Values.postgres.port }} resources: {{- include "lib.safeToYaml" .Values.postgres.resources | nindent 12 }} env: - name: PGDATA value: /data/chronicle - name: POSTGRES_PASSWORD {{- if .Values.postgres.existingPasswordSecret }} valueFrom: secretKeyRef: name: {{ .Values.postgres.existingPasswordSecret }} key: {{ .Values.postgres.existingPasswordSecretKey }} {{- else }} value: {{ .Values.postgres.password }} {{- end }} {{- include "lib.safeToYaml" .Values.postgres.env | nindent 12 }} volumeMounts: - mountPath: /data name: "pgdata" {{- include "lib.volumeMounts" .Values.extraVolumeMounts | nindent 12 }} {{- end }} - name: chronicle {{- include "lib.image" (dict "imageRoot" .Values.image "global" .Values.global ) | nindent 10 }} ports: - containerPort: {{ .Values.port }} command: [ "bash", "-c"] args: - | {{ if .Values.auth.required }} {{ if and (not .Values.auth.jwks.url) (not .Values.auth.userinfo.url) (not .Values.devIdProvider.enabled) }} {{ required "If auth.required you need to provide at least auth.jwks.url or auth.userinfo.url" .Values.auth.jwks.url }} {{ end }} {{ end }} echo "Waiting 20 seconds for postgres to start"; sleep 20; chronicle \ -c /etc/chronicle/config/config.toml \ --console-logging json \ --sawtooth tcp://{{ include "chronicle.sawtooth.service" . }}:{{ include "chronicle.sawtooth.sawcomp" . }} \ --remote-database \ --database-name {{ .Values.postgres.database }} \ --database-username {{ .Values.postgres.user }} \ --database-host {{ .Values.postgres.host }} \ {{- if not .Values.opa.enabled }} --embedded-opa-policy \ {{- end }} serve-api \ --interface 0.0.0.0:{{ .Values.port}} \ {{- if .Values.auth.required }} --require-auth \ --id-claims {{ .Values.auth.id.claims }} \ {{- if .Values.auth.jwks.enabled }} --jwks-address {{ include "chronicle.jwksUrl" . }} \ {{- end }} {{- if .Values.auth.userinfo.url }} --userinfo-address {{ include "chronicle.userinfoUrl" . }} \ {{- end }} {{- end }} ; env: {{ include "lib.safeToYaml" .Values.env | nindent 12 }} - name: RUST_LOG value: {{ .Values.logLevel }} - name: PGPASSWORD {{- if .Values.postgres.existingPasswordSecret }} valueFrom: secretKeyRef: name: {{ .Values.postgres.existingPasswordSecret }} key: {{ .Values.postgres.existingPasswordSecretKey }} {{- else }} value: {{ .Values.postgres.password }} {{- end }} {{- include "lib.safeToYaml" .Values.postgres.env | nindent 12 }} resources: {{- include "lib.safeToYaml" .Values.resources | nindent 12 }} volumeMounts: - name: chronicle-config mountPath: /etc/chronicle/config/ - name: chronicle-secrets mountPath: /var/lib/chronicle/secrets/ readOnly: true - name: chronicle-data mountPath: /var/lib/chronicle/store/ {{- include "lib.volumeMounts" .Values.extraVolumeMounts | nindent 12 }} volumes: - name: chronicle-secrets persistentVolumeClaim: claimName: chronicle-secrets - name: chronicle-data persistentVolumeClaim: claimName: chronicle-data - name: chronicle-config configMap: name: {{ .Release.Name }}-chronicle-config {{- if not .Values.postgres.persistence.enabled }} - name: "pgdata" emptyDir: {} {{- end }} volumeClaimTemplates: - metadata: name: chronicle-data spec: accessModes: - ReadWriteOnce resources: requests: storage: 6Gi {{- if .Values.postgres.persistence.enabled }} - metadata: name: "pgdata" annotations: {{- include "lib.safeToYaml" .Values.postgres.persistence.annotations | nindent 10 }} spec: accessModes: {{- include "lib.safeToYaml" .Values.postgres.persistence.accessModes | nindent 10 }} storageClassName: {{ .Values.postgres.persistence.storageClass | quote }} resources: requests: storage: {{ .Values.postgres.persistence.size | quote }} {{- end }}