diff --git a/charts/fleet/templates/deployment.yaml b/charts/fleet/templates/deployment.yaml index eca1eb899c..2b9ee2f8b8 100644 --- a/charts/fleet/templates/deployment.yaml +++ b/charts/fleet/templates/deployment.yaml @@ -31,15 +31,8 @@ spec: spec: containers: - name: fleet - command: - {{- if .Values.fleet.autoApplySQLMigrations }} - - /bin/sh - - -c - - /usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve - {{ else }} - - /usr/bin/fleet - - serve - {{- end }} + command: [/usr/bin/fleet] + args: ["serve"] image: fleetdm/fleet:{{ .Values.imageTag }} ports: - name: fleet diff --git a/charts/fleet/templates/job-migration.yaml b/charts/fleet/templates/job-migration.yaml new file mode 100644 index 0000000000..7a3f2f2bec --- /dev/null +++ b/charts/fleet/templates/job-migration.yaml @@ -0,0 +1,138 @@ +{{- if .Values.fleet.autoApplySQLMigrations }} +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app: fleet + chart: fleet + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: fleet-migration + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: +{{- with .Values.podAnnotations }} + annotations: +{{- toYaml . | trim | nindent 8 }} +{{- end }} + labels: + app: fleet + chart: fleet + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + restartPolicy: Never + containers: + - name: fleet-migration + command: [/usr/bin/fleet] + args: ["prepare","db","--no-prompt"] + image: fleetdm/fleet:{{ .Values.imageTag }} + resources: + limits: + cpu: {{ .Values.resources.limits.cpu }} + memory: {{ .Values.resources.limits.memory }} + requests: + cpu: {{ .Values.resources.requests.cpu }} + memory: {{ .Values.resources.requests.memory }} + env: + - name: FLEET_SERVER_ADDRESS + value: "0.0.0.0:{{ .Values.fleet.listenPort }}" + - name: FLEET_AUTH_BCRYPT_COST + value: "{{ .Values.fleet.auth.bcryptCost }}" + - name: FLEET_AUTH_SALT_KEY_SIZE + value: "{{ .Values.fleet.auth.saltKeySize }}" + - name: FLEET_APP_TOKEN_KEY_SIZE + value: "{{ .Values.fleet.app.tokenKeySize }}" + - name: FLEET_APP_TOKEN_VALIDITY_PERIOD + value: "{{ .Values.fleet.app.inviteTokenValidityPeriod }}" + - name: FLEET_SESSION_KEY_SIZE + value: "{{ .Values.fleet.session.keySize }}" + - name: FLEET_SESSION_DURATION + value: "{{ .Values.fleet.session.duration }}" + - name: FLEET_LOGGING_DEBUG + value: "{{ .Values.fleet.logging.debug }}" + - name: FLEET_LOGGING_JSON + value: "{{ .Values.fleet.logging.json }}" + - name: FLEET_LOGGING_DISABLE_BANNER + value: "{{ .Values.fleet.logging.disableBanner }}" + - name: FLEET_SERVER_TLS + value: "{{ .Values.fleet.tls.enabled }}" + {{- if .Values.fleet.tls.enabled }} + - name: FLEET_SERVER_TLS_COMPATIBILITY + value: "{{ .Values.fleet.tls.compatibility }}" + - name: FLEET_SERVER_CERT + value: "/secrets/tls/{{ .Values.fleet.tls.certSecretKey }}" + - name: FLEET_SERVER_KEY + value: "/secrets/tls/{{ .Values.fleet.tls.keySecretKey }}" + {{- end }} + ## END FLEET SECTION + ## BEGIN MYSQL SECTION + - name: FLEET_MYSQL_ADDRESS + value: "{{ .Values.mysql.address }}" + - name: FLEET_MYSQL_DATABASE + value: "{{ .Values.mysql.database }}" + - name: FLEET_MYSQL_USERNAME + value: "{{ .Values.mysql.username }}" + - name: FLEET_MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.mysql.secretName }} + key: {{ .Values.mysql.passwordKey }} + - name: FLEET_MYSQL_MAX_OPEN_CONNS + value: "{{ .Values.mysql.maxOpenConns }}" + - name: FLEET_MYSQL_MAX_IDLE_CONNS + value: "{{ .Values.mysql.maxIdleConns }}" + - name: FLEET_MYSQL_CONN_MAX_LIFETIME + value: "{{ .Values.mysql.connMaxLifetime }}" + {{- if .Values.mysql.tls.enabled }} + - name: FLEET_MYSQL_TLS_CA + value: "/secrets/mysql/{{ .Values.mysql.tls.caCertKey }}" + - name: FLEET_MYSQL_TLS_CERT + value: "/secrets/mysql/{{ .Values.mysql.tls.certKey }}" + - name: FLEET_MYSQL_TLS_KEY + value: "/secrets/mysql/{{ .Values.mysql.tls.keyKey }}" + - name: FLEET_MYSQL_TLS_CONFIG + value: "{{ .Values.mysql.tls.config }}" + - name: FLEET_MYSQL_TLS_SERVER_NAME + value: "{{ .Values.mysql.tls.serverName }}" + {{- end }} + ## END MYSQL SECTION + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 3333 + runAsUser: 3333 + runAsNonRoot: true + volumeMounts: + {{- if .Values.mysql.tls.enabled }} + - name: mysql-tls + readOnly: true + mountPath: /secrets/mysql + {{- end }} + volumes: + {{- if .Values.mysql.tls.enabled }} + - name: mysql-tls + secret: + secretName: "{{ .Values.mysql.secretName }}" + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index 8a8eba59f4..f168675604 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml @@ -44,8 +44,7 @@ fleet: # Name of the Secret resource storing TLS and S3 bucket secrets secretName: fleet # Whether or not to run `fleet db prepare` to run SQL migrations before starting Fleet - # WARNING: This may cause database corruption if more than one migration is attempted at a time - autoApplySQLMigrations: false + autoApplySQLMigrations: true tls: enabled: true compatibility: modern