From ab560df532d46a85526cbace1652e64188c77dda Mon Sep 17 00:00:00 2001 From: Jason Staack Date: Tue, 17 Mar 2026 18:39:30 -0500 Subject: [PATCH] chore(helm): remove old chart templates for rewrite Co-Authored-By: Claude Opus 4.6 (1M context) --- infrastructure/helm/templates/_helpers.tpl | 171 ------------------ .../helm/templates/api-deployment.yaml | 76 -------- .../helm/templates/api-service.yaml | 15 -- infrastructure/helm/templates/configmap.yaml | 21 --- .../helm/templates/frontend-deployment.yaml | 56 ------ infrastructure/helm/templates/ingress.yaml | 57 ------ .../helm/templates/nats-statefulset.yaml | 115 ------------ .../helm/templates/poller-deployment.yaml | 62 ------- .../helm/templates/postgres-statefulset.yaml | 137 -------------- .../helm/templates/redis-deployment.yaml | 60 ------ infrastructure/helm/templates/secrets.yaml | 15 -- 11 files changed, 785 deletions(-) delete mode 100644 infrastructure/helm/templates/_helpers.tpl delete mode 100644 infrastructure/helm/templates/api-deployment.yaml delete mode 100644 infrastructure/helm/templates/api-service.yaml delete mode 100644 infrastructure/helm/templates/configmap.yaml delete mode 100644 infrastructure/helm/templates/frontend-deployment.yaml delete mode 100644 infrastructure/helm/templates/ingress.yaml delete mode 100644 infrastructure/helm/templates/nats-statefulset.yaml delete mode 100644 infrastructure/helm/templates/poller-deployment.yaml delete mode 100644 infrastructure/helm/templates/postgres-statefulset.yaml delete mode 100644 infrastructure/helm/templates/redis-deployment.yaml delete mode 100644 infrastructure/helm/templates/secrets.yaml diff --git a/infrastructure/helm/templates/_helpers.tpl b/infrastructure/helm/templates/_helpers.tpl deleted file mode 100644 index c1b7855..0000000 --- a/infrastructure/helm/templates/_helpers.tpl +++ /dev/null 
@@ -1,171 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "the-other-dude.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "the-other-dude.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "the-other-dude.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels applied to all resources. -*/}} -{{- define "the-other-dude.labels" -}} -helm.sh/chart: {{ include "the-other-dude.chart" . }} -{{ include "the-other-dude.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels — used in Deployments/Services to match pods. -*/}} -{{- define "the-other-dude.selectorLabels" -}} -app.kubernetes.io/name: {{ include "the-other-dude.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -API component labels -*/}} -{{- define "the-other-dude.apiLabels" -}} -{{ include "the-other-dude.labels" . }} -app.kubernetes.io/component: api -{{- end }} - -{{/* -API selector labels -*/}} -{{- define "the-other-dude.apiSelectorLabels" -}} -{{ include "the-other-dude.selectorLabels" . 
}} -app.kubernetes.io/component: api -{{- end }} - -{{/* -Frontend component labels -*/}} -{{- define "the-other-dude.frontendLabels" -}} -{{ include "the-other-dude.labels" . }} -app.kubernetes.io/component: frontend -{{- end }} - -{{/* -Frontend selector labels -*/}} -{{- define "the-other-dude.frontendSelectorLabels" -}} -{{ include "the-other-dude.selectorLabels" . }} -app.kubernetes.io/component: frontend -{{- end }} - -{{/* -PostgreSQL component labels -*/}} -{{- define "the-other-dude.postgresLabels" -}} -{{ include "the-other-dude.labels" . }} -app.kubernetes.io/component: postgres -{{- end }} - -{{/* -PostgreSQL selector labels -*/}} -{{- define "the-other-dude.postgresSelectorLabels" -}} -{{ include "the-other-dude.selectorLabels" . }} -app.kubernetes.io/component: postgres -{{- end }} - -{{/* -Redis component labels -*/}} -{{- define "the-other-dude.redisLabels" -}} -{{ include "the-other-dude.labels" . }} -app.kubernetes.io/component: redis -{{- end }} - -{{/* -Redis selector labels -*/}} -{{- define "the-other-dude.redisSelectorLabels" -}} -{{ include "the-other-dude.selectorLabels" . }} -app.kubernetes.io/component: redis -{{- end }} - -{{/* -Create the name of the service account to use. -*/}} -{{- define "the-other-dude.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "the-other-dude.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -Database URL for the API service (constructed from service names). -Uses external URL if postgres.enabled=false. -*/}} -{{- define "the-other-dude.databaseUrl" -}} -{{- if .Values.postgres.enabled }} -{{- printf "postgresql+asyncpg://%s:%s@%s-postgres:%d/%s" .Values.postgres.auth.username .Values.secrets.dbPassword (include "the-other-dude.fullname" .) 
(int .Values.postgres.service.port) .Values.postgres.auth.database }} -{{- else }} -{{- .Values.postgres.externalUrl }} -{{- end }} -{{- end }} - -{{/* -App user database URL (RLS enforced). -*/}} -{{- define "the-other-dude.appUserDatabaseUrl" -}} -{{- if .Values.postgres.enabled }} -{{- printf "postgresql+asyncpg://%s:%s@%s-postgres:%d/%s" .Values.postgres.auth.appUsername .Values.secrets.dbAppPassword (include "the-other-dude.fullname" .) (int .Values.postgres.service.port) .Values.postgres.auth.database }} -{{- else }} -{{- .Values.postgres.externalUrl }} -{{- end }} -{{- end }} - -{{/* -Sync database URL for Alembic migrations. -*/}} -{{- define "the-other-dude.syncDatabaseUrl" -}} -{{- if .Values.postgres.enabled }} -{{- printf "postgresql+psycopg2://%s:%s@%s-postgres:%d/%s" .Values.postgres.auth.username .Values.secrets.dbPassword (include "the-other-dude.fullname" .) (int .Values.postgres.service.port) .Values.postgres.auth.database }} -{{- else }} -{{- .Values.postgres.externalUrl | replace "asyncpg" "psycopg2" }} -{{- end }} -{{- end }} - -{{/* -Redis URL (constructed from service name). -*/}} -{{- define "the-other-dude.redisUrl" -}} -{{- if .Values.redis.enabled }} -{{- printf "redis://%s-redis:%d/0" (include "the-other-dude.fullname" .) (int .Values.redis.service.port) }} -{{- else }} -{{- .Values.redis.externalUrl | default "redis://localhost:6379/0" }} -{{- end }} -{{- end }} diff --git a/infrastructure/helm/templates/api-deployment.yaml b/infrastructure/helm/templates/api-deployment.yaml deleted file mode 100644 index d76b7c0..0000000 --- a/infrastructure/helm/templates/api-deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "the-other-dude.fullname" . }}-api - labels: - {{- include "the-other-dude.apiLabels" . | nindent 4 }} -spec: - replicas: {{ .Values.api.replicaCount }} - selector: - matchLabels: - {{- include "the-other-dude.apiSelectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "the-other-dude.apiSelectorLabels" . | nindent 8 }} - spec: - securityContext: - runAsNonRoot: true - runAsUser: 1001 - runAsGroup: 1001 - containers: - - name: api - image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}" - imagePullPolicy: {{ .Values.api.image.pullPolicy }} - ports: - - name: http - containerPort: 8000 - protocol: TCP - # Load non-sensitive config from ConfigMap - envFrom: - - configMapRef: - name: {{ include "the-other-dude.fullname" . }}-config - # Load secrets as individual environment variables - env: - - name: JWT_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . }}-secrets - key: JWT_SECRET_KEY - - name: CREDENTIAL_ENCRYPTION_KEY - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . }}-secrets - key: CREDENTIAL_ENCRYPTION_KEY - - name: FIRST_ADMIN_EMAIL - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . }}-secrets - key: FIRST_ADMIN_EMAIL - - name: FIRST_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . 
}}-secrets
- key: FIRST_ADMIN_PASSWORD
- livenessProbe:
- httpGet:
- path: {{ .Values.api.probes.liveness.path }}
- port: http
- initialDelaySeconds: {{ .Values.api.probes.liveness.initialDelaySeconds }}
- periodSeconds: {{ .Values.api.probes.liveness.periodSeconds }}
- failureThreshold: {{ .Values.api.probes.liveness.failureThreshold }}
- readinessProbe:
- httpGet:
- path: {{ .Values.api.probes.readiness.path }}
- port: http
- initialDelaySeconds: {{ .Values.api.probes.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.api.probes.readiness.periodSeconds }}
- failureThreshold: {{ .Values.api.probes.readiness.failureThreshold }}
- resources:
- {{- toYaml .Values.api.resources | nindent 12 }}
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- capabilities:
- drop:
- - ALL
diff --git a/infrastructure/helm/templates/api-service.yaml b/infrastructure/helm/templates/api-service.yaml
deleted file mode 100644
index 2329db6..0000000
--- a/infrastructure/helm/templates/api-service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "the-other-dude.fullname" . }}-api
- labels:
- {{- include "the-other-dude.apiLabels" . | nindent 4 }}
-spec:
- type: {{ .Values.api.service.type }}
- ports:
- - port: {{ .Values.api.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- {{- include "the-other-dude.apiSelectorLabels" . | nindent 4 }}
diff --git a/infrastructure/helm/templates/configmap.yaml b/infrastructure/helm/templates/configmap.yaml
deleted file mode 100644
index ef0bed8..0000000
--- a/infrastructure/helm/templates/configmap.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "the-other-dude.fullname" . }}-config
- labels:
- {{- include "the-other-dude.labels" . | nindent 4 }}
-data:
- DATABASE_URL: {{ include "the-other-dude.databaseUrl" . | quote }}
- SYNC_DATABASE_URL: {{ include "the-other-dude.syncDatabaseUrl" . | quote }}
- APP_USER_DATABASE_URL: {{ include "the-other-dude.appUserDatabaseUrl" . | quote }}
- REDIS_URL: {{ include "the-other-dude.redisUrl" . | quote }}
- NATS_URL: {{ printf "nats://%s-nats:%d" (include "the-other-dude.fullname" .) (int .Values.nats.service.port) | quote }}
- JWT_ALGORITHM: "HS256"
- JWT_ACCESS_TOKEN_EXPIRE_MINUTES: {{ .Values.api.env.jwtAccessTokenExpireMinutes | quote }}
- JWT_REFRESH_TOKEN_EXPIRE_DAYS: {{ .Values.api.env.jwtRefreshTokenExpireDays | quote }}
- CORS_ORIGINS: {{ .Values.api.env.corsOrigins | quote }}
- DEBUG: {{ .Values.api.env.debug | quote }}
- APP_NAME: "TOD - The Other Dude"
- APP_VERSION: {{ .Chart.AppVersion | quote }}
- POLL_INTERVAL_SECONDS: {{ .Values.poller.env.pollIntervalSeconds | quote }}
- POLLER_LOG_LEVEL: {{ .Values.poller.env.logLevel | quote }}
diff --git a/infrastructure/helm/templates/frontend-deployment.yaml b/infrastructure/helm/templates/frontend-deployment.yaml
deleted file mode 100644
index 6a3028e..0000000
--- a/infrastructure/helm/templates/frontend-deployment.yaml
+++ /dev/null
@@ -1,56 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "the-other-dude.fullname" . }}-frontend - labels: - {{- include "the-other-dude.frontendLabels" . | nindent 4 }} -spec: - replicas: {{ .Values.frontend.replicaCount }} - selector: - matchLabels: - {{- include "the-other-dude.frontendSelectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "the-other-dude.frontendSelectorLabels" . | nindent 8 }} - spec: - containers: - - name: frontend - image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag }}" - imagePullPolicy: {{ .Values.frontend.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - resources: - {{- toYaml .Values.frontend.resources | nindent 12 }} - livenessProbe: - httpGet: - path: /nginx-health - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /nginx-health - port: http - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "the-other-dude.fullname" . }}-frontend - labels: - {{- include "the-other-dude.frontendLabels" . | nindent 4 }} -spec: - type: {{ .Values.frontend.service.type }} - ports: - - port: {{ .Values.frontend.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "the-other-dude.frontendSelectorLabels" . | nindent 4 }} diff --git a/infrastructure/helm/templates/ingress.yaml b/infrastructure/helm/templates/ingress.yaml deleted file mode 100644 index 97cf6cc..0000000 --- a/infrastructure/helm/templates/ingress.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{- if .Values.ingress.enabled }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "the-other-dude.fullname" . }} - labels: - {{- include "the-other-dude.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls.enabled }} - tls: - - hosts: - - {{ .Values.ingress.host | default "the-other-dude.local" | quote }} - secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" (include "the-other-dude.fullname" .)) | quote }} - {{- end }} - rules: - - host: {{ .Values.ingress.host | default "the-other-dude.local" | quote }} - http: - paths: - # API routes — send /api/* to the FastAPI service - - path: /api - pathType: Prefix - backend: - service: - name: {{ include "the-other-dude.fullname" . }}-api - port: - number: {{ .Values.api.service.port }} - # Docs routes — proxy /docs and /redoc to API as well - - path: /docs - pathType: Prefix - backend: - service: - name: {{ include "the-other-dude.fullname" . }}-api - port: - number: {{ .Values.api.service.port }} - - path: /redoc - pathType: Prefix - backend: - service: - name: {{ include "the-other-dude.fullname" . }}-api - port: - number: {{ .Values.api.service.port }} - # Frontend SPA — all other routes go to nginx - - path: / - pathType: Prefix - backend: - service: - name: {{ include "the-other-dude.fullname" . }}-frontend - port: - number: {{ .Values.frontend.service.port }} -{{- end }} diff --git a/infrastructure/helm/templates/nats-statefulset.yaml b/infrastructure/helm/templates/nats-statefulset.yaml deleted file mode 100644 index dedfbc5..0000000 --- a/infrastructure/helm/templates/nats-statefulset.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -{{- if .Values.nats.enabled }} ---- -# NATS headless service for StatefulSet DNS -apiVersion: v1 -kind: Service -metadata: - name: {{ include "the-other-dude.fullname" . }}-nats-headless - labels: - {{- include "the-other-dude.labels" . | nindent 4 }} - app.kubernetes.io/component: nats -spec: - clusterIP: None - ports: - - name: client - port: 4222 - targetPort: 4222 - selector: - {{- include "the-other-dude.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: nats ---- -# NATS ClusterIP service for client access -apiVersion: v1 -kind: Service -metadata: - name: {{ include "the-other-dude.fullname" . }}-nats - labels: - {{- include "the-other-dude.labels" . | nindent 4 }} - app.kubernetes.io/component: nats -spec: - type: ClusterIP - ports: - - name: client - port: {{ .Values.nats.service.port }} - targetPort: 4222 - - name: monitoring - port: 8222 - targetPort: 8222 - selector: - {{- include "the-other-dude.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: nats ---- -# NATS JetStream StatefulSet (needs stable storage) -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "the-other-dude.fullname" . }}-nats - labels: - {{- include "the-other-dude.labels" . | nindent 4 }} - app.kubernetes.io/component: nats -spec: - replicas: 1 - serviceName: {{ include "the-other-dude.fullname" . }}-nats-headless - selector: - matchLabels: - {{- include "the-other-dude.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: nats - template: - metadata: - labels: - {{- include "the-other-dude.selectorLabels" . 
| nindent 8 }} - app.kubernetes.io/component: nats - spec: - containers: - - name: nats - image: "{{ .Values.nats.image.repository }}:{{ .Values.nats.image.tag }}" - imagePullPolicy: {{ .Values.nats.image.pullPolicy }} - args: - - "-js" - - "--store_dir" - - "/data" - - "-m" - - "8222" - ports: - - name: client - containerPort: 4222 - protocol: TCP - - name: monitoring - containerPort: 8222 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: 8222 - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 8222 - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - resources: - requests: - cpu: {{ .Values.nats.resources.requests.cpu }} - memory: {{ .Values.nats.resources.requests.memory }} - limits: - cpu: {{ .Values.nats.resources.limits.cpu }} - memory: {{ .Values.nats.resources.limits.memory }} - volumeMounts: - - name: nats-data - mountPath: /data - volumeClaimTemplates: - - metadata: - name: nats-data - spec: - accessModes: ["ReadWriteOnce"] - {{- if .Values.nats.storageClass }} - storageClassName: {{ .Values.nats.storageClass | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.nats.storage }} -{{- end }} diff --git a/infrastructure/helm/templates/poller-deployment.yaml b/infrastructure/helm/templates/poller-deployment.yaml deleted file mode 100644 index 51415f8..0000000 --- a/infrastructure/helm/templates/poller-deployment.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "the-other-dude.fullname" . }}-poller - labels: - {{- include "the-other-dude.labels" . | nindent 4 }} - app.kubernetes.io/component: poller -spec: - replicas: {{ .Values.poller.replicaCount }} - selector: - matchLabels: - {{- include "the-other-dude.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: poller - template: - metadata: - labels: - {{- include "the-other-dude.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: poller - spec: - containers: - - name: poller - image: "{{ .Values.poller.image.repository }}:{{ .Values.poller.image.tag }}" - imagePullPolicy: {{ .Values.poller.image.pullPolicy }} - env: - - name: DATABASE_URL - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . }}-secrets - key: POLLER_DATABASE_URL - - name: CREDENTIAL_ENCRYPTION_KEY - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . }}-secrets - key: CREDENTIAL_ENCRYPTION_KEY - - name: NATS_URL - valueFrom: - configMapKeyRef: - name: {{ include "the-other-dude.fullname" . }}-config - key: NATS_URL - - name: REDIS_URL - valueFrom: - configMapKeyRef: - name: {{ include "the-other-dude.fullname" . }}-config - key: REDIS_URL - - name: POLL_INTERVAL_SECONDS - valueFrom: - configMapKeyRef: - name: {{ include "the-other-dude.fullname" . }}-config - key: POLL_INTERVAL_SECONDS - - name: LOG_LEVEL - valueFrom: - configMapKeyRef: - name: {{ include "the-other-dude.fullname" . }}-config - key: POLLER_LOG_LEVEL - resources: - requests: - cpu: {{ .Values.poller.resources.requests.cpu }} - memory: {{ .Values.poller.resources.requests.memory }} - limits: - cpu: {{ .Values.poller.resources.limits.cpu }} - memory: {{ .Values.poller.resources.limits.memory }} diff --git a/infrastructure/helm/templates/postgres-statefulset.yaml b/infrastructure/helm/templates/postgres-statefulset.yaml deleted file mode 100644 index ba36333..0000000 
--- a/infrastructure/helm/templates/postgres-statefulset.yaml
+++ /dev/null
@@ -1,137 +0,0 @@ -{{- if .Values.postgres.enabled }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "the-other-dude.fullname" . }}-postgres - labels: - {{- include "the-other-dude.postgresLabels" . | nindent 4 }} -spec: - serviceName: {{ include "the-other-dude.fullname" . }}-postgres - replicas: 1 - selector: - matchLabels: - {{- include "the-other-dude.postgresSelectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "the-other-dude.postgresSelectorLabels" . | nindent 8 }} - spec: - containers: - - name: postgres - image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}" - imagePullPolicy: {{ .Values.postgres.image.pullPolicy }} - ports: - - name: postgres - containerPort: 5432 - protocol: TCP - env: - - name: POSTGRES_DB - value: {{ .Values.postgres.auth.database | quote }} - - name: POSTGRES_USER - value: {{ .Values.postgres.auth.username | quote }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . }}-secrets - key: DB_PASSWORD - - name: APP_USER - value: {{ .Values.postgres.auth.appUsername | quote }} - - name: APP_USER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "the-other-dude.fullname" . 
}}-secrets - key: DB_APP_PASSWORD - volumeMounts: - - name: postgres-data - mountPath: /var/lib/postgresql/data - - name: init-scripts - mountPath: /docker-entrypoint-initdb.d - readOnly: true - resources: - {{- toYaml .Values.postgres.resources | nindent 12 }} - livenessProbe: - exec: - command: - - pg_isready - - -U - - {{ .Values.postgres.auth.username | quote }} - - -d - - {{ .Values.postgres.auth.database | quote }} - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 5 - readinessProbe: - exec: - command: - - pg_isready - - -U - - {{ .Values.postgres.auth.username | quote }} - - -d - - {{ .Values.postgres.auth.database | quote }} - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 3 - volumes: - - name: init-scripts - configMap: - name: {{ include "the-other-dude.fullname" . }}-postgres-init - volumeClaimTemplates: - - metadata: - name: postgres-data - spec: - accessModes: ["ReadWriteOnce"] - {{- if .Values.postgres.storageClass }} - storageClassName: {{ .Values.postgres.storageClass | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.postgres.storage }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "the-other-dude.fullname" . }}-postgres - labels: - {{- include "the-other-dude.postgresLabels" . | nindent 4 }} -spec: - type: ClusterIP - clusterIP: None - ports: - - port: {{ .Values.postgres.service.port }} - targetPort: postgres - protocol: TCP - name: postgres - selector: - {{- include "the-other-dude.postgresSelectorLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "the-other-dude.fullname" . }}-postgres-init - labels: - {{- include "the-other-dude.postgresLabels" . 
| nindent 4 }} -data: - init.sql: | - -- Create non-superuser app_user role for RLS enforcement - -- This runs on first container start via docker-entrypoint-initdb.d - DO $$ - BEGIN - IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '{{ .Values.postgres.auth.appUsername }}') THEN - CREATE ROLE {{ .Values.postgres.auth.appUsername }} WITH LOGIN PASSWORD '{{ .Values.secrets.dbAppPassword }}'; - END IF; - END $$; - - -- Grant connection and usage permissions - GRANT CONNECT ON DATABASE {{ .Values.postgres.auth.database }} TO {{ .Values.postgres.auth.appUsername }}; - GRANT USAGE ON SCHEMA public TO {{ .Values.postgres.auth.appUsername }}; - - -- Grant DML permissions (INSERT, SELECT, UPDATE, DELETE — no DDL) - GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO {{ .Values.postgres.auth.appUsername }}; - GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO {{ .Values.postgres.auth.appUsername }}; - - -- Set default privileges so future tables are also accessible - ALTER DEFAULT PRIVILEGES IN SCHEMA public - GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO {{ .Values.postgres.auth.appUsername }}; - ALTER DEFAULT PRIVILEGES IN SCHEMA public - GRANT USAGE, SELECT ON SEQUENCES TO {{ .Values.postgres.auth.appUsername }}; -{{- end }} diff --git a/infrastructure/helm/templates/redis-deployment.yaml b/infrastructure/helm/templates/redis-deployment.yaml deleted file mode 100644 index e24f98b..0000000 --- a/infrastructure/helm/templates/redis-deployment.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{- if .Values.redis.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "the-other-dude.fullname" . }}-redis - labels: - {{- include "the-other-dude.redisLabels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "the-other-dude.redisSelectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "the-other-dude.redisSelectorLabels" . | nindent 8 }} - spec: - containers: - - name: redis - image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}" - imagePullPolicy: {{ .Values.redis.image.pullPolicy }} - ports: - - name: redis - containerPort: 6379 - protocol: TCP - resources: - {{- toYaml .Values.redis.resources | nindent 12 }} - livenessProbe: - exec: - command: - - redis-cli - - ping - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 3 - readinessProbe: - exec: - command: - - redis-cli - - ping - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "the-other-dude.fullname" . }}-redis - labels: - {{- include "the-other-dude.redisLabels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.redis.service.port }} - targetPort: redis - protocol: TCP - name: redis - selector: - {{- include "the-other-dude.redisSelectorLabels" . | nindent 4 }} -{{- end }} diff --git a/infrastructure/helm/templates/secrets.yaml b/infrastructure/helm/templates/secrets.yaml deleted file mode 100644 index 95fbc67..0000000 --- a/infrastructure/helm/templates/secrets.yaml +++ /dev/null 
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "the-other-dude.fullname" . }}-secrets
- labels:
- {{- include "the-other-dude.labels" . | nindent 4 }}
-type: Opaque
-stringData:
- JWT_SECRET_KEY: {{ .Values.secrets.jwtSecretKey | quote }}
- CREDENTIAL_ENCRYPTION_KEY: {{ .Values.secrets.credentialEncryptionKey | quote }}
- FIRST_ADMIN_EMAIL: {{ .Values.secrets.firstAdminEmail | quote }}
- FIRST_ADMIN_PASSWORD: {{ .Values.secrets.firstAdminPassword | quote }}
- DB_PASSWORD: {{ .Values.secrets.dbPassword | quote }}
- DB_APP_PASSWORD: {{ .Values.secrets.dbAppPassword | quote }}
- POLLER_DATABASE_URL: {{ printf "postgres://poller_user:%s@%s-postgres:%d/%s" .Values.secrets.dbPollerPassword (include "the-other-dude.fullname" .) (int .Values.postgres.service.port) .Values.postgres.auth.database | quote }}