feat(pontoon): add self-host postgres and rabbitmq

the chart now works out of the box, tested with KIND

Author: michaellzc

charts/pontoon/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.2.0
+- name: rabbitmq
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.6.0
+digest: sha256:acbca669c00cbf636183b351ee7606b260c0f831b7fe4a4a53064f11f62f6795
+generated: "2020-12-19T15:28:59.246349-07:00"

charts/pontoon/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: pontoon
 home: https://github.com/mozilla/pontoon
-version: 1.0.2
+version: 1.1.0
 # Pontoon no longer cuts releases.
 # See https://github.com/mozilla/pontoon/releases/tag/2018-12-19
 appVersion: latest
@@ -12,4 +12,15 @@ keywords:
   - pontoon
 sources:
   - https://github.com/mozilla/pontoon
+  - https://github.com/ibm-skills-network/charts
 icon: https://pontoon.mozilla.org/static/img/logo.svg
+dependencies:
+  - name: postgresql
+    version: 10.2.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgres.enabled
+    alias: postgres
+  - name: rabbitmq
+    version: 8.6.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: rabbitmq.enabled

charts/pontoon/README.md

@@ -2,5 +2,80 @@
 
 ## Prerequisites
 
-- A valid domain name and TLS cert manager
+- A valid domain name and TLS certificate (Optional, recommended for production deployment)
+- An external managed PostgreSQL and RabbitMQ (Optional, recommended for production deployment)
 - Kubernetes 1.12+
+- Helm 3+
+
+## Chart Details
+
+This chart will do the following
+
+- Deploy Pontoon server(s) and Celery worker deployment(s).
+- Deploy a PostgreSQL database and a RabbitMQ instance **NOTE**: For production deployment it is recommended to use external managed services.
+
+## Installing the Chart
+
+### Add skills-network Helm Repository
+
+```bash
+helm repo add sn https://charts.skills.network
+```
+
+### Install Chart (Non-Production)
+
+If you are looking to try out Pontoon in a non-production environment, such as, [kind](https://kind.sigs.k8s.io/), [minikube](https://minikube.sigs.k8s.io). Save [values-unsafe.yaml](./values-unsafe.yaml) locally.
+
+```bash
+helm install pontoon sn/pontoon --values ./values-unsafe.yaml
+```
+
+### Install Chart (Production-ish)
+
+This will deploy both Pontoon server and a Celery worker instance, along with both Postgres and RabbitMQ. However, it's still not suitable for production-grade deployment. Save [values-demo.yaml](./values-demo.yaml) locally.
+
+```bash
+helm install pontoon sn/pontoon --values ./values-demo.yaml
+```
+
+### Install Chart (Production)
+
+Create a value file with the configuration
+
+`values-production.yaml`
+
+```yml
+siteUrl: "https://pontoon.example.com"
+
+secretKey: "randomsecret"
+
+extraEnvVars:
+  - name: ALLOWED_HOSTS
+    value: "pontoon.example.com"
+
+postgres:
+  enabled: false
+  databaseUrl: postgres://username:[email protected]:5432/pontoon
+
+rabbitmq:
+  enabled: false
+  url: amqps://username:[email protected]:5672/pontoon
+
+ingress:
+  enabled: true
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: "pontoon.example.com"
+    external-dns.alpha.kubernetes.io/target: "ingress.hostname"
+    cert-manager.io/cluster-issuer: acme-issuer
+    acme.cert-manager.io/http01-edit-in-place: "true"
+  hosts:
+    - "pontoon.example.com"
+  tls:
+  - hosts:
+    - "pontoon.example.com"
+    secretName: "tls-cert-secret"
+```
+
+```bash
+helm install pontoon sn/pontoon --values ./values-production.yaml
+```

charts/pontoon/templates/NOTES.txt

@@ -22,5 +22,5 @@ kubectl --namespace {{ .Release.Namespace }} exec -ti $POD_NAME -- python manage
 {{- else if contains "ClusterIP" .Values.service.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component=pontoon" -o jsonpath="{.items[0].metadata.name}")
   echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8000
 {{- end }}

charts/pontoon/templates/_helpers.tpl

@@ -61,6 +61,38 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{- define "postgres.fullname" -}}
+{{- printf "%s-%s" .Release.Name "postgres" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "rabbitmq.fullname" -}}
+{{- printf "%s-%s" .Release.Name "rabbitmq" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "pontoon.database_url" -}}
+{{- if .Values.postgres.enabled }}
+- name: DATABASE_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      key: postgresql-password
+      name: {{ include "postgres.fullname" . }}
+- name: DATABASE_URL
+  value: "{{ printf "postgres://%s:$(DATABASE_PASSWORD)@%s/%s" .Values.postgres.postgresqlUsername  (include "postgres.fullname" .) .Values.postgres.postgresqlDatabase }}"
+{{- end }}
+{{- end }}
+
+{{- define "pontoon.rabbitmq_url" -}}
+{{- if .Values.postgres.enabled }}
+- name: RABBITMQ_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      key: rabbitmq-password
+      name: {{ include "rabbitmq.fullname" . }}
+- name: RABBITMQ_URL
+  value: "{{ printf "amqp://%s:$(RABBITMQ_PASSWORD)@%s-headless/" .Values.rabbitmq.auth.username  (include "rabbitmq.fullname" .) }}"
+{{- end }}
+{{- end }}
+
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Renders a value that contains template.
@@ -73,4 +105,4 @@ Usage:
     {{- else }}
         {{- tpl (.value | toYaml) .context }}
     {{- end }}
-{{- end -}}
+{{- end -}}

charts/pontoon/templates/pontoon-deployment.yaml

@@ -24,6 +24,7 @@ spec:
         checksum/pontoon-secrets: {{ include (print $.Template.BasePath "/pontoon-secrets.yaml") . | sha256sum }}
         checksum/pontoon-ssh-secrets: {{ include (print $.Template.BasePath "/pontoon-ssh-secrets.yaml") . | sha256sum }}
         checksum/pontoon-settings: {{ include (print $.Template.BasePath "/pontoon-settings-configmap.yaml") . | sha256sum }}
+        checksum/pontoon-unsafe-wsgi: {{ include (print $.Template.BasePath "/pontoon-unsafe-wsgi-configmap.yaml") . | sha256sum }}
         {{- range $key, $value := .Values.podAnnotations }}
         {{ $key }}: {{ $value | quote }}
         {{- end }}
@@ -89,6 +90,8 @@ spec:
             {{- if .Values.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
+            {{- include "pontoon.database_url" . | indent 12 }}
+            {{- include "pontoon.rabbitmq_url" . | indent 12 }}
           volumeMounts:
             {{- if .Values.extraSettingsModule }}
             - mountPath: "{{ .Values.pontoonHome }}/pontoon/settings/custom.py"
@@ -99,6 +102,11 @@ spec:
             - name: "dummy-volume"
               mountPath: {{ .Values.ssh.mountPath | quote }}
             {{- end }}
+            {{- if not .Values.forceSsl }}
+            - mountPath: "{{ .Values.pontoonHome }}/pontoon/wsgi.py"
+              name: "pontoon-wsgi"
+              subPath: "wsgi.py"
+            {{- end }}
       volumes:
         {{- if .Values.extraSettingsModule }}
         - name: "pontoon-settings"
@@ -113,6 +121,11 @@ spec:
         - name: "dummy-volume"
           emptyDir: {}
         {{- end }}
+        {{- if not .Values.forceSsl }}
+        - name: "pontoon-wsgi"
+          configMap:
+            name: "{{ include "pontoon.fullname" . }}-unsafe-wsgi-configmap"
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/pontoon/templates/pontoon-migration-job.yaml

@@ -49,6 +49,8 @@ spec:
             {{- if .Values.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
+            {{- include "pontoon.database_url" . | indent 12 }}
+            {{- include "pontoon.rabbitmq_url" . | indent 12 }}
           volumeMounts:
             {{- if .Values.extraSettingsModule }}
             - mountPath: "{{ .Values.pontoonHome }}/pontoon/settings/custom.py"

charts/pontoon/templates/pontoon-secrets.yaml

@@ -5,5 +5,9 @@ metadata:
 type: Opaque
 data:
   SECRET_KEY: {{ .Values.secretKey | b64enc | quote }}
+  {{- if not .Values.postgres.enabled }}
   DATABASE_URL: {{ .Values.postgres.databaseUrl | b64enc | quote }}
+  {{- end }}
+  {{- if not .Values.rabbitmq.enabled }}
   RABBITMQ_URL: {{ .Values.rabbitmq.url | b64enc | quote }}
+  {{- end }}

charts/pontoon/templates/pontoon-sync-projects-cronjob.yaml

@@ -73,6 +73,8 @@ spec:
                 {{- if .Values.extraEnvVars }}
                 {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 16 }}
                 {{- end }}
+                {{- include "pontoon.database_url" . | indent 16 }}
+                {{- include "pontoon.rabbitmq_url" . | indent 16 }}
               volumeMounts:
                 {{- if .Values.extraSettingsModule }}
                 - mountPath: "{{ .Values.pontoonHome }}/pontoon/settings/custom.py"

charts/pontoon/templates/pontoon-unsafe-wsgi-configmap.yaml

@@ -0,0 +1,38 @@
+{{ if not .Values.forceSsl }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ include "pontoon.fullname" . }}-unsafe-wsgi-configmap"
+  labels:
+    app: {{ include "pontoon.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  # This file is taken from https://github.com/mozilla/pontoon/blob/master/pontoon/wsgi.py
+  # and remove `wsgi_sslify` in order to make it works without a valid TLS certificate
+  wsgi.py: |-
+    """
+    WSGI config for Pontoon.
+    It exposes the WSGI callable as a module-level variable named ``application``.
+    For more information on this file, see
+    https://docs.djangoproject.com/en/1.8/howto/deployment/wsgi/
+    """
+    import os
+
+    import dotenv
+    from django.core.wsgi import get_wsgi_application
+    from wsgi_sslify import sslify
+
+
+    if "DOTENV_PATH" in os.environ:
+        dotenv.read_dotenv(os.environ["DOTENV_PATH"])
+
+    # Set settings env var before importing whitenoise as it depends on
+    # some settings.
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pontoon.settings")
+
+    # sslify sets a Strict-Transport-Security header,
+    # which instructs browsers to always use HTTPS.
+    application = get_wsgi_application()
+{{- end }}