Helm chart: allow templating in chart values (#9202)

CHANGELOG.md

@@ -8,6 +8,24 @@ as necessary. Empty sections will not end in the release notes.
 
 ### Highlights
 
+- Helm chart: it is now possible to use Helm templating in all values; any [built-in
+  object](https://helm.sh/docs/chart_template_guide/builtin_objects/) can be specified. This is
+  particularly useful for dynamically passing the namespace to the Helm chart, but cross-referencing
+  values from different sections is also possible, e.g.:
+
+  ```yaml
+  mongodb:
+    name: nessie
+    connectionString: mongodb+srv://mongodb.{{ .Release.Namespace }}.svc.cluster.local:27017/{{ .Values.mongodb.name }}
+  ```
+
+  The above would result in the following properties when deploying to namespace `nessie-ns`:
+
+  ```properties
+  quarkus.mongodb.database=nessie
+  quarkus.mongodb.connection-string=mongodb://mongodb.nessie-ns.svc.cluster.local:27017/nessie
+  ```
+
 ### Upgrade notes
 
 ### Breaking changes

helm/nessie/ci/inmemory-values.yaml

@@ -7,6 +7,10 @@ metrics:
   tags:
     service: nessie
     environment: dev
+podLabels:
+  app: nessie-{{ .Release.Namespace }}-{{ .Values.versionStoreType }}
+podAnnotations:
+  app: nessie-{{ .Release.Namespace }}-{{ .Values.versionStoreType }}
 service:
   ports:
     nessie-mgmt: 9001
@@ -26,7 +30,7 @@ catalog:
       override2: value2
     warehouses:
     - name: warehouse1
-      location: s3://bucket1.prod-us/warehouse
+      location: "s3://bucket1.prod-us/warehouse-{{ .Release.Namespace }}"
       configDefaults:
         default1: value11
         default2: value22
@@ -45,10 +49,10 @@ catalog:
 #          awsAccessKeyId: access-key-id
 #          awsSecretAccessKey: secret-access-key
       buckets:
-        - name: bucket1.prod-us
+        - name: bucket1.{{ .Release.Namespace }}
           endpoint: prod-us.s3.amazonaws.com
           region: us-east-1
-        - name: bucket2.prod-us
+        - name: bucket2.{{ .Release.Namespace }}
           endpoint: prod-us2.s3.amazonaws.com
           region: us-east-2
 #          accessKeySecret:
@@ -64,9 +68,9 @@ catalog:
 #          name: gcs-credentials
 #          key: credentials.json
       buckets:
-      - name: bucket1.prod-us
+      - name: bucket1.{{ .Release.Namespace }}
         projectId: project-id
-      - name: bucket2.prod-us
+      - name: bucket2.{{ .Release.Namespace }}
         projectId: project-id
 #        authCredentialsJsonSecret:
 #          name: gcs-credentials
@@ -94,13 +98,13 @@ catalog:
 #          accountName: account-name
 #          accountKey: account-key
       filesystems:
-      - name: filesystem1
+      - name: filesystem1-{{ .Release.Namespace }}
         endpoint: https://account1.azuredatalakestore.net
         maxRetries: 3
         retryInterval: PT5S
         retryPolicy: EXPONENTIAL_BACKOFF
         retryDelay: PT1S
-      - name: filesystem2
+      - name: filesystem2-{{ .Release.Namespace }}
         endpoint: https://account2.azuredatalakestore.net
         maxRetries: 3
         retryInterval: PT5S

helm/nessie/templates/_helpers.tpl

@@ -258,27 +258,34 @@ Apply ADLS catalog options.
 Define environkent variables for catalog storage options.
 */}}
 {{- define "nessie.catalogStorageEnv" -}}
-{{- include "nessie.secretToEnv" (list .s3.defaultOptions.accessKeySecret "awsAccessKeyId" "nessie.catalog.service.s3.default-options.access-key.name") }}
-{{- include "nessie.secretToEnv" (list .s3.defaultOptions.accessKeySecret "awsSecretAccessKey" "nessie.catalog.service.s3.default-options.access-key.secret") }}
-{{- range $i, $bucket := .s3.buckets -}}
-{{- include "nessie.secretToEnv" (list $bucket.accessKeySecret "awsAccessKeyId" (printf "nessie.catalog.service.s3.buckets.bucket%d.access-key.name" (add $i 1))) }}
-{{- include "nessie.secretToEnv" (list $bucket.accessKeySecret "awsSecretAccessKey" (printf "nessie.catalog.service.s3.buckets.bucket%d.access-key.secret" (add $i 1))) }}
-{{- end -}}
-{{- include "nessie.secretToEnv" (list .gcs.defaultOptions.authCredentialsJsonSecret "key" "nessie.catalog.service.gcs.default-options.auth-credentials-json") }}
-{{- include "nessie.secretToEnv" (list .gcs.defaultOptions.oauth2TokenSecret "token" "nessie.catalog.service.gcs.default-options.oauth-token.token") }}
-{{- include "nessie.secretToEnv" (list .gcs.defaultOptions.oauth2TokenSecret "expiresAt" "nessie.catalog.service.gcs.default-options.oauth-token.expiresAt") }}
-{{- range $i, $bucket := .gcs.buckets -}}
-{{- include "nessie.secretToEnv" (list $bucket.authCredentialsJsonSecret "key" (printf "nessie.catalog.service.gcs.buckets.bucket%d.auth-credentials-json" (add $i 1))) }}
-{{- include "nessie.secretToEnv" (list $bucket.oauth2TokenSecret "token" (printf "nessie.catalog.service.gcs.buckets.bucket%d.oauth-token.token" (add $i 1))) }}
-{{- include "nessie.secretToEnv" (list $bucket.oauth2TokenSecret "expiresAt" (printf "nessie.catalog.service.gcs.buckets.bucket%d.oauth-token.expires-at" (add $i 1))) }}
-{{- end -}}
-{{- include "nessie.secretToEnv" (list .adls.defaultOptions.accountSecret "accountName" "nessie.catalog.service.adls.default-options.account.name") }}
-{{- include "nessie.secretToEnv" (list .adls.defaultOptions.accountSecret "accountKey" "nessie.catalog.service.adls.default-options.account.secret") }}
-{{- include "nessie.secretToEnv" (list .adls.defaultOptions.sasTokenSecret "sasToken" "nessie.catalog.service.adls.default-options.sas-token") }}
-{{- range $i, $filesystem := .adls.filesystems -}}
-{{- include "nessie.secretToEnv" (list $filesystem.accountSecret "accountName" (printf "nessie.catalog.service.adls.file-systems.filesystem%d.account.name" (add $i 1))) }}
-{{- include "nessie.secretToEnv" (list $filesystem.accountSecret "accountKey" (printf "nessie.catalog.service.adls.file-systems.filesystem%d.account.secret" (add $i 1))) }}
-{{- include "nessie.secretToEnv" (list $filesystem.sasTokenSecret "sasToken" (printf "nessie.catalog.service.adls.file-systems.filesystem%d.sas-token" (add $i 1))) }}
+{{ $global := .}}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.s3.defaultOptions.accessKeySecret "awsAccessKeyId" "nessie.catalog.service.s3.default-options.access-key.name" . ) }}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.s3.defaultOptions.accessKeySecret "awsSecretAccessKey" "nessie.catalog.service.s3.default-options.access-key.secret" . ) }}
+{{- range $i, $bucket := .Values.catalog.storage.s3.buckets -}}
+{{- with $global }}
+{{- include "nessie.secretToEnv" (list $bucket.accessKeySecret "awsAccessKeyId" (printf "nessie.catalog.service.s3.buckets.bucket%d.access-key.name" (add $i 1)) . ) }}
+{{- include "nessie.secretToEnv" (list $bucket.accessKeySecret "awsSecretAccessKey" (printf "nessie.catalog.service.s3.buckets.bucket%d.access-key.secret" (add $i 1)) . ) }}
+{{- end -}}
+{{- end -}}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.gcs.defaultOptions.authCredentialsJsonSecret "key" "nessie.catalog.service.gcs.default-options.auth-credentials-json" . ) }}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.gcs.defaultOptions.oauth2TokenSecret "token" "nessie.catalog.service.gcs.default-options.oauth-token.token" . ) }}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.gcs.defaultOptions.oauth2TokenSecret "expiresAt" "nessie.catalog.service.gcs.default-options.oauth-token.expiresAt" . ) }}
+{{- range $i, $bucket := .Values.catalog.storage.gcs.buckets -}}
+{{- with $global }}
+{{- include "nessie.secretToEnv" (list $bucket.authCredentialsJsonSecret "key" (printf "nessie.catalog.service.gcs.buckets.bucket%d.auth-credentials-json" (add $i 1)) . ) }}
+{{- include "nessie.secretToEnv" (list $bucket.oauth2TokenSecret "token" (printf "nessie.catalog.service.gcs.buckets.bucket%d.oauth-token.token" (add $i 1)) . ) }}
+{{- include "nessie.secretToEnv" (list $bucket.oauth2TokenSecret "expiresAt" (printf "nessie.catalog.service.gcs.buckets.bucket%d.oauth-token.expires-at" (add $i 1)) . ) }}
+{{- end -}}
+{{- end -}}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.adls.defaultOptions.accountSecret "accountName" "nessie.catalog.service.adls.default-options.account.name" . ) }}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.adls.defaultOptions.accountSecret "accountKey" "nessie.catalog.service.adls.default-options.account.secret" . ) }}
+{{- include "nessie.secretToEnv" (list .Values.catalog.storage.adls.defaultOptions.sasTokenSecret "sasToken" "nessie.catalog.service.adls.default-options.sas-token" . ) }}
+{{- range $i, $filesystem := .Values.catalog.storage.adls.filesystems -}}
+{{- with $global }}
+{{- include "nessie.secretToEnv" (list $filesystem.accountSecret "accountName" (printf "nessie.catalog.service.adls.file-systems.filesystem%d.account.name" (add $i 1)) . ) }}
+{{- include "nessie.secretToEnv" (list $filesystem.accountSecret "accountKey" (printf "nessie.catalog.service.adls.file-systems.filesystem%d.account.secret" (add $i 1)) . ) }}
+{{- include "nessie.secretToEnv" (list $filesystem.sasTokenSecret "sasToken" (printf "nessie.catalog.service.adls.file-systems.filesystem%d.sas-token" (add $i 1)) . ) }}
+{{- end -}}
 {{- end -}}
 {{- end -}}
 
@@ -289,15 +296,18 @@ Define an env var from secret key.
 {{- $secret := index . 0 -}}
 {{- $key := index . 1 -}}
 {{- $envVarName := index . 2 -}}
+{{- $global := index . 3 -}}
 {{- if $secret -}}
 {{- $secretName := get $secret "name" -}}
 {{- $secretKey := get $secret $key -}}
+{{- with $global -}}
 {{- if (and $secretName $secretKey) -}}
 - name: {{ $envVarName | quote }}
   valueFrom:
     secretKeyRef:
-      name: {{ $secretName | quote }}
-      key: {{ $secretKey | quote }}
+      name: {{ (tpl $secretName . ) | quote }}
+      key: {{ (tpl $secretKey . ) | quote }}
 {{ end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}

helm/nessie/templates/configmap.yaml

@@ -152,7 +152,9 @@ data:
     {{- end -}}
 
     {{- list .Values.advancedConfig "" $map | include "nessie.mergeAdvancedConfig" }}
-
+    {{- $global := . -}}
     {{- range $k, $v := $map }}
-    {{ printf "%s=%s" $k ( eq $v nil | ternary "" ( toString $v )) }}
+    {{- with $global }}
+    {{ printf "%s=%s" $k ( eq $v nil | ternary "" ( tpl (toString $v) . )) }}
+    {{- end }}
     {{- end }}

helm/nessie/templates/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "nessie.labels" . | nindent 4 }}
     {{- if .Values.podLabels }}
-    {{- toYaml .Values.podLabels | nindent 4 }}
+    {{- tpl (toYaml .Values.podLabels) . | nindent 4 }}
     {{- end }}
 spec:
   {{- if not .Values.autoscaling.enabled }}
@@ -18,28 +18,28 @@ spec:
     metadata:
       annotations:
         projectnessie.org/config-checksum: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-      {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
+      {{- if .Values.podAnnotations }}
+        {{- tpl (toYaml .Values.podAnnotations) . | nindent 8 }}
       {{- end }}
       labels:
         {{- include "nessie.selectorLabels" . | nindent 8 }}
         {{- if .Values.podLabels }}
-        {{- toYaml .Values.podLabels | nindent 8 }}
+        {{- tpl (toYaml .Values.podLabels) . | nindent 8 }}
         {{- end }}
     spec:
-      {{- with .Values.imagePullSecrets }}
+      {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .Values.imagePullSecrets) . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "nessie.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- tpl (toYaml .Values.podSecurityContext) . | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+            {{- tpl (toYaml .Values.securityContext) . | nindent 12 }}
+          image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . | default .Chart.Version }}"
+          imagePullPolicy: {{ tpl .Values.image.pullPolicy . }}
           volumeMounts:
             - name: nessie-config
               mountPath: {{ trimSuffix "/" .Values.image.configDir }}/application.properties
@@ -54,25 +54,25 @@ spec:
           {{- end }}
           env:
             {{- if or (eq .Values.versionStoreType "DYNAMODB") (eq .Values.versionStoreType "DYNAMO") -}}
-            {{- include "nessie.secretToEnv" (list .Values.dynamodb.secret "awsAccessKeyId" "AWS_ACCESS_KEY_ID" ) | trim | nindent 12 -}}
-            {{- include "nessie.secretToEnv" (list .Values.dynamodb.secret "awsSecretAccessKey" "AWS_SECRET_ACCESS_KEY" ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.dynamodb.secret "awsAccessKeyId" "AWS_ACCESS_KEY_ID" . ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.dynamodb.secret "awsSecretAccessKey" "AWS_SECRET_ACCESS_KEY" . ) | trim | nindent 12 -}}
             {{- end -}}
             {{- if or (eq .Values.versionStoreType "MONGODB") (eq .Values.versionStoreType "MONGO") }}
-            {{- include "nessie.secretToEnv" (list .Values.mongodb.secret "username" "quarkus.mongodb.credentials.username" ) | trim | nindent 12 -}}
-            {{- include "nessie.secretToEnv" (list .Values.mongodb.secret "password" "quarkus.mongodb.credentials.password" ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.mongodb.secret "username" "quarkus.mongodb.credentials.username" . ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.mongodb.secret "password" "quarkus.mongodb.credentials.password" . ) | trim | nindent 12 -}}
             {{- end -}}
             {{- if eq .Values.versionStoreType "CASSANDRA" }}
-            {{- include "nessie.secretToEnv" (list .Values.cassandra.secret "username" "quarkus.cassandra.auth.username" ) | trim | nindent 12 -}}
-            {{- include "nessie.secretToEnv" (list .Values.cassandra.secret "password" "quarkus.cassandra.auth.password" ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.cassandra.secret "username" "quarkus.cassandra.auth.username" . ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.cassandra.secret "password" "quarkus.cassandra.auth.password" . ) | trim | nindent 12 -}}
             {{- end -}}
             {{- if or (eq .Values.versionStoreType "JDBC") (eq .Values.versionStoreType "TRANSACTIONAL") }}
             {{- $oldConfig := .Values.postgres | default dict }}
             {{- $newConfig := .Values.jdbc | default dict }}
             {{- $jdbcUrl := coalesce $oldConfig.jdbcUrl $newConfig.jdbcUrl }}
             {{- $secret := coalesce $oldConfig.secret $newConfig.secret }}
             {{- $dbKind := include "nessie.dbKind" $jdbcUrl }}
-            {{- include "nessie.secretToEnv" (list $secret "username" (printf "quarkus.datasource.%s.username" $dbKind)) | trim | nindent 12 }}
-            {{- include "nessie.secretToEnv" (list $secret "password" (printf "quarkus.datasource.%s.password" $dbKind)) | trim | nindent 12 }}
+            {{- include "nessie.secretToEnv" (list $secret "username" (printf "quarkus.datasource.%s.username" $dbKind) . ) | trim | nindent 12 }}
+            {{- include "nessie.secretToEnv" (list $secret "password" (printf "quarkus.datasource.%s.password" $dbKind) . ) | trim | nindent 12 }}
             {{- end -}}
             {{- if eq .Values.versionStoreType "BIGTABLE" }}
             {{- if .Values.bigtable.secret }}
@@ -81,13 +81,13 @@ spec:
             {{- end }}
             {{- end -}}
             {{- if .Values.authentication.enabled -}}
-            {{- include "nessie.secretToEnv" (list .Values.authentication.oidcClientSecret "key" "quarkus.oidc.credentials.secret" ) | trim | nindent 12 -}}
+            {{- include "nessie.secretToEnv" (list .Values.authentication.oidcClientSecret "key" "quarkus.oidc.credentials.secret" . ) | trim | nindent 12 -}}
             {{- end -}}
             {{- if .Values.catalog.enabled -}}
-            {{- include "nessie.catalogStorageEnv" .Values.catalog.storage | trim | nindent 12 -}}
+            {{- include "nessie.catalogStorageEnv" . | trim | nindent 12 -}}
             {{- end -}}
             {{- if .Values.extraEnv }}
-            {{- toYaml .Values.extraEnv | nindent 12 }}
+            {{- tpl (toYaml .Values.extraEnv) . | nindent 12 }}
             {{- end }}
           ports:
             {{- range $portName, $portNumber := .Values.service.ports }}
@@ -116,7 +116,7 @@ spec:
             successThreshold: 1
             timeoutSeconds: 10
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- tpl (toYaml .Values.resources) . | nindent 12 }}
       volumes:
         - name: nessie-config
           configMap:
@@ -134,15 +134,15 @@ spec:
               - key: {{ .Values.bigtable.secret.key }}
                 path: sa_credentials.json
       {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- if .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .Values.nodeSelector) . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- if .Values.affinity }}
       affinity:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .Values.affinity) . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- if .Values.tolerations }}
       tolerations:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .Values.tolerations) . | nindent 8 }}
       {{- end }}