Release Helm charts 0.2.0 (#50)

https://circleci.com/gh/DACH-NY/daml-enterprise-k8s-support/6566

Notable changes:
* JWT custom audience (participant)
* Move key `bootstrap` into new key `testing` (domain and participant)
* New Canton image with non-root user
* Run all pods/containers with a `securityContext`

Co-authored-by: DA Machine <da-machine@digitalasset.com>

Author: githubuser-da

charts/canton-domain/Chart.yaml

@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: "canton-domain"
-version: 0.1.0
-appVersion: 2.6.4
+version: 0.2.0
+appVersion: 2.6.5
 kubeVersion: ">= 1.22.0-0"
 description: "A Helm chart for Canton Domains"
 home: https://github.com/digital-asset/daml-helm-charts/tree/main/charts/canton-domain

charts/canton-domain/README.md

@@ -65,7 +65,24 @@ Return image for containers.
 {{- if .Values.image.registry }}
     {{- printf "%s/%s%s%s" .Values.image.registry .Values.image.repository $separator $termination -}}
 {{- else -}}
-    {{- printf "%s%s%s"  .Values.image.repository $separator $termination -}}
+    {{- printf "%s%s%s" .Values.image.repository $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return image for console containers.
+*/}}
+{{- define "console.image" -}}
+{{- $separator := ":" -}}
+{{- $termination := .Values.console.image.tag | default .Chart.AppVersion -}}
+{{- if .Values.console.image.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .Values.console.image.digest -}}
+{{- end -}}
+{{- if .Values.image.registry }}
+    {{- printf "%s/%s%s%s" .Values.image.registry .Values.console.image.repository $separator $termination -}}
+{{- else -}}
+    {{- printf "%s%s%s" .Values.console.image.repository $separator $termination -}}
 {{- end -}}
 {{- end -}}
 

charts/canton-domain/templates/_helpers.tpl

@@ -9,7 +9,7 @@ Params:
   - Context - Dict - Required. Current context for the template evaluation.
 */}}
 {{ define "remoteParticipants" }}
-{{ range $remoteParticipant := .Values.common.remoteParticipants }}
+{{ range $remoteParticipant := .Values.testing.bootstrap.remoteParticipants }}
 remote-participants {
   {{ $remoteParticipant.name }} {
     ledger-api {
@@ -36,7 +36,7 @@ Params:
   - Context - Dict - Required. Current context for the template evaluation.
 */}}
 {{- define "remoteParticipants.volumeMounts" }}
-{{- range $remoteParticipant := .Values.common.remoteParticipants }}
+{{- range $remoteParticipant := .Values.testing.bootstrap.remoteParticipants }}
 {{- if (($remoteParticipant.tls).admin).enabled }}
 - name: tls-{{ $remoteParticipant.name }}
   mountPath: "/tls-{{ $remoteParticipant.name }}"
@@ -87,7 +87,7 @@ Params:
 {{- define "remoteParticipants.volumes" }}
 {{- $top              := index . 0 }}
 {{- $component        := index . 1 }}
-{{- range $remoteParticipant := $top.Values.common.remoteParticipants }}
+{{- range $remoteParticipant := $top.Values.testing.bootstrap.remoteParticipants }}
 {{- if and (($remoteParticipant.tls).admin).enabled ((($remoteParticipant.tls).admin).certManager).issuerName }}
 # Dummy certificate only used to mount the root CA certificate
 {{- include "certManager.csi" (list $top $component (include "remoteParticipant.tls.name" $remoteParticipant.name) $remoteParticipant.tls.admin.certManager "") }}

charts/canton-domain/templates/_remotes.tpl

@@ -14,6 +14,10 @@ data:
   bootstrap.canton: |
     logger.info("Bootstrap start")
 
+    val domainManager = domainManagers.remote.head
+    val mediator = mediators.remote.head
+    val sequencer = sequencers.remote.head
+
     import com.digitalasset.canton.config.NonNegativeDuration
 
     logger.debug("Setting script commands timeout")
@@ -24,28 +28,28 @@ data:
       node.health.wait_for_running()
     }
 
-    logger.info(s"Bootstrapping domain ${domainManagers.remote.head.name}")
-    domainManagers.remote.head.setup.bootstrap_domain(sequencers.all, Seq(mediators.remote.head))
+    logger.info(s"Bootstrapping domain ${domainManager.name}")
+    domainManager.setup.bootstrap_domain(Seq(sequencer), Seq(mediator))
 
-    {{ if .Values.common.remoteParticipants -}}
+    {{ if .Values.testing.bootstrap.remoteParticipants -}}
     logger.info("Bootstrapping participant(s)")
     participants.remote.foreach { participant =>
       logger.info(s"Waiting for participant ${participant.name} to be initialized")
       participant.health.wait_for_initialized()
 
       {{- if .Values.manager.topology.open }}
-      logger.warn(s"Your domain ${domainManagers.remote.head.name} is open, any participant can join ⚠️")
+      logger.warn(s"Your domain ${domainManager.name} is open, any participant can join ⚠️")
       {{- else }}
-      if (domainManagers.remote.head.participants.list.forall(_.item.participant != participant.id)) {
-        logger.info(s"Registering participant ${participant.name} to domain ${domainManagers.remote.head.name}")
-        domainManagers.remote.head.participants.set_state(participant.id, ParticipantPermission.Submission, TrustLevel.Ordinary)
+      if (domainManager.participants.list.exists(_.item.participant == participant.id)) {
+        logger.info(s"Participant ${participant.name} already registered to domain ${domainManager.name}")
       } else {
-        logger.info(s"Participant already registered in domain ${domainManagers.remote.head.name}")
+        logger.info(s"Registering participant ${participant.name} to domain ${domainManager.name}")
+        domainManager.participants.set_state(participant.id, ParticipantPermission.Submission, TrustLevel.Ordinary)
       }
       {{- end }}
 
-      logger.info(s"Connecting participant ${participant.name} to domain ${domainManagers.remote.head.name} and sequencer(s) ${sequencers.remote.head.name}")
-      participant.domains.connect_multi(domainManagers.remote.head.name, Seq(sequencers.remote.head))
+      logger.info(s"Connecting participant ${participant.name} to domain ${domainManager.name} and sequencer(s) ${sequencer.name}")
+      participant.domains.connect_multi(domainManager.name, Seq(sequencer))
 
       logger.info(s"Pinging participant ${participant.name} to make sure everything is alright")
       participant.health.ping(participant)

charts/canton-domain/templates/bootstrap/configmap.yaml

@@ -48,10 +48,16 @@ spec:
       imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
       restartPolicy: Never
+      {{- if .Values.bootstrap.pod.securityContext.enabled }}
+      securityContext: {{- omit .Values.bootstrap.pod.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: canton
           image: {{ include "common.image" . | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.bootstrap.securityContext.enabled }}
+          securityContext: {{- omit .Values.bootstrap.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           args:
             - "run"
             - "--log-profile=container"

charts/canton-domain/templates/bootstrap/job.yaml

@@ -52,10 +52,16 @@ spec:
       imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
       terminationGracePeriodSeconds: {{ .Values.console.terminationGracePeriodSeconds }}
+      {{- if .Values.console.pod.securityContext.enabled }}
+      securityContext: {{- omit .Values.console.pod.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
-        - name: canton
-          image: {{ include "common.image" . | quote }}
+        - name: console
+          image: {{ include "console.image" . | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.console.securityContext.enabled }}
+          securityContext: {{- omit .Values.console.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           command: ["tail", "-f", "/dev/null"]
           envFrom:
             {{- if .Values.console.environment }}

charts/canton-domain/templates/console/deployment.yaml

@@ -45,10 +45,16 @@ spec:
       {{- with .Values.image.pullSecrets }}
       imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.common.pod.securityContext.enabled }}
+      securityContext: {{- omit .Values.common.pod.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: canton
           image: {{ include "common.image" . | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.common.securityContext.enabled }}
+          securityContext: {{- omit .Values.common.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           args:
             - "daemon"
             - "--log-profile=container"

charts/canton-domain/templates/manager/deployment.yaml

@@ -45,10 +45,16 @@ spec:
       {{- with .Values.image.pullSecrets }}
       imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.common.pod.securityContext.enabled }}
+      securityContext: {{- omit .Values.common.pod.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: canton
           image: {{ include "common.image" . | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.common.securityContext.enabled }}
+          securityContext: {{- omit .Values.common.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           args:
             - "daemon"
             - "--log-profile=container"

charts/canton-domain/templates/mediator/deployment.yaml

@@ -46,10 +46,16 @@ spec:
       {{- with .Values.image.pullSecrets }}
       imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.common.pod.securityContext.enabled }}
+      securityContext: {{- omit .Values.common.pod.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: canton
           image: {{ include "common.image" . | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.common.securityContext.enabled }}
+          securityContext: {{- omit .Values.common.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           args:
             - "daemon"
             - "--log-profile=container"