Merge branch 'issue/3473' into release/v2.2.5-alpha.1

Author: t83714

deploy/helm/internal-charts/cloud-sql-proxy/templates/deployment.yaml

@@ -30,47 +30,58 @@ spec:
       {{- include "magda.imagePullSecrets" . | indent 6 }}
       containers:
       - name: cloud-sql-proxy
+        ports:
+        - containerPort: 5432
+          name: db
+          protocol: TCP
         image: {{ include "magda.image" . | quote }}
         imagePullPolicy: {{ include "magda.imagePullPolicy" . | quote }}
-        command: ["/cloud_sql_proxy",
-                  "-instances={{ .Values.instanceConnectionName }}=tcp:0.0.0.0:5432",
+        command: 
+          - "/cloud_sql_proxy"
+          - "-instances={{ .Values.instanceConnectionName }}=tcp:0.0.0.0:5432"
 {{- if .Values.enableIamLogin }}
-                  "-enable_iam_login={{ .Values.enableIamLogin }}",
+          - "-enable_iam_login"
 {{- end }}
 {{- if .Values.maxConnections }}
-                  "-max_connections={{ .Values.maxConnections }}",
+          - "-max_connections={{ .Values.maxConnections }}"
 {{- end }}
 {{- if .Values.ipAddressTypes }}
-                  "-ip_address_types={{ .Values.ipAddressTypes }}",
+          - "-ip_address_types={{ .Values.ipAddressTypes }}"
 {{- end }}
 {{- if .Values.termTimeout }}
-                  "-term_timeout={{ .Values.termTimeout }}s",
+          - "-term_timeout={{ .Values.termTimeout }}s"
 {{- end }}
 {{- if .Values.skipFailedInstanceConfig }}
-                  "-skip_failed_instance_config={{ .Values.skipFailedInstanceConfig }}",
+          - "-skip_failed_instance_config={{ .Values.skipFailedInstanceConfig }}"
 {{- end }}
 {{- if .Values.logDebugStdout }}
-                  "-log_debug_stdout={{ .Values.logDebugStdout }}",
+          - "-log_debug_stdout={{ .Values.logDebugStdout }}"
 {{- end }}
 {{- if .Values.structuredLogs }}
-                  "-structured_logs={{ .Values.structuredLogs }}",
+          - "-structured_logs={{ .Values.structuredLogs }}"
+{{- end }}
+{{- if empty .Values.enableIamLogin }}
+          - "-credential_file=/secrets/cloudsql/credentials.json"
 {{- end }}
-                  "-credential_file=/secrets/cloudsql/credentials.json"]
 {{- if .Values.global.enableLivenessProbes }}
         livenessProbe:
           exec:
             command: ["nc", "-z", "127.0.0.1", "5432"]
 {{- end }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
+{{- if empty .Values.enableIamLogin }}
         volumeMounts:
         - name: cloudsql-instance-credentials
           mountPath: /secrets/cloudsql
           readOnly: true
+{{- end }}
       volumes:
+{{- if empty .Values.enableIamLogin }}
       - name: cloudsql-instance-credentials
         secret:
           secretName: cloudsql-instance-credentials
+{{- end }}
       - name: cloudsql
         emptyDir:
 {{- end }}

deploy/helm/magda-core/README.md

@@ -65,8 +65,8 @@ A complete solution for managing, publishing and discovering government data, pr
 | global.postgresql.existingSecret | string | `"db-main-account-secret"` | the secret that contains privileged PostgreSQL account password. The password will be loaded from key "postgresql-password" of the secret data. Previously (before v1.0.0), we used to load the password from "cloudsql-db-credentials" secret `password` field when use cloud provider DB services. Since v1.0.0, our helm chart can auto-create the secret and copy the content of "cloudsql-db-credentials" secret when: <ul>   <li> "autoCreateSecret" is set to true</li>   <li> "cloudsql-db-credentials" exists </li> </ul> for backward compatibility purposes. |
 | global.postgresql.postgresqlUsername | string | `"postgres"` | PostgreSQL username For in-k8s PostgreSQL, a user account will be auto-created with superuser privileges when username is `postgres`. It's recommended use superuser `postgres` for both in-k8s PostgreSQL or cloud provider DB services (e.g. CloudSQL or AWS RDS). This user will only be used for DB schema migrators to cerate DB schema and restricted DB accounts that are used by Magda internal services to access DB. If you have to use a user account rather than `postgres`, the user account needs to have sufficient permissions to run all DB migration scripts ([e.g. here](https://github.com/magda-io/magda/tree/master/magda-migrator-registry-db/sql)). Note: Until the ticket #3126 is fixed, using a DB username rather than `postgres` will trigger an error when content DB migrate runs. |
 | global.rollingUpdate.maxUnavailable | int | `0` |  |
-| global.useAwsRdsDb | bool | `false` | whether to use AWS RDS DB config.  When this option is on, all other database type e.g. `useCombinedDb` & `useCloudSql` must be turned off. |
-| global.useCloudSql | bool | `false` | whether to use Google Cloud SQL database.  When this option is on, all other database type e.g. `useCombinedDb` & `useAwsRdsDb` must be turned off. |
+| global.useAwsRdsDb | bool | `false` | whether to use AWS RDS DB config.  When this option is on, all other database type e.g. `useCombinedDb` & `useCloudSql` must be turned off. When this option is on and you want to set `autoCreateSecret` = true in order to auto create DB client password secret, you need to make sure magda.combined-db chart is selected (i.e. tags.combined-db = true). Otherwise, there will be no DB client password secret to be created (although `autoCreateSecret` = true ) |
+| global.useCloudSql | bool | `false` | whether to use Google Cloud SQL database.  When this option is on, all other database type e.g. `useCombinedDb` & `useAwsRdsDb` must be turned off. When this option is on and you want to set `autoCreateSecret` = true in order to auto create DB client password secret, you need to make sure magda.combined-db chart is selected (i.e. tags.combined-db = true). Otherwise, there will be no DB client password secret to be created (although `autoCreateSecret` = true ) |
 | global.useCombinedDb | bool | `true` |  |
 | global.useInK8sDbInstance | object | `{"authorization-db":false,"content-db":false,"registry-db":false,"session-db":false,"tenant-db":false}` | When `useCombinedDb` = false, setting any key to true will create an in-k8s DB instance for the particular database. Please note: you must set `useCombinedDb` = false before set any of the field to `true`. Otherwise, all db requests will still be forwarded to the combined DB instance other than each individual database instance. |
 | tags | object | see default value of each individual tag below. | (object) Control on/ off of each modules.  To turn on/off openfaas, please set value to `global.openfaas.enabled` |

deploy/helm/magda-core/values.yaml

@@ -39,10 +39,16 @@ global:
 
   # -- whether to use Google Cloud SQL database. 
   # When this option is on, all other database type e.g. `useCombinedDb` & `useAwsRdsDb` must be turned off.
+  # When this option is on and you want to set `autoCreateSecret` = true in order to auto create DB client password secret,
+  # you need to make sure magda.combined-db chart is selected (i.e. tags.combined-db = true).
+  # Otherwise, there will be no DB client password secret to be created (although `autoCreateSecret` = true )
   useCloudSql: false
 
   # -- whether to use AWS RDS DB config. 
   # When this option is on, all other database type e.g. `useCombinedDb` & `useCloudSql` must be turned off.
+  # When this option is on and you want to set `autoCreateSecret` = true in order to auto create DB client password secret,
+  # you need to make sure magda.combined-db chart is selected (i.e. tags.combined-db = true).
+  # Otherwise, there will be no DB client password secret to be created (although `autoCreateSecret` = true )
   useAwsRdsDb: false
 
   # -- AWS RDS DB instance access endpoint. e.g. xxxx.xxxx.ap-southeast-2.rds.amazonaws.com.