From 86cc0283a0bf408641f2dd1d786928185aa3b6c4 Mon Sep 17 00:00:00 2001
From: antonis-snowplow
Date: Wed, 4 Sep 2024 17:51:12 +0300
Subject: [PATCH] Implement helm hook job for dev db user setup
---
 CHANGELOG | 4 +
 charts/snowplow-iglu-server/Chart.yaml | 2 +-
 charts/snowplow-iglu-server/README.md | 5 ++
 .../templates/iglu-hooks.yaml | 75 +++++++++++++++++--
 .../values-azure.yaml.tmpl | 6 ++
 charts/snowplow-iglu-server/values.yaml | 7 ++
 6 files changed, 90 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index ee59836..3e53475 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 0.1.75 (2024-08-30)
+---------------------------
+charts/snowplow-iglu-server: Create Helm Hook Job for DB users and permissions (closes #196)
+
 Version 0.1.74 (2024-08-30)
 ---------------------------
 charts/aws-otel-collector: change default resource allocation (#198)
diff --git a/charts/snowplow-iglu-server/Chart.yaml b/charts/snowplow-iglu-server/Chart.yaml
index 0bffd07..e6156da 100644
--- a/charts/snowplow-iglu-server/Chart.yaml
+++ b/charts/snowplow-iglu-server/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: snowplow-iglu-server
 description: A Helm Chart to deploy the Snowplow Iglu Server project
-version: 0.7.0
+version: 0.8.0
 appVersion: "0.12.0"
 icon: https://raw.githubusercontent.com/snowplow-devops/helm-charts/master/docs/logo/snowplow.png
 home: https://github.com/snowplow-devops/helm-charts
diff --git a/charts/snowplow-iglu-server/README.md b/charts/snowplow-iglu-server/README.md
index 9cd89ac..99590cf 100644
--- a/charts/snowplow-iglu-server/README.md
+++ b/charts/snowplow-iglu-server/README.md
@@ -118,6 +118,8 @@ You will need to fill these targeted fields:
 ### Azure (AKS) settings
+When `dev_db` is `true` the hook job `-dev-db-user-setup` will be initiated
+
 ### AWS (EKS) settings
 #### TargetGroup binding
@@ -163,6 +165,9 @@ You will need to fill these targeted fields:
 | service.config.repoServer.hsts.enable | bool | `true` | Whether to enable sending HSTS headers (>=0.12.0) |
 | service.config.secrets.superApiKey | string | `""` | Lowercase uuidv4 to use as admin apikey of the service (default: auto-generated) |
 | service.deploySetupHooks | bool | `true` | Whether to run the post-deploy setup hooks |
+| service.azure.dev_db | bool | `false` | Whether we deploy for dev db in Azure |
+| service.azure.secrets.admin_username | string | `""` | The admin username that will be used for the psql command |
+| service.azure.secrets.admin_password | string | `""` | The admin password that will be used for the psql command |
 | service.gcp.deployProxy | bool | `false` | Whether to use CloudSQL Proxy (note: requires GCP service account to be attached) |
 | service.gcp.networkEndpointGroupName | string | `""` | Name of the Network Endpoint Group to bind onto |
 | service.gcp.proxy.image.isRepositoryPublic | bool | `true` | Whether the repository is public |
diff --git a/charts/snowplow-iglu-server/templates/iglu-hooks.yaml b/charts/snowplow-iglu-server/templates/iglu-hooks.yaml
index 859dd5e..76ea37a 100644
--- a/charts/snowplow-iglu-server/templates/iglu-hooks.yaml
+++ b/charts/snowplow-iglu-server/templates/iglu-hooks.yaml
@@ -1,5 +1,6 @@
 {{- if .Values.service.deploySetupHooks }}
 {{- if eq (include "iglu.service.config.database.type" .) "postgres" }}
+
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -9,6 +10,7 @@ metadata:
 annotations:
 "helm.sh/hook": post-install,post-upgrade
 "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "2"
 spec:
 template:
 metadata:
@@ -17,12 +19,10 @@ spec: restartPolicy: Never containers: - name: {{ include "iglu.hooks.name" . }} - image: {{ .Values.service.image.repository}}:{{ .Values.service.image.tag}} + image: {{ .Values.service.image.repository}}:{{ .Values.service.image.tag }} imagePullPolicy: Always - args: - "setup" - env: {{- range $k, $v := .Values.service.config.env }} - name: "{{ $k }}" 
@@ -31,21 +31,80 @@ spec: - name: "JDK_JAVA_OPTIONS" value: "-Dconfig.override_with_env_vars=true" {{- if .Values.service.gcp.deployProxy }} - - name : "CONFIG_FORCE_iglu_database_host" + - name: "CONFIG_FORCE_iglu_database_host" value: {{ include "iglu.cloudsqlproxy.host" . }} - - name : "CONFIG_FORCE_iglu_database_port" + - name: "CONFIG_FORCE_iglu_database_port" value: "{{ .Values.service.gcp.proxy.port }}" {{- else }} - - name : "CONFIG_FORCE_iglu_database_host" + - name: "CONFIG_FORCE_iglu_database_host" value: "{{ .Values.service.config.database.host }}" - - name : "CONFIG_FORCE_iglu_database_port" + - name: "CONFIG_FORCE_iglu_database_port" value: "{{ .Values.service.config.database.port }}" {{- end }} - - name : "CONFIG_FORCE_iglu_database_dbname" + - name: "CONFIG_FORCE_iglu_database_dbname" value: "{{ .Values.service.config.database.dbname }}" + envFrom: + - secretRef: + name: {{ include "iglu.app.secret.name" . }} + +{{- if .Values.service.azure.dev_db }} + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "iglu.hooks.name" . }}-dev-db-user-setup + labels: + {{- include "snowplow.labels" $ | nindent 4 }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ include "iglu.hooks.name" . }}-dev-db-user-setup + spec: + restartPolicy: Never + containers: + - name: {{ include "iglu.hooks.name" . 
}}-dev-db-user-setup + image: postgres:15-alpine + imagePullPolicy: Always + command: ["/bin/bash", "-c"] + args: + - | + export PGPASSWORD="${CONFIG_FORCE_iglu_database_admin_password}" + psql -h "${CONFIG_FORCE_iglu_database_host}" \ + -U "${CONFIG_FORCE_iglu_database_admin_username}" \ + -d "${CONFIG_FORCE_iglu_database_dbname}" \ + -c "CREATE USER ${CONFIG_FORCE_iglu_database_dev_username} WITH PASSWORD '${CONFIG_FORCE_iglu_database_dev_password}';" && echo "OK" + psql -h "${CONFIG_FORCE_iglu_database_host}" \ + -U "${CONFIG_FORCE_iglu_database_admin_username}" \ + -d "${CONFIG_FORCE_iglu_database_dbname}" \ + -c "GRANT ALL PRIVILEGES ON DATABASE ${CONFIG_FORCE_iglu_database_dbname} TO ${CONFIG_FORCE_iglu_database_dev_username};" && echo "OK" + psql -h "${CONFIG_FORCE_iglu_database_host}" \ + -U "${CONFIG_FORCE_iglu_database_admin_username}" \ + -d "${CONFIG_FORCE_iglu_database_dbname}" \ + -c "GRANT USAGE, CREATE ON SCHEMA public TO ${CONFIG_FORCE_iglu_database_dev_username};" && echo "OK" + env: + - name: "CONFIG_FORCE_iglu_database_admin_password" + value: "{{ .Values.service.azure.secrets.admin_password }}" + - name: "CONFIG_FORCE_iglu_database_admin_username" + value: "{{ .Values.service.azure.secrets.admin_username }}" + - name: "CONFIG_FORCE_iglu_database_dev_username" + value: "{{ .Values.service.config.database.secrets.username }}" + - name: "CONFIG_FORCE_iglu_database_dev_password" + value: "{{ .Values.service.config.database.secrets.password }}" + - name: "CONFIG_FORCE_iglu_database_host" + value: "{{ .Values.service.config.database.host }}" + - name: "CONFIG_FORCE_iglu_database_dbname" + value: "{{ .Values.service.config.database.dbname }}" + - name: "CONFIG_FORCE_iglu_database_port" + value: "{{ .Values.service.gcp.proxy.port }}" envFrom: - secretRef: name: {{ include "iglu.app.secret.name" . }} {{- end }} {{- end }} +{{- end }} 
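Review bot: The admin and dev database passwords are rendered into plain `env` `value:` fields of the new `-dev-db-user-setup` Job, so they end up in the Job spec (and in the Helm release record) where anyone who can read Jobs in the namespace can see them; they should come from a Secret through `valueFrom.secretKeyRef`, the way the existing `envFrom.secretRef` already does for the app secret. The same values are then spliced by the shell into the `-c` SQL strings, so a username or password containing a quote or other SQL syntax changes the statement that runs under the admin role; handing them to psql as variables and quoting with `:"name"` / `:'name'` closes that. The script has no `set -e` or `ON_ERROR_STOP`, so only the last `psql` decides the Job result, and `CREATE USER` will error on every `post-upgrade` run once the role exists. `CONFIG_FORCE_iglu_database_port` is taken from `.Values.service.gcp.proxy.port` and never passed to `psql`, which looks like a copy-paste leftover in an Azure-only job. The fence sketches the change; the Secret key names are placeholders because the Secret template is not part of this patch, and `\getenv` needs psql 15 or newer, which matches the `postgres:15-alpine` image used here.

```yaml
# … unchanged: Job metadata, hook annotations, container name and image …
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euo pipefail
              export PGPASSWORD="${CONFIG_FORCE_iglu_database_admin_password}"
              psql -v ON_ERROR_STOP=1 \
                -h "${CONFIG_FORCE_iglu_database_host}" \
                -p "${CONFIG_FORCE_iglu_database_port}" \
                -U "${CONFIG_FORCE_iglu_database_admin_username}" \
                -d "${CONFIG_FORCE_iglu_database_dbname}" <<'SQL'
              \getenv dev_user CONFIG_FORCE_iglu_database_dev_username
              \getenv dev_pass CONFIG_FORCE_iglu_database_dev_password
              SELECT format('CREATE USER %I WITH PASSWORD %L', :'dev_user', :'dev_pass')
                WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'dev_user') \gexec
              GRANT ALL PRIVILEGES ON DATABASE :"DBNAME" TO :"dev_user";
              GRANT USAGE, CREATE ON SCHEMA public TO :"dev_user";
              SQL
          env:
            - name: "CONFIG_FORCE_iglu_database_admin_password"
              valueFrom:
                secretKeyRef:
                  name: {{ include "iglu.app.secret.name" . }}
                  key: "<ADMIN_PASSWORD_KEY>"  # placeholder
            - name: "CONFIG_FORCE_iglu_database_dev_password"
              valueFrom:
                secretKeyRef:
                  name: {{ include "iglu.app.secret.name" . }}
                  key: "<DEV_PASSWORD_KEY>"  # placeholder
            - name: "CONFIG_FORCE_iglu_database_port"
              value: "{{ .Values.service.config.database.port }}"
            # … unchanged: admin_username, dev_username, host and dbname entries, envFrom …
```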
diff --git a/charts/snowplow-iglu-server/values-azure.yaml.tmpl b/charts/snowplow-iglu-server/values-azure.yaml.tmpl
index 83c7eba..322e396 100644
--- a/charts/snowplow-iglu-server/values-azure.yaml.tmpl
+++ b/charts/snowplow-iglu-server/values-azure.yaml.tmpl
@@ -32,3 +32,9 @@ service:
 ingress:
 ingress-01:
 hostname: "iglu-server.example.com"
+
+ azure:
+ dev_db: ""
+ secrets:
+ admin_username: ""
+ dev_username ""
diff --git a/charts/snowplow-iglu-server/values.yaml b/charts/snowplow-iglu-server/values.yaml
index 6f761fa..5cb950d 100644
--- a/charts/snowplow-iglu-server/values.yaml
+++ b/charts/snowplow-iglu-server/values.yaml
@@ -86,6 +86,13 @@ service:
 # -- EC2 TargetGroup ARN to bind the service onto
 targetGroupARN: ""
+ azure:
+ # -- Whether we deploy for dev db
+ dev_db: false
+ secrets:
+ admin_username: ""
+ dev_username: ""
+
 gcp:
 # -- Name of the Network Endpoint Group to bind onto
 networkEndpointGroupName: ""
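Review bot: `dev_username ""` at the end of the new `azure.secrets` block in `values-azure.yaml.tmpl` is missing its colon, so a values file copied from this template will not parse as YAML; it should read `dev_username: ""`. The keys also do not line up with what the hook template reads: `iglu-hooks.yaml` uses `.Values.service.azure.secrets.admin_password`, which neither this hunk nor the `values.yaml` hunk defines, while `dev_username` is not referenced in the template lines shown in this patch (the dev user comes from `service.config.database.secrets.username`). `dev_db: ""` would also be clearer as `dev_db: false`, matching the boolean default in `values.yaml`.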
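Review bot: The new `azure.secrets` keys in `values.yaml` carry no `# --` description comments, unlike `dev_db` and the neighbouring `targetGroupARN` and `networkEndpointGroupName` entries, so the chart's own documentation for the admin credentials is missing where operators will look first. I would add `# -- Admin username used by the dev-db user setup hook` above `admin_username`, and say in the comment that the admin credentials are supplied at deploy time and must not be committed to a values file. Because the defaults are empty strings, enabling `dev_db` without them renders a Job with an empty admin password that presumably only fails at authentication; wrapping the lookups in Helm's `required` when `dev_db` is true would fail the render with a clear message instead.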