feat: Enhance udash helm chart

charts/udash/Chart.yaml

@@ -4,4 +4,5 @@ description: Udash, the Updatecli DASHboard
 icon: https://www.updatecli.io/images/updatecli_transparent.png
 name: udash
 type: application
-version: 0.25.0
+version: 0.26.0
+

charts/udash/README.md

@@ -1,6 +1,6 @@
 # udash
 
-![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+![Version: 0.26.0](https://img.shields.io/badge/Version-0.26.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
 
 Udash, the Updatecli DASHboard
 
@@ -23,7 +23,24 @@ An optional **Ingress** routes:
 
 - Kubernetes 1.19+
 - Helm 3.x
-- A running **PostgreSQL** instance accessible from the cluster
+- **[CloudNative-PG operator](https://cloudnative-pg.io/)** (when `cnpg.enabled: true`, which is the default)
+
+Install the CNPG operator before installing this chart, and use `--wait` to ensure the operator
+pod is fully ready (including its admission webhook) before proceeding:
+
+```console
+helm repo add cnpg https://cloudnative-pg.github.io/charts
+helm upgrade --install cnpg \
+  --namespace cnpg-system \
+  --create-namespace \
+  cnpg/cloudnative-pg \
+  --wait
+```
+
+Without `--wait`, the operator pod may not be ready when the chart creates the `Cluster` resource,
+causing: `failed calling webhook "mcluster.cnpg.io": no endpoints available for service "cnpg-webhook-service"`.
+
+If you prefer to bring your own PostgreSQL instance, set `cnpg.enabled=false` and supply the connection URI via `secrets.database.stringdata.uri`.
 
 ## Get Repository Info
 
@@ -40,12 +57,21 @@ helm install udash updatecli/udash
 
 ## Installing the Chart
 
-### Read-only mode (default)
+### Default (CloudNative-PG managed PostgreSQL)
+
+By default the chart provisions a CNPG `Cluster` and injects credentials automatically. Just install the CNPG operator first (see Prerequisites), then:
+
+```console
+helm install udash updatecli/udash
+```
+
+### Read-only mode with external PostgreSQL
 
-In read-only mode the server runs without authentication (dry-run). No OAuth credentials are required.
+Disable CNPG and supply your own connection URI:
 
 ```console
 helm install udash updatecli/udash \
+  --set cnpg.enabled=false \
   --set secrets.database.stringdata.uri="postgres://user:pass@postgres:5432/udash?sslmode=disable"
 ```
 
@@ -56,21 +82,88 @@ Set `readonly: false` and supply your OAuth2 provider details:
 ```console
 helm install udash updatecli/udash \
   --set readonly=false \
-  --set secrets.database.stringdata.uri="postgres://user:pass@postgres:5432/udash?sslmode=disable" \
   --set secrets.auth.stringdata.clientid="my-client-id" \
   --set secrets.auth.stringdata.audience="https://udash.example/api" \
   --set secrets.auth.stringdata.issuer="https://auth.example"
 ```
 
-### With Ingress
+When using an external PostgreSQL in full mode, also set `cnpg.enabled=false` and `secrets.database.stringdata.uri`.
+
+### With Ingress (same host, default paths)
+
+Routes `udash.example.com/` to the front and `udash.example.com/api` to the server:
 
 ```console
 helm install udash updatecli/udash \
   --set ingress.enabled=true \
-  --set ingress.className=nginx \
+  --set ingress.className=traefik \
   --set "ingress.hosts[0].host=udash.example.com"
 ```
 
+### With Ingress (split domain)
+
+Routes the front and API to different hostnames. Set `front.apiBaseUrl` to the absolute API URL
+so the browser knows where to reach the server:
+
+```yaml
+front:
+  apiBaseUrl: "https://api.udash.example.com/api"
+
+ingress:
+  enabled: true
+  className: traefik
+  hosts:
+    - host: udash.example.com
+  tls:
+    - secretName: udash-tls
+      hosts: [udash.example.com]
+  server:
+    host: api.udash.example.com
+    tls:
+      - secretName: udash-api-tls
+        hosts: [api.udash.example.com]
+```
+
+### With Ingress (split domain and custom sub-paths)
+
+Serves the front at `domain.example/project` and the API at `api.domain.example/myproject`.
+When the external server sub-path differs from `/api`, Traefik requires a `Middleware` resource
+to rewrite the path to the server's internal `/api` prefix. Create the middleware first:
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: udash-api-rewrite
+  namespace: default
+spec:
+  replacePathRegex:
+    regex: "^/myproject(.*)"
+    replacement: "/api$1"
+```
+
+Then reference it via `ingress.server.annotations` (the middleware name format is
+`<namespace>-<middlewareName>@kubernetescrd`):
+
+```yaml
+front:
+  appBasePath: "/project"
+  apiBaseUrl: "https://api.domain.example/myproject"
+
+ingress:
+  enabled: true
+  className: traefik
+  hosts:
+    - host: domain.example
+  paths:
+    front: "/project"
+  server:
+    host: api.domain.example
+    path: "/myproject"
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: default-udash-api-rewrite@kubernetescrd
+```
+
 ## Uninstalling the Chart
 
 ```console
@@ -88,23 +181,36 @@ helm uninstall udash
 | autoscaling.maxReplicas | int | `100` | Maximum number of replicas. |
 | autoscaling.minReplicas | int | `1` | Minimum number of replicas. |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage for autoscaling. |
+| cnpg.database | string | `"udash"` | PostgreSQL database name created during cluster bootstrap. |
+| cnpg.enabled | bool | `true` | Enable CloudNative-PG managed PostgreSQL cluster. When true, the chart provisions a CNPG Cluster and injects credentials automatically. Requires the CNPG operator to be installed separately. |
+| cnpg.instances | int | `1` | Number of PostgreSQL instances in the CNPG cluster. |
+| cnpg.owner | string | `"udash"` | PostgreSQL role/owner created during cluster bootstrap. |
+| cnpg.storage.size | string | `"1Gi"` | Storage size for each PostgreSQL instance. |
 | configMap.annotations | object | `{}` | Annotations to add to the ConfigMap. |
 | configMap.name | string | `""` | The name of the ConfigMap used to store server/front configuration. If not set, a name is generated using the fullname template. |
+| front.apiBaseUrl | string | `"/api"` | API base URL used by the browser. Use a relative path (e.g. "/api") for same-host routing. Use an absolute URL (e.g. "https://api.domain.example/api") for split-domain routing. |
+| front.appBasePath | string | `"/"` | Base path for the SPA. Change when the front is mounted at a sub-path (e.g. "/project"). |
 | fullnameOverride | string | `""` | Full override for the chart name used in resource names. |
 | imagePullSecrets | list | `[]` | Secrets for pulling images from private registries. |
 | images.front.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the udash-front image. |
 | images.front.repository | string | `"ghcr.io/updatecli/udash-front"` | Repository for the udash-front image. |
-| images.front.tag | string | `"v0.17.0@sha256:9afa7d7b0d8a8bc70154b83fd3ded620714cd79443c9e17a72bc5d7611c22f28"` | Overrides the image tag whose default is the chart appVersion. |
+| images.front.tag | string | `"v0.19.0@sha256:b220b047a7536ab3bd77a5a312da10a051802a674385cd50ac7df00e652c7e5e"` | Overrides the image tag whose default is the chart appVersion. |
 | images.server.args | list | `["server","start"]` | Arguments for the udash-server container. |
 | images.server.command | list | `["udash"]` | Command override for the udash-server container. |
 | images.server.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the udash-server image. |
 | images.server.repository | string | `"ghcr.io/updatecli/udash"` | Repository for the udash-server image. |
 | images.server.tag | string | `"v0.14.0@sha256:a52edcb9535d8c392a2e592bf7c3b4fc0c14ecd4b1360aa96639145038b5da75"` | Overrides the image tag whose default is the chart appVersion. |
-| ingress.annotations | object | `{}` | Annotations to add to the Ingress resource. |
+| ingress.annotations | object | `{}` | Annotations to add to the front Ingress resource. |
 | ingress.className | string | `""` | IngressClass name (Kubernetes >= 1.18). |
 | ingress.enabled | bool | `false` | Enable Ingress resource creation. |
-| ingress.hosts | list | `[{"host":"udash.local"}]` | Ingress host rules. Traffic to `/` is forwarded to udash-front; traffic to `/api` is forwarded to udash-server. |
-| ingress.tls | list | `[]` | TLS configuration for the Ingress. |
+| ingress.hosts | list | `[{"host":"udash.local"}]` | Ingress host rules for the front. Traffic is forwarded according to ingress.paths. |
+| ingress.paths.front | string | `"/"` | Path prefix for udash-front on same-host routing. |
+| ingress.paths.server | string | `"/api"` | Path prefix for udash-server on same-host routing (when ingress.server.host is empty). |
+| ingress.server.annotations | object | `{}` | Annotations to add to the server Ingress resource (e.g. rewrite-target when path differs from /api). |
+| ingress.server.host | string | `""` | Optional separate hostname for the API server. When empty (default): udash-server is routed via ingress.paths.server on each front host. When set: a second Ingress is created for this host routing to udash-server. |
+| ingress.server.path | string | `"/api"` | Path prefix for udash-server on the separate server host. |
+| ingress.server.tls | list | `[]` | TLS configuration for the server Ingress. |
+| ingress.tls | list | `[]` | TLS configuration for the front Ingress. |
 | nameOverride | string | `""` | Override for the chart name used in resource names. |
 | nodeSelector | object | `{}` | Node selector for pod scheduling. |
 | podAnnotations | object | `{}` | Annotations to add to all pods. |
@@ -116,7 +222,7 @@ helm uninstall udash
 | secrets.auth.stringdata.audience | string | `"https://udash.example/api"` | OAuth2 audience. |
 | secrets.auth.stringdata.clientid | string | `"xxx.example"` | OAuth2 client ID. |
 | secrets.auth.stringdata.issuer | string | `"https://oauth.example"` | OAuth2 issuer URL. |
-| secrets.auth.stringdata.mode | string | `"oauth"` | Authentication mode. Supported values: `oauth`. |
+| secrets.auth.stringdata.mode | string | `"none"` | Authentication mode. Supported values: `oauth`, `none`. |
 | secrets.database.annotations | object | `{}` | Annotations to add to the database Secret. |
 | secrets.database.stringdata.uri | string | `"postgres://postgres:5432/udash?sslmode=disable"` | PostgreSQL connection URI used by the udash-server. |
 | secrets.name | string | `""` | The name of the Secret used to store credentials. If not set, a name is generated using the fullname template. |

charts/udash/README.md.gotmpl

@@ -25,7 +25,24 @@ An optional **Ingress** routes:
 
 - Kubernetes 1.19+
 - Helm 3.x
-- A running **PostgreSQL** instance accessible from the cluster
+- **[CloudNative-PG operator](https://cloudnative-pg.io/)** (when `cnpg.enabled: true`, which is the default)
+
+Install the CNPG operator before installing this chart, and use `--wait` to ensure the operator
+pod is fully ready (including its admission webhook) before proceeding:
+
+```console
+helm repo add cnpg https://cloudnative-pg.github.io/charts
+helm upgrade --install cnpg \
+  --namespace cnpg-system \
+  --create-namespace \
+  cnpg/cloudnative-pg \
+  --wait
+```
+
+Without `--wait`, the operator pod may not be ready when the chart creates the `Cluster` resource,
+causing: `failed calling webhook "mcluster.cnpg.io": no endpoints available for service "cnpg-webhook-service"`.
+
+If you prefer to bring your own PostgreSQL instance, set `cnpg.enabled=false` and supply the connection URI via `secrets.database.stringdata.uri`.
 
 ## Get Repository Info
 
@@ -42,12 +59,21 @@ helm install udash updatecli/udash
 
 ## Installing the Chart
 
-### Read-only mode (default)
+### Default (CloudNative-PG managed PostgreSQL)
+
+By default the chart provisions a CNPG `Cluster` and injects credentials automatically. Just install the CNPG operator first (see Prerequisites), then:
+
+```console
+helm install udash updatecli/udash
+```
+
+### Read-only mode with external PostgreSQL
 
-In read-only mode the server runs without authentication (dry-run). No OAuth credentials are required.
+Disable CNPG and supply your own connection URI:
 
 ```console
 helm install udash updatecli/udash \
+  --set cnpg.enabled=false \
   --set secrets.database.stringdata.uri="postgres://user:pass@postgres:5432/udash?sslmode=disable"
 ```
 
@@ -58,21 +84,88 @@ Set `readonly: false` and supply your OAuth2 provider details:
 ```console
 helm install udash updatecli/udash \
   --set readonly=false \
-  --set secrets.database.stringdata.uri="postgres://user:pass@postgres:5432/udash?sslmode=disable" \
   --set secrets.auth.stringdata.clientid="my-client-id" \
   --set secrets.auth.stringdata.audience="https://udash.example/api" \
   --set secrets.auth.stringdata.issuer="https://auth.example"
 ```
 
-### With Ingress
+When using an external PostgreSQL in full mode, also set `cnpg.enabled=false` and `secrets.database.stringdata.uri`.
+
+### With Ingress (same host, default paths)
+
+Routes `udash.example.com/` to the front and `udash.example.com/api` to the server:
 
 ```console
 helm install udash updatecli/udash \
   --set ingress.enabled=true \
-  --set ingress.className=nginx \
+  --set ingress.className=traefik \
   --set "ingress.hosts[0].host=udash.example.com"
 ```
 
+### With Ingress (split domain)
+
+Routes the front and API to different hostnames. Set `front.apiBaseUrl` to the absolute API URL
+so the browser knows where to reach the server:
+
+```yaml
+front:
+  apiBaseUrl: "https://api.udash.example.com/api"
+
+ingress:
+  enabled: true
+  className: traefik
+  hosts:
+    - host: udash.example.com
+  tls:
+    - secretName: udash-tls
+      hosts: [udash.example.com]
+  server:
+    host: api.udash.example.com
+    tls:
+      - secretName: udash-api-tls
+        hosts: [api.udash.example.com]
+```
+
+### With Ingress (split domain and custom sub-paths)
+
+Serves the front at `domain.example/project` and the API at `api.domain.example/myproject`.
+When the external server sub-path differs from `/api`, Traefik requires a `Middleware` resource
+to rewrite the path to the server's internal `/api` prefix. Create the middleware first:
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: udash-api-rewrite
+  namespace: default
+spec:
+  replacePathRegex:
+    regex: "^/myproject(.*)"
+    replacement: "/api$1"
+```
+
+Then reference it via `ingress.server.annotations` (the middleware name format is
+`<namespace>-<middlewareName>@kubernetescrd`):
+
+```yaml
+front:
+  appBasePath: "/project"
+  apiBaseUrl: "https://api.domain.example/myproject"
+
+ingress:
+  enabled: true
+  className: traefik
+  hosts:
+    - host: domain.example
+  paths:
+    front: "/project"
+  server:
+    host: api.domain.example
+    path: "/myproject"
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: default-udash-api-rewrite@kubernetescrd
+```
+
 ## Uninstalling the Chart
 
 ```console

charts/udash/templates/_helpers.tpl

@@ -82,3 +82,10 @@ Create the name of the secrets use by udash agents
 {{- define "udash.secretName" -}}
 {{- default (include "udash.fullname" .) .Values.secrets.name }}
 {{- end }}
+
+{{/*
+Create the name of the CloudNative-PG cluster
+*/}}
+{{- define "udash.cnpgClusterName" -}}
+{{- printf "%s-db" (include "udash.fullname" .) }}
+{{- end }}

charts/udash/templates/cnpg-cluster.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.cnpg.enabled }}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "udash.cnpgClusterName" . }}
+  labels:
+    {{- include "udash.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cnpg.instances }}
+  bootstrap:
+    initdb:
+      database: {{ .Values.cnpg.database }}
+      owner: {{ .Values.cnpg.owner }}
+  storage:
+    size: {{ .Values.cnpg.storage.size }}
+{{- end }}

charts/udash/templates/configmap-front.yaml

@@ -15,16 +15,8 @@ data:
     {
         "OAUTH_DOMAIN": "{{ .Values.secrets.auth.stringdata.issuer }}",
         "OAUTH_CLIENTID": "{{ .Values.secrets.auth.stringdata.clientid }}",
-        "OAUTH_AUDIENCE": "{{ .Values.secrets.auth.stringdata.audience }}"
+        "OAUTH_AUDIENCE": "{{ .Values.secrets.auth.stringdata.audience }}",
+        "API_BASE_URL": "{{ .Values.front.apiBaseUrl }}",
+        "APP_BASE_PATH": "{{ .Values.front.appBasePath }}"
     }
-
-  # Config.js is used by the front application to get login information
-  config.js: |
-    const config = (() => {
-      return {
-        "OAUTH_DOMAIN": "{{ .Values.secrets.auth.stringdata.issuer }}",
-        "OAUTH_CLIENTID": "{{ .Values.secrets.auth.stringdata.clientid }}",
-        "OAUTH_AUDIENCE": "{{ .Values.secrets.auth.stringdata.audience }}"
-      };
-    })();
 {{ end }}