881 lines
36 KiB
JavaScript
Executable File
881 lines
36 KiB
JavaScript
Executable File
#!/usr/bin/env bun
|
|
import { readFileSync } from "node:fs";
|
|
import { createHash } from "node:crypto";
|
|
import { resolve } from "node:path";
|
|
|
|
function required(value, path) {
|
|
if (typeof value !== "string" || value.length === 0) throw new Error(`${path} must be a non-empty string`);
|
|
return value;
|
|
}
|
|
|
|
function record(value, path) {
|
|
if (typeof value !== "object" || value === null || Array.isArray(value)) throw new Error(`${path} must be an object`);
|
|
return value;
|
|
}
|
|
|
|
function positiveInteger(value, path) {
|
|
if (!Number.isInteger(value) || value < 1) throw new Error(`${path} must be a positive integer`);
|
|
return value;
|
|
}
|
|
|
|
function readEnvFile(path) {
|
|
const values = {};
|
|
const text = readFileSync(path, "utf8");
|
|
for (const [index, rawLine] of text.split(/\r?\n/u).entries()) {
|
|
const line = rawLine.trim();
|
|
if (line.length === 0 || line.startsWith("#")) continue;
|
|
const eq = line.indexOf("=");
|
|
if (eq <= 0) throw new Error(`${path}:${index + 1} must be KEY=value`);
|
|
values[line.slice(0, eq)] = line.slice(eq + 1);
|
|
}
|
|
return values;
|
|
}
|
|
|
|
function readLinePairCredential(path, usernameLine, passwordLine) {
|
|
const lines = readFileSync(path, "utf8").split(/\r?\n/u);
|
|
const username = (lines[usernameLine - 1] || "").trim();
|
|
const password = (lines[passwordLine - 1] || "").trim();
|
|
if (!username) throw new Error(`missing username line ${usernameLine} in ${path}`);
|
|
if (!password) throw new Error(`missing password line ${passwordLine} in ${path}`);
|
|
return { username, password };
|
|
}
|
|
|
|
function sha(value) {
|
|
return createHash("sha256").update(value).digest("hex").slice(0, 16);
|
|
}
|
|
|
|
function yamlScalar(value) {
|
|
return JSON.stringify(String(value));
|
|
}
|
|
|
|
function indent(text, spaces) {
|
|
const pad = " ".repeat(spaces);
|
|
return text.split("\n").map((line) => line.length > 0 ? `${pad}${line}` : line).join("\n");
|
|
}
|
|
|
|
function labels(config) {
|
|
const name = required(record(config.metadata, "metadata").name, "metadata.name");
|
|
return [
|
|
"app.kubernetes.io/part-of: unidesk",
|
|
`unidesk.ai/deployment: ${name}`,
|
|
`unidesk.ai/target: ${required(record(config.target, "target").id, "target.id")}`,
|
|
].join("\n");
|
|
}
|
|
|
|
function envFromSecret(secretName, keyName, envName) {
|
|
return [
|
|
`- name: ${envName}`,
|
|
" valueFrom:",
|
|
" secretKeyRef:",
|
|
` name: ${secretName}`,
|
|
` key: ${keyName}`,
|
|
].join("\n");
|
|
}
|
|
|
|
function envFromConfig(configName, keyName, envName) {
|
|
return [
|
|
`- name: ${envName}`,
|
|
" valueFrom:",
|
|
" configMapKeyRef:",
|
|
` name: ${configName}`,
|
|
` key: ${keyName}`,
|
|
].join("\n");
|
|
}
|
|
|
|
function optionalRecord(value, path) {
|
|
if (value === undefined || value === null) return null;
|
|
return record(value, path);
|
|
}
|
|
|
|
function optionalString(value, fallback) {
|
|
return typeof value === "string" && value.length > 0 ? value : fallback;
|
|
}
|
|
|
|
function removeUrlSearchParam(value, paramName) {
|
|
if (typeof value !== "string" || value.length === 0) return value;
|
|
try {
|
|
const url = new URL(value);
|
|
url.searchParams.delete(paramName);
|
|
return url.toString();
|
|
} catch {
|
|
return value
|
|
.replace(new RegExp(`([?&])${paramName}=true(&|$)`, "g"), (_match, prefix, suffix) => (prefix === "?" && suffix ? "?" : ""))
|
|
.replace(/[?&]$/, "");
|
|
}
|
|
}
|
|
|
|
function resourceBlock(resources) {
|
|
const requests = record(record(resources, "resources").requests, "resources.requests");
|
|
const limits = record(resources.limits, "resources.limits");
|
|
return [
|
|
"resources:",
|
|
" requests:",
|
|
` cpu: ${yamlScalar(required(requests.cpu, "resources.requests.cpu"))}`,
|
|
` memory: ${yamlScalar(required(requests.memory, "resources.requests.memory"))}`,
|
|
" limits:",
|
|
...(limits.cpu ? [` cpu: ${yamlScalar(limits.cpu)}`] : []),
|
|
` memory: ${yamlScalar(required(limits.memory, "resources.limits.memory"))}`,
|
|
].join("\n");
|
|
}
|
|
|
|
const configPath = process.argv[2] ?? "config/unidesk-host-k8s.yaml";
|
|
const config = Bun.YAML.parse(readFileSync(configPath, "utf8"));
|
|
const target = record(config.target, "target");
|
|
const runtime = record(config.runtime, "runtime");
|
|
const delivery = config.delivery === undefined ? null : record(config.delivery, "delivery");
|
|
const images = record(config.images, "images");
|
|
const database = record(config.database, "database");
|
|
const services = record(config.services, "services");
|
|
const backend = record(services.backendCore, "services.backendCore");
|
|
const frontend = record(services.frontend, "services.frontend");
|
|
const decisionCenter = optionalRecord(services.decisionCenter, "services.decisionCenter");
|
|
const todoNote = optionalRecord(services.todoNote, "services.todoNote");
|
|
const runtimeConfig = record(config.runtimeConfig, "runtimeConfig");
|
|
const runtimeAuth = record(config.runtimeAuth, "runtimeAuth");
|
|
const runtimeAuthSourceRef = record(runtimeAuth.sourceRef, "runtimeAuth.sourceRef");
|
|
const runtimeSecrets = record(config.runtimeSecrets, "runtimeSecrets");
|
|
const secretTarget = record(runtimeSecrets.target, "runtimeSecrets.target");
|
|
const secretKeys = record(secretTarget.keys, "runtimeSecrets.target.keys");
|
|
const namespace = required(target.namespace, "target.namespace");
|
|
const secretName = required(secretTarget.name, "runtimeSecrets.target.name");
|
|
const authSourcePath = resolve(required(runtimeAuthSourceRef.path, "runtimeAuth.sourceRef.path"));
|
|
if (required(runtimeAuthSourceRef.format, "runtimeAuth.sourceRef.format") !== "linePair") throw new Error("runtimeAuth.sourceRef.format must be linePair");
|
|
const authCredential = readLinePairCredential(
|
|
authSourcePath,
|
|
positiveInteger(runtimeAuthSourceRef.usernameLine, "runtimeAuth.sourceRef.usernameLine"),
|
|
positiveInteger(runtimeAuthSourceRef.passwordLine, "runtimeAuth.sourceRef.passwordLine"),
|
|
);
|
|
const sourcePath = resolve(required(record(runtimeSecrets.sourceRef, "runtimeSecrets.sourceRef").path, "runtimeSecrets.sourceRef.path"));
|
|
const secrets = readEnvFile(sourcePath);
|
|
secrets[secretKeys.authPassword] = authCredential.password;
|
|
const requiredSecretKeys = Object.values(secretKeys);
|
|
for (const key of requiredSecretKeys) {
|
|
if (typeof secrets[key] !== "string" || secrets[key].length === 0) throw new Error(`missing ${key} in ${sourcePath}`);
|
|
}
|
|
const secretFingerprint = sha(requiredSecretKeys.map((key) => `${key}=${secrets[key]}`).join("\n"));
|
|
const runtimeConfigName = "unidesk-runtime-config";
|
|
const deliveryServiceRef = delivery === null ? null : required(delivery.serviceRef, "delivery.serviceRef");
|
|
if (delivery !== null && delivery.enabled !== true && delivery.enabled !== false) {
|
|
throw new Error("delivery.enabled must be boolean");
|
|
}
|
|
const databaseMode = database.mode === undefined ? "k8s-postgres" : required(database.mode, "database.mode");
|
|
if (databaseMode !== "k8s-postgres" && databaseMode !== "host-native") throw new Error("database.mode must be k8s-postgres or host-native");
|
|
const dbService = required(database.serviceName, "database.serviceName");
|
|
const dbHost = databaseMode === "host-native" ? required(database.host, "database.host") : `${dbService}.${namespace}.svc.cluster.local`;
|
|
const dbPort = required(String(database.port), "database.port");
|
|
const dbName = secrets[secretKeys.postgresDb];
|
|
if (secrets[secretKeys.databaseUrl] !== `postgres://${secrets[secretKeys.postgresUser]}:${secrets[secretKeys.postgresPassword]}@${dbHost}:${dbPort}/${dbName}`) {
|
|
throw new Error(`DATABASE_URL in ${sourcePath} must target ${dbHost}:${dbPort}/${dbName}`);
|
|
}
|
|
|
|
function readServiceDatabase(service, servicePath) {
|
|
if (service === null) return null;
|
|
const database = record(service.database, `${servicePath}.database`);
|
|
const sourceRef = record(database.sourceRef, `${servicePath}.database.sourceRef`);
|
|
const sourcePath = resolve(required(sourceRef.path, `${servicePath}.database.sourceRef.path`));
|
|
const sourceKey = required(sourceRef.key, `${servicePath}.database.sourceRef.key`);
|
|
const sourceValues = readEnvFile(sourcePath);
|
|
const value = sourceValues[sourceKey];
|
|
if (typeof value !== "string" || value.length === 0) throw new Error(`missing ${sourceKey} in ${sourcePath}`);
|
|
return {
|
|
sourcePath,
|
|
sourceRefPath: required(sourceRef.path, `${servicePath}.database.sourceRef.path`),
|
|
sourceKey,
|
|
secretName: required(database.secretName, `${servicePath}.database.secretName`),
|
|
secretKey: required(database.secretKey, `${servicePath}.database.secretKey`),
|
|
value: removeUrlSearchParam(value, "uselibpqcompat"),
|
|
fingerprint: sha(`${sourceKey}=${removeUrlSearchParam(value, "uselibpqcompat")}`),
|
|
};
|
|
}
|
|
|
|
function readFileSource(sourceRef, path) {
|
|
const sourcePath = resolve(required(sourceRef.path, `${path}.path`));
|
|
const value = readFileSync(sourcePath, "utf8");
|
|
if (value.length === 0) throw new Error(`missing file content in ${sourcePath}`);
|
|
return {
|
|
sourcePath,
|
|
sourceRefPath: required(sourceRef.path, `${path}.path`),
|
|
value,
|
|
fingerprint: sha(value),
|
|
};
|
|
}
|
|
|
|
function readServiceStorage(service, servicePath) {
|
|
if (service === null) return null;
|
|
const storage = optionalRecord(service.storage, `${servicePath}.storage`);
|
|
if (storage === null) return null;
|
|
const primary = required(storage.primary, `${servicePath}.storage.primary`);
|
|
if (primary !== "postgres" && primary !== "github-repo") throw new Error(`${servicePath}.storage.primary must be postgres or github-repo`);
|
|
const github = primary === "github-repo" ? record(storage.github, `${servicePath}.storage.github`) : null;
|
|
if (github === null) return { primary };
|
|
const ssh = record(github.ssh, `${servicePath}.storage.github.ssh`);
|
|
const privateKey = record(ssh.privateKey, `${servicePath}.storage.github.ssh.privateKey`);
|
|
const knownHosts = record(ssh.knownHosts, `${servicePath}.storage.github.ssh.knownHosts`);
|
|
const privateKeySource = readFileSource(record(privateKey.sourceRef, `${servicePath}.storage.github.ssh.privateKey.sourceRef`), `${servicePath}.storage.github.ssh.privateKey.sourceRef`);
|
|
const knownHostsSource = readFileSource(record(knownHosts.sourceRef, `${servicePath}.storage.github.ssh.knownHosts.sourceRef`), `${servicePath}.storage.github.ssh.knownHosts.sourceRef`);
|
|
return {
|
|
primary,
|
|
github: {
|
|
repo: required(github.repo, `${servicePath}.storage.github.repo`),
|
|
sshUrl: required(github.sshUrl, `${servicePath}.storage.github.sshUrl`),
|
|
branch: required(github.branch, `${servicePath}.storage.github.branch`),
|
|
basePath: required(github.basePath, `${servicePath}.storage.github.basePath`),
|
|
worktreePath: required(github.worktreePath, `${servicePath}.storage.github.worktreePath`),
|
|
commitMessagePrefix: required(github.commitMessagePrefix, `${servicePath}.storage.github.commitMessagePrefix`),
|
|
author: {
|
|
name: required(record(github.author, `${servicePath}.storage.github.author`).name, `${servicePath}.storage.github.author.name`),
|
|
email: required(record(github.author, `${servicePath}.storage.github.author`).email, `${servicePath}.storage.github.author.email`),
|
|
},
|
|
ssh: {
|
|
secretName: required(ssh.secretName, `${servicePath}.storage.github.ssh.secretName`),
|
|
mountPath: required(ssh.mountPath, `${servicePath}.storage.github.ssh.mountPath`),
|
|
privateKeyKey: required(privateKey.secretKey, `${servicePath}.storage.github.ssh.privateKey.secretKey`),
|
|
knownHostsKey: required(knownHosts.secretKey, `${servicePath}.storage.github.ssh.knownHosts.secretKey`),
|
|
privateKeySource,
|
|
knownHostsSource,
|
|
fingerprint: sha(`${privateKeySource.fingerprint}\n${knownHostsSource.fingerprint}`),
|
|
},
|
|
},
|
|
};
|
|
}
|
|
|
|
function managedMicroservice(service, servicePath, id, name, description) {
|
|
return {
|
|
id,
|
|
name,
|
|
providerId: required(target.id, "target.id"),
|
|
description,
|
|
repository: {
|
|
url: required(record(service.repository, `${servicePath}.repository`).url, `${servicePath}.repository.url`),
|
|
commitId: required(runtime.commit, "runtime.commit"),
|
|
dockerfile: required(record(service.repository, `${servicePath}.repository`).dockerfile, `${servicePath}.repository.dockerfile`),
|
|
composeFile: required(runtime.deployRef, "runtime.deployRef"),
|
|
composeService: required(service.deploymentName, `${servicePath}.deploymentName`),
|
|
containerName: required(service.containerName, `${servicePath}.containerName`),
|
|
},
|
|
backend: {
|
|
nodeBaseUrl: `http://${required(service.serviceName, `${servicePath}.serviceName`)}.${namespace}.svc.cluster.local:${required(String(service.containerPort), `${servicePath}.containerPort`)}`,
|
|
nodeBindHost: `${required(service.serviceName, `${servicePath}.serviceName`)}.${namespace}.svc.cluster.local`,
|
|
nodePort: positiveInteger(service.containerPort, `${servicePath}.containerPort`),
|
|
proxyMode: "cluster-service-http",
|
|
frontendOnly: true,
|
|
public: false,
|
|
allowedMethods: ["GET", "HEAD", "POST", "PUT", "DELETE"],
|
|
allowedPathPrefixes: ["/health", "/live", "/logs", "/api/"],
|
|
healthPath: required(service.healthPath, `${servicePath}.healthPath`),
|
|
timeoutMs: 30000,
|
|
},
|
|
development: {
|
|
providerId: required(target.id, "target.id"),
|
|
sshPassthrough: true,
|
|
worktreePath: required(record(service.repository, `${servicePath}.repository`).worktreePath, `${servicePath}.repository.worktreePath`),
|
|
},
|
|
frontend: {
|
|
route: required(record(service.frontend, `${servicePath}.frontend`).route, `${servicePath}.frontend.route`),
|
|
integrated: record(service.frontend, `${servicePath}.frontend`).integrated !== false,
|
|
},
|
|
deployment: {
|
|
mode: "internal-sidecar",
|
|
namespace,
|
|
expectedNodeIds: [required(target.id, "target.id")],
|
|
activeNodeId: required(target.id, "target.id"),
|
|
},
|
|
};
|
|
}
|
|
|
|
const decisionCenterDatabase = readServiceDatabase(decisionCenter, "services.decisionCenter");
|
|
const decisionCenterStorage = readServiceStorage(decisionCenter, "services.decisionCenter");
|
|
const todoNoteDatabase = readServiceDatabase(todoNote, "services.todoNote");
|
|
const todoNoteStorage = readServiceStorage(todoNote, "services.todoNote");
|
|
const configuredMicroservices = JSON.parse(required(runtimeConfig.microservicesJson, "runtimeConfig.microservicesJson"));
|
|
if (!Array.isArray(configuredMicroservices)) throw new Error("runtimeConfig.microservicesJson must encode an array");
|
|
const managedMicroservices = [
|
|
...(decisionCenter === null ? [] : [managedMicroservice(decisionCenter, "services.decisionCenter", "decision-center", "Decision Center", "NC01 YAML-first Decision Center for decisions, requirements, meetings, and work diaries.")]),
|
|
...(todoNote === null ? [] : [managedMicroservice(todoNote, "services.todoNote", "todo-note", "Todo Note", "NC01 YAML-first Todo Note backed by the shared decision-center-data GitHub repository.")]),
|
|
];
|
|
const managedIds = new Set(managedMicroservices.map((service) => service.id));
|
|
const effectiveMicroservicesJson = JSON.stringify([
|
|
...configuredMicroservices.filter((service) => typeof service !== "object" || service === null || !managedIds.has(service.id)),
|
|
...managedMicroservices,
|
|
]);
|
|
const runtimeConfigFingerprint = sha(JSON.stringify({ ...runtimeConfig, microservicesJson: effectiveMicroservicesJson }));
|
|
|
|
const docs = [];
|
|
docs.push(`apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}`);
|
|
docs.push(`apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: ${secretName}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
annotations:
|
|
unidesk.ai/source-ref: ${yamlScalar(required(record(runtimeSecrets.sourceRef, "runtimeSecrets.sourceRef").path, "runtimeSecrets.sourceRef.path"))}
|
|
unidesk.ai/fingerprint: ${yamlScalar(secretFingerprint)}
|
|
type: Opaque
|
|
stringData:
|
|
${indent(requiredSecretKeys.map((key) => `${key}: ${yamlScalar(secrets[key])}`).join("\n"), 2)}`);
|
|
docs.push(`apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: ${runtimeConfigName}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
data:
|
|
UNIDESK_ENV: ${yamlScalar(required(runtime.environment, "runtime.environment"))}
|
|
UNIDESK_NAMESPACE: ${yamlScalar(namespace)}
|
|
UNIDESK_DEPLOY_REF: ${yamlScalar(required(runtime.deployRef, "runtime.deployRef"))}
|
|
UNIDESK_DEPLOY_REPO: ${yamlScalar(required(runtime.repository, "runtime.repository"))}
|
|
UNIDESK_DEPLOY_COMMIT: ${yamlScalar(required(runtime.commit, "runtime.commit"))}
|
|
UNIDESK_DEPLOY_REQUESTED_COMMIT: ${yamlScalar(required(runtime.commit, "runtime.commit"))}
|
|
UNIDESK_DATABASE_NAME: ${yamlScalar(dbName)}
|
|
UNIDESK_DATABASE_MODE: ${yamlScalar(databaseMode)}
|
|
UNIDESK_DATABASE_HOST: ${yamlScalar(dbHost)}
|
|
UNIDESK_DATABASE_PORT: ${yamlScalar(dbPort)}
|
|
DATABASE_VOLUME_NAME: ${yamlScalar(required(database.pvcName, "database.pvcName"))}
|
|
DATABASE_VOLUME_SIZE: ${yamlScalar(required(database.storageSize, "database.storageSize"))}
|
|
HEARTBEAT_TIMEOUT_MS: ${yamlScalar(required(runtimeConfig.heartBeatTimeoutMs, "runtimeConfig.heartBeatTimeoutMs"))}
|
|
TASK_PENDING_TIMEOUT_MS: ${yamlScalar(required(runtimeConfig.taskPendingTimeoutMs, "runtimeConfig.taskPendingTimeoutMs"))}
|
|
DATABASE_POOL_MAX: ${yamlScalar(required(runtimeConfig.databasePoolMax, "runtimeConfig.databasePoolMax"))}
|
|
SESSION_TTL_SECONDS: ${yamlScalar(required(runtimeConfig.sessionTtlSeconds, "runtimeConfig.sessionTtlSeconds"))}
|
|
AUTH_USERNAME: ${yamlScalar(authCredential.username)}
|
|
UNIDESK_SSH_CLIENT_ROUTE_ALLOWLIST: ${yamlScalar(required(runtimeConfig.sshClientRouteAllowlist, "runtimeConfig.sshClientRouteAllowlist"))}
|
|
MICROSERVICES_JSON: ${yamlScalar(effectiveMicroservicesJson)}
|
|
NO_PROXY: ${yamlScalar(required(runtime.noProxy, "runtime.noProxy"))}
|
|
no_proxy: ${yamlScalar(required(runtime.noProxy, "runtime.noProxy"))}`);
|
|
const serviceDatabaseSecrets = new Map();
|
|
for (const databaseSecret of [decisionCenterDatabase, todoNoteDatabase].filter(Boolean)) {
|
|
const existing = serviceDatabaseSecrets.get(databaseSecret.secretName);
|
|
if (existing !== undefined && (existing.secretKey !== databaseSecret.secretKey || existing.value !== databaseSecret.value)) {
|
|
throw new Error(`conflicting managed service database Secret: ${databaseSecret.secretName}`);
|
|
}
|
|
serviceDatabaseSecrets.set(databaseSecret.secretName, databaseSecret);
|
|
}
|
|
for (const databaseSecret of serviceDatabaseSecrets.values()) {
|
|
docs.push(`apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: ${databaseSecret.secretName}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
annotations:
|
|
unidesk.ai/source-ref: ${yamlScalar(databaseSecret.sourceRefPath)}
|
|
unidesk.ai/fingerprint: ${yamlScalar(databaseSecret.fingerprint)}
|
|
type: Opaque
|
|
stringData:
|
|
${databaseSecret.secretKey}: ${yamlScalar(databaseSecret.value)}`);
|
|
}
|
|
const serviceGitSecrets = new Map();
|
|
for (const storage of [decisionCenterStorage, todoNoteStorage]) {
|
|
if (storage?.github === undefined) continue;
|
|
const gitSecret = storage.github.ssh;
|
|
const existing = serviceGitSecrets.get(gitSecret.secretName);
|
|
if (existing !== undefined && (
|
|
existing.privateKeyKey !== gitSecret.privateKeyKey
|
|
|| existing.knownHostsKey !== gitSecret.knownHostsKey
|
|
|| existing.privateKeySource.value !== gitSecret.privateKeySource.value
|
|
|| existing.knownHostsSource.value !== gitSecret.knownHostsSource.value
|
|
)) {
|
|
throw new Error(`conflicting managed service Git SSH Secret: ${gitSecret.secretName}`);
|
|
}
|
|
serviceGitSecrets.set(gitSecret.secretName, gitSecret);
|
|
}
|
|
for (const gitSecret of serviceGitSecrets.values()) {
|
|
docs.push(`apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: ${gitSecret.secretName}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
annotations:
|
|
unidesk.ai/private-key-source-ref: ${yamlScalar(gitSecret.privateKeySource.sourceRefPath)}
|
|
unidesk.ai/known-hosts-source-ref: ${yamlScalar(gitSecret.knownHostsSource.sourceRefPath)}
|
|
unidesk.ai/fingerprint: ${yamlScalar(gitSecret.fingerprint)}
|
|
type: Opaque
|
|
stringData:
|
|
${gitSecret.privateKeyKey}: ${yamlScalar(gitSecret.privateKeySource.value)}
|
|
${gitSecret.knownHostsKey}: ${yamlScalar(gitSecret.knownHostsSource.value)}`);
|
|
}
|
|
if (databaseMode === "k8s-postgres") {
|
|
docs.push(`apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: ${required(database.pvcName, "database.pvcName")}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
storageClassName: ${required(database.storageClassName, "database.storageClassName")}
|
|
resources:
|
|
requests:
|
|
storage: ${required(database.storageSize, "database.storageSize")}`);
|
|
docs.push(`apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: unidesk-db-init
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
data:
|
|
001_unidesk_init.sql: |
|
|
${indent(readFileSync("src/components/database/init/001_unidesk_init.sql", "utf8"), 4)}`);
|
|
docs.push(`apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: ${dbService}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app.kubernetes.io/name: database
|
|
ports:
|
|
- name: pg
|
|
port: ${database.port}
|
|
targetPort: pg`);
|
|
docs.push(`apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: database
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: database
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: database
|
|
app.kubernetes.io/part-of: unidesk
|
|
annotations:
|
|
unidesk.ai/secret-fingerprint: ${yamlScalar(secretFingerprint)}
|
|
unidesk.ai/runtime-config-fingerprint: ${yamlScalar(runtimeConfigFingerprint)}
|
|
spec:
|
|
securityContext:
|
|
fsGroup: 70
|
|
containers:
|
|
- name: postgres
|
|
image: ${required(images.postgres, "images.postgres")}
|
|
imagePullPolicy: IfNotPresent
|
|
ports:
|
|
- name: pg
|
|
containerPort: ${database.port}
|
|
env:
|
|
${indent(envFromSecret(secretName, secretKeys.postgresUser, "POSTGRES_USER"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.postgresPassword, "POSTGRES_PASSWORD"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.postgresDb, "POSTGRES_DB"), 12)}
|
|
volumeMounts:
|
|
- name: data
|
|
mountPath: /var/lib/postgresql/data
|
|
- name: init
|
|
mountPath: /docker-entrypoint-initdb.d
|
|
readOnly: true
|
|
readinessProbe:
|
|
exec:
|
|
command: ["sh", "-ec", "pg_isready -U \\"$POSTGRES_USER\\" -d \\"$POSTGRES_DB\\""]
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 18
|
|
startupProbe:
|
|
exec:
|
|
command: ["sh", "-ec", "pg_isready -U \\"$POSTGRES_USER\\" -d \\"$POSTGRES_DB\\""]
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 60
|
|
${indent(resourceBlock(database.resources), 10)}
|
|
volumes:
|
|
- name: data
|
|
persistentVolumeClaim:
|
|
claimName: ${required(database.pvcName, "database.pvcName")}
|
|
- name: init
|
|
configMap:
|
|
name: unidesk-db-init`);
|
|
}
|
|
docs.push(`apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: ${required(backend.serviceName, "services.backendCore.serviceName")}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app.kubernetes.io/name: backend-core
|
|
ports:
|
|
- name: http
|
|
port: ${backend.containerPort}
|
|
targetPort: http
|
|
- name: provider
|
|
port: ${backend.providerPort}
|
|
targetPort: provider
|
|
- name: provider-data
|
|
port: ${backend.providerDataPort}
|
|
targetPort: provider-data`);
|
|
docs.push(`apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: ${required(backend.providerPublicServiceName, "services.backendCore.providerPublicServiceName")}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
type: LoadBalancer
|
|
selector:
|
|
app.kubernetes.io/name: backend-core
|
|
ports:
|
|
- name: provider
|
|
port: ${backend.providerPublicPort}
|
|
targetPort: provider
|
|
- name: provider-data
|
|
port: ${backend.providerDataPublicPort}
|
|
targetPort: provider-data`);
|
|
docs.push(`apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: ${required(backend.deploymentName, "services.backendCore.deploymentName")}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: backend-core
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: backend-core
|
|
app.kubernetes.io/part-of: unidesk
|
|
annotations:
|
|
unidesk.ai/secret-fingerprint: ${yamlScalar(secretFingerprint)}
|
|
unidesk.ai/runtime-config-fingerprint: ${yamlScalar(runtimeConfigFingerprint)}
|
|
spec:
|
|
initContainers:
|
|
- name: wait-database
|
|
image: ${required(images.postgres, "images.postgres")}
|
|
imagePullPolicy: IfNotPresent
|
|
env:
|
|
- name: PGHOST
|
|
value: ${yamlScalar(dbHost)}
|
|
- name: PGPORT
|
|
value: ${yamlScalar(dbPort)}
|
|
${indent(envFromSecret(secretName, secretKeys.postgresUser, "PGUSER"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.postgresPassword, "PGPASSWORD"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.postgresDb, "PGDATABASE"), 12)}
|
|
command: ["sh", "-ec", "until pg_isready -h \\"$PGHOST\\" -p \\"$PGPORT\\" -U \\"$PGUSER\\" -d \\"$PGDATABASE\\" >/dev/null 2>&1; do sleep 2; done"]
|
|
containers:
|
|
- name: backend-core
|
|
image: ${required(images.backendCore, "images.backendCore")}
|
|
imagePullPolicy: IfNotPresent
|
|
ports:
|
|
- name: http
|
|
containerPort: ${backend.containerPort}
|
|
- name: provider
|
|
containerPort: ${backend.providerPort}
|
|
- name: provider-data
|
|
containerPort: ${backend.providerDataPort}
|
|
envFrom:
|
|
- configMapRef:
|
|
name: ${runtimeConfigName}
|
|
env:
|
|
- name: PORT
|
|
value: ${yamlScalar(backend.containerPort)}
|
|
- name: PROVIDER_PORT
|
|
value: ${yamlScalar(backend.providerPort)}
|
|
- name: PROVIDER_DATA_PORT
|
|
value: ${yamlScalar(backend.providerDataPort)}
|
|
${indent(envFromSecret(secretName, secretKeys.databaseUrl, "DATABASE_URL"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.providerToken, "PROVIDER_TOKEN"), 12)}
|
|
- name: LOG_FILE
|
|
value: ${yamlScalar(required(backend.logFile, "services.backendCore.logFile"))}
|
|
volumeMounts:
|
|
- name: logs
|
|
mountPath: /var/log/unidesk
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: http
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 20
|
|
startupProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: http
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 60
|
|
${indent(resourceBlock(backend.resources), 10)}
|
|
volumes:
|
|
- name: logs
|
|
emptyDir: {}`);
|
|
function managedStorageEnv(envPrefix, storage) {
|
|
const lines = [
|
|
`- name: ${envPrefix}_STORAGE_PRIMARY`,
|
|
` value: ${yamlScalar(storage?.primary ?? "postgres")}`,
|
|
];
|
|
if (storage?.github === undefined) return lines.join("\n");
|
|
lines.push(
|
|
`- name: ${envPrefix}_GIT_REPO`,
|
|
` value: ${yamlScalar(storage.github.repo)}`,
|
|
`- name: ${envPrefix}_GIT_REPO_SSH_URL`,
|
|
` value: ${yamlScalar(storage.github.sshUrl)}`,
|
|
`- name: ${envPrefix}_GIT_BRANCH`,
|
|
` value: ${yamlScalar(storage.github.branch)}`,
|
|
`- name: ${envPrefix}_GIT_BASE_PATH`,
|
|
` value: ${yamlScalar(storage.github.basePath)}`,
|
|
`- name: ${envPrefix}_GIT_WORKTREE`,
|
|
` value: ${yamlScalar(storage.github.worktreePath)}`,
|
|
`- name: ${envPrefix}_GIT_AUTHOR_NAME`,
|
|
` value: ${yamlScalar(storage.github.author.name)}`,
|
|
`- name: ${envPrefix}_GIT_AUTHOR_EMAIL`,
|
|
` value: ${yamlScalar(storage.github.author.email)}`,
|
|
`- name: ${envPrefix}_GIT_COMMIT_PREFIX`,
|
|
` value: ${yamlScalar(storage.github.commitMessagePrefix)}`,
|
|
"- name: GIT_SSH_COMMAND",
|
|
` value: ${yamlScalar(`ssh -i ${storage.github.ssh.mountPath}/${storage.github.ssh.privateKeyKey} -o UserKnownHostsFile=${storage.github.ssh.mountPath}/${storage.github.ssh.knownHostsKey} -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes`)}`,
|
|
);
|
|
return lines.join("\n");
|
|
}
|
|
|
|
function appendManagedServiceDeployment({ service, servicePath, serviceId, imageKey, envPrefix, databaseConfig, storageConfig }) {
|
|
if (service === null) return;
|
|
if (deliveryServiceRef === servicePath) return;
|
|
if (databaseConfig === null) throw new Error(`${servicePath}.database is required`);
|
|
const github = storageConfig?.github;
|
|
docs.push(`apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: ${required(service.serviceName, `${servicePath}.serviceName`)}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
app.kubernetes.io/name: ${serviceId}
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app.kubernetes.io/name: ${serviceId}
|
|
ports:
|
|
- name: http
|
|
port: ${positiveInteger(service.containerPort, `${servicePath}.containerPort`)}
|
|
targetPort: http`);
|
|
docs.push(`apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: ${required(service.deploymentName, `${servicePath}.deploymentName`)}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
app.kubernetes.io/name: ${serviceId}
|
|
spec:
|
|
replicas: ${positiveInteger(service.replicas, `${servicePath}.replicas`)}
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: ${serviceId}
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: ${serviceId}
|
|
app.kubernetes.io/part-of: unidesk
|
|
annotations:
|
|
unidesk.ai/secret-fingerprint: ${yamlScalar(databaseConfig.fingerprint)}
|
|
unidesk.ai/storage-secret-fingerprint: ${yamlScalar(github?.ssh.fingerprint ?? "")}
|
|
unidesk.ai/runtime-config-fingerprint: ${yamlScalar(runtimeConfigFingerprint)}
|
|
spec:
|
|
initContainers:
|
|
- name: wait-database
|
|
image: ${required(images.postgres, "images.postgres")}
|
|
imagePullPolicy: IfNotPresent
|
|
env:
|
|
- name: DATABASE_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: ${databaseConfig.secretName}
|
|
key: ${databaseConfig.secretKey}
|
|
command: ["sh", "-ec", "db_url=\\"$(printf '%s' \\"$DATABASE_URL\\" | sed 's/[?&]uselibpqcompat=true//g')\\"; until psql \\"$db_url\\" -Atqc 'SELECT 1' >/dev/null 2>&1; do sleep 2; done"]
|
|
containers:
|
|
- name: ${required(service.containerName, `${servicePath}.containerName`)}
|
|
image: ${required(images[imageKey], `images.${imageKey}`)}
|
|
imagePullPolicy: IfNotPresent
|
|
ports:
|
|
- name: http
|
|
containerPort: ${positiveInteger(service.containerPort, `${servicePath}.containerPort`)}
|
|
env:
|
|
- name: HOST
|
|
value: "0.0.0.0"
|
|
- name: PORT
|
|
value: ${yamlScalar(service.containerPort)}
|
|
- name: DATABASE_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: ${databaseConfig.secretName}
|
|
key: ${databaseConfig.secretKey}
|
|
- name: DATABASE_POOL_MAX
|
|
value: ${yamlScalar(required(runtimeConfig.databasePoolMax, "runtimeConfig.databasePoolMax"))}
|
|
- name: UNIDESK_DEPLOY_SERVICE_ID
|
|
value: ${yamlScalar(serviceId)}
|
|
- name: UNIDESK_DEPLOY_REPO
|
|
value: ${yamlScalar(required(record(service.repository, `${servicePath}.repository`).url, `${servicePath}.repository.url`))}
|
|
- name: UNIDESK_DEPLOY_COMMIT
|
|
value: ${yamlScalar(required(runtime.commit, "runtime.commit"))}
|
|
- name: UNIDESK_DEPLOY_REQUESTED_COMMIT
|
|
value: ${yamlScalar(required(runtime.commit, "runtime.commit"))}
|
|
- name: LOG_FILE
|
|
value: ${yamlScalar(required(service.logFile, `${servicePath}.logFile`))}
|
|
${indent(managedStorageEnv(envPrefix, storageConfig), 12)}
|
|
volumeMounts:
|
|
- name: logs
|
|
mountPath: /var/log/unidesk
|
|
${github === undefined ? "" : indent(`- name: github-ssh
|
|
mountPath: ${yamlScalar(github.ssh.mountPath)}
|
|
readOnly: true`, 12)}
|
|
readinessProbe:
|
|
httpGet:
|
|
path: ${required(service.healthPath, `${servicePath}.healthPath`)}
|
|
port: http
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 18
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /live
|
|
port: http
|
|
periodSeconds: 10
|
|
timeoutSeconds: 3
|
|
failureThreshold: 6
|
|
startupProbe:
|
|
httpGet:
|
|
path: /live
|
|
port: http
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 30
|
|
${indent(resourceBlock(service.resources), 10)}
|
|
volumes:
|
|
- name: logs
|
|
emptyDir: {}
|
|
${github === undefined ? "" : indent(`- name: github-ssh
|
|
secret:
|
|
secretName: ${github.ssh.secretName}
|
|
defaultMode: 0400`, 8)}`);
|
|
}
|
|
|
|
appendManagedServiceDeployment({
|
|
service: decisionCenter,
|
|
servicePath: "services.decisionCenter",
|
|
serviceId: "decision-center",
|
|
imageKey: "decisionCenter",
|
|
envPrefix: "DECISION_CENTER",
|
|
databaseConfig: decisionCenterDatabase,
|
|
storageConfig: decisionCenterStorage,
|
|
});
|
|
appendManagedServiceDeployment({
|
|
service: todoNote,
|
|
servicePath: "services.todoNote",
|
|
serviceId: "todo-note",
|
|
imageKey: "todoNote",
|
|
envPrefix: "TODO_NOTE",
|
|
databaseConfig: todoNoteDatabase,
|
|
storageConfig: todoNoteStorage,
|
|
});
|
|
docs.push(`apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: ${required(frontend.serviceName, "services.frontend.serviceName")}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
type: LoadBalancer
|
|
selector:
|
|
app.kubernetes.io/name: frontend
|
|
ports:
|
|
- name: http
|
|
port: ${frontend.publicPort}
|
|
targetPort: http`);
|
|
docs.push(`apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: ${required(frontend.deploymentName, "services.frontend.deploymentName")}
|
|
namespace: ${namespace}
|
|
labels:
|
|
${indent(labels(config), 4)}
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: frontend
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: frontend
|
|
app.kubernetes.io/part-of: unidesk
|
|
annotations:
|
|
unidesk.ai/secret-fingerprint: ${yamlScalar(secretFingerprint)}
|
|
unidesk.ai/runtime-config-fingerprint: ${yamlScalar(runtimeConfigFingerprint)}
|
|
spec:
|
|
containers:
|
|
- name: frontend
|
|
image: ${required(images.frontend, "images.frontend")}
|
|
imagePullPolicy: IfNotPresent
|
|
ports:
|
|
- name: http
|
|
containerPort: ${frontend.containerPort}
|
|
envFrom:
|
|
- configMapRef:
|
|
name: ${runtimeConfigName}
|
|
env:
|
|
- name: PORT
|
|
value: ${yamlScalar(frontend.containerPort)}
|
|
- name: CORE_INTERNAL_URL
|
|
value: ${yamlScalar(`http://${backend.serviceName}.${namespace}.svc.cluster.local:${backend.containerPort}`)}
|
|
- name: FRONTEND_PUBLIC_URL
|
|
value: ${yamlScalar(`http://${runtime.publicHost}:${frontend.publicPort}`)}
|
|
- name: PROVIDER_INGRESS_PUBLIC_URL
|
|
value: ${yamlScalar(`ws://${runtime.publicHost}:${backend.providerPort}/ws/provider`)}
|
|
${indent(envFromConfig(runtimeConfigName, "AUTH_USERNAME", "AUTH_USERNAME"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.authPassword, "AUTH_PASSWORD"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.providerToken, "PROVIDER_TOKEN"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.sshClientToken, "UNIDESK_SSH_CLIENT_TOKEN"), 12)}
|
|
${indent(envFromSecret(secretName, secretKeys.sessionSecret, "SESSION_SECRET"), 12)}
|
|
- name: LOG_FILE
|
|
value: ${yamlScalar(required(frontend.logFile, "services.frontend.logFile"))}
|
|
volumeMounts:
|
|
- name: logs
|
|
mountPath: /var/log/unidesk
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: http
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 20
|
|
startupProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: http
|
|
periodSeconds: 5
|
|
timeoutSeconds: 3
|
|
failureThreshold: 60
|
|
${indent(resourceBlock(frontend.resources), 10)}
|
|
volumes:
|
|
- name: logs
|
|
emptyDir: {}`);
|
|
|
|
process.stdout.write(`${docs.join("\n---\n")}\n`);
|