diff --git a/loomio/db-init-job.yaml b/loomio/db-init-job.yaml
index 020d9f6..60dc44f 100644
--- a/loomio/db-init-job.yaml
+++ b/loomio/db-init-job.yaml
@@ -8,57 +8,48 @@ spec: restartPolicy: OnFailure containers: - name: db-init - image: postgres:15-alpine + image: {{ .image }} + command: + - /bin/bash + - -c + - | + set -e + echo "Initializing Loomio database..." + # Patch schema.rb to use IF NOT EXISTS for pghero schema + sed -i 's/create_schema "pghero"/execute "CREATE SCHEMA IF NOT EXISTS pghero"/g' db/schema.rb + bundle exec rake db:schema:load db:seed + echo "Database initialization complete" env: - - name: PGHOST - value: "{{ .db.host }}" - - name: PGPORT - value: "{{ .db.port }}" - - name: PGUSER - value: postgres - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: postgres-secrets - key: postgres.password - - name: LOOMIO_DB_NAME - value: "{{ .db.name }}" - - name: LOOMIO_DB_USER - value: "{{ .db.user }}" - - name: LOOMIO_DB_PASSWORD + - name: RAILS_ENV + value: production + - name: DATABASE_URL valueFrom: secretKeyRef: name: loomio-secrets - key: dbPassword - command: - - sh - - -c - - | - echo "Creating database and user for Loomio..." - - # Check if database exists, create if not - psql -tc "SELECT 1 FROM pg_database WHERE datname = '$LOOMIO_DB_NAME'" | grep -q 1 || \ - psql -c "CREATE DATABASE \"$LOOMIO_DB_NAME\"" - - # Check if user exists, create or update password - psql -tc "SELECT 1 FROM pg_user WHERE usename = '$LOOMIO_DB_USER'" | grep -q 1 && \ - psql -c "ALTER USER \"$LOOMIO_DB_USER\" WITH PASSWORD '$LOOMIO_DB_PASSWORD'" || \ - psql -c "CREATE USER \"$LOOMIO_DB_USER\" WITH PASSWORD '$LOOMIO_DB_PASSWORD'" - - # Grant all privileges - psql -c "GRANT ALL PRIVILEGES ON DATABASE \"$LOOMIO_DB_NAME\" TO \"$LOOMIO_DB_USER\"" - - # Connect to the database and grant schema permissions - psql -d "$LOOMIO_DB_NAME" -c "GRANT ALL ON SCHEMA public TO \"$LOOMIO_DB_USER\"" - - echo "Database initialization complete!" 
+ key: dbUrl + - name: REDIS_URL + value: {{ .redisUrl }} + - name: DEVISE_SECRET + valueFrom: + secretKeyRef: + name: loomio-secrets + key: deviseSecret + - name: SECRET_COOKIE_TOKEN + valueFrom: + secretKeyRef: + name: loomio-secrets + key: secretCookieToken securityContext: - runAsNonRoot: true - runAsUser: 999 # postgres user - runAsGroup: 999 + runAsNonRoot: false + runAsUser: 0 allowPrivilegeEscalation: false capabilities: drop: [ALL] - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false seccompProfile: - type: RuntimeDefault \ No newline at end of file + type: RuntimeDefault + securityContext: + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/loomio/deployment-worker.yaml b/loomio/deployment-worker.yaml index cdd67b7..29b1720 100644 --- a/loomio/deployment-worker.yaml +++ b/loomio/deployment-worker.yaml @@ -66,6 +66,8 @@ spec: value: "{{ .smtp.tls }}" - name: REPLY_HOSTNAME value: {{ .smtp.from }} + - name: BUNDLE_APP_CONFIG + value: /loomio/tmp/.bundle volumeMounts: - name: uploads mountPath: /loomio/public/system @@ -73,6 +75,8 @@ spec: mountPath: /loomio/storage - name: tmp mountPath: /loomio/tmp + - name: log + mountPath: /loomio/log resources: requests: memory: 256Mi @@ -81,9 +85,8 @@ spec: memory: 1Gi cpu: 500m securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 + runAsNonRoot: false + runAsUser: 0 allowPrivilegeEscalation: false capabilities: drop: [ALL] @@ -98,4 +101,6 @@ spec: persistentVolumeClaim: claimName: loomio-storage - name: tmp + emptyDir: {} + - name: log emptyDir: {} \ No newline at end of file diff --git a/loomio/deployment.yaml b/loomio/deployment.yaml index 8c54136..d5f8620 100644 --- a/loomio/deployment.yaml +++ b/loomio/deployment.yaml 
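Review bot: The db-init Job now runs as uid 0 with a writable root filesystem (both the container and the new pod-level `securityContext`) apparently only so that `sed -i` can rewrite `db/schema.rb` inside the image; the previous `runAsNonRoot: true` / `readOnlyRootFilesystem: true` settings can be kept by writing the patched schema somewhere writable and pointing Rails at it, e.g. `sed 's/create_schema "pghero"/execute "CREATE SCHEMA IF NOT EXISTS pghero"/g' db/schema.rb > /tmp/schema.rb` followed by `SCHEMA=/tmp/schema.rb bundle exec rake db:schema:load db:seed`, with an emptyDir mounted on `/tmp`. The pod-level `securityContext` duplicates the container one and should lose `runAsUser: 0` as well. Separately, `db:schema:load` against a database that already has tables is destructive if the generated schema.rb uses `force: :cascade` (the Rails default for generated schemas) — worth confirming this Job only ever targets a fresh database, or using `db:prepare` instead. Minor: `value: {{ .redisUrl }}` should be quoted like the file's other templated scalars.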
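Review bot: The worker's securityContext hunk replaces `runAsNonRoot: true` / `runAsUser: 1000` / `runAsGroup: 1000` with `runAsUser: 0`, but nothing visible in this file's hunks needs root: the new `log` emptyDir and `BUNDLE_APP_CONFIG=/loomio/tmp/.bundle` already give the process its writable paths. If the remaining problem is ownership of the `uploads`/`storage` PVC mounts, `fsGroup: 1000` on the pod securityContext alongside the restored `runAsUser: 1000` is the non-root fix. With all capabilities dropped, uid 0 buys no functionality here and only widens the blast radius of a compromised worker, so I'd restore the three original lines and mount an emptyDir over any specific path that still fails.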
@@ -15,6 +15,13 @@ spec: containers: - name: loomio image: {{ .image }} + command: + - /bin/bash + - -c + - | + set -e + bundle exec rake db:schema:load db:seed + bundle exec thrust puma -C config/puma.rb ports: - containerPort: 3000 name: http @@ -73,10 +80,12 @@ spec: secretKeyRef: name: loomio-secrets key: smtpPassword - - name: SMTP_USE_SSL - value: "{{ .smtp.tls }}" - name: REPLY_HOSTNAME value: {{ .smtp.from }} + - name: CHANNELS_URI + value: wss://{{ .domain }} + - name: BUNDLE_APP_CONFIG + value: /loomio/tmp/.bundle volumeMounts: - name: uploads mountPath: /loomio/public/system @@ -84,6 +93,8 @@ spec: mountPath: /loomio/storage - name: tmp mountPath: /loomio/tmp + - name: log + mountPath: /loomio/log resources: requests: memory: 512Mi @@ -92,21 +103,18 @@ spec: memory: 2Gi cpu: 1000m livenessProbe: - httpGet: - path: /health + tcpSocket: port: 3000 initialDelaySeconds: 60 periodSeconds: 30 readinessProbe: - httpGet: - path: /health + tcpSocket: port: 3000 initialDelaySeconds: 30 periodSeconds: 10 securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 + runAsNonRoot: false + runAsUser: 0 allowPrivilegeEscalation: false capabilities: drop: [ALL] @@ -121,4 +129,6 @@ spec: persistentVolumeClaim: claimName: loomio-storage - name: tmp + emptyDir: {} + - name: log emptyDir: {} \ No newline at end of file diff --git a/loomio/manifest.yaml b/loomio/manifest.yaml index 3b7013e..37a4777 100644 --- a/loomio/manifest.yaml +++ b/loomio/manifest.yaml @@ -10,8 +10,8 @@ requires: defaultConfig: namespace: loomio externalDnsDomain: "{{ .cloud.domain }}" - image: loomio/loomio:v3.0.11 - workerImage: loomio/loomio:v3.0.11 + image: loomio/loomio:latest + workerImage: loomio/loomio:latest appName: Loomio domain: "loomio.{{ .cloud.domain }}" tlsSecretName: wildcard-wild-cloud-tls 
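Review bot: Putting `bundle exec rake db:schema:load db:seed` in the web container's `command` means every pod start and every replica reloads the schema and reseeds before puma comes up; if the generated schema.rb uses `force: :cascade` (the Rails default), `db:schema:load` drops and recreates the tables, so a rolling restart would wipe user data, and concurrent replicas would race each other on the same statements. The db-init Job in this same change already performs this step, so the deployment should run only `bundle exec thrust puma -C config/puma.rb`, or at most the idempotent `bundle exec rake db:prepare`. With `set -e`, any rake failure also leaves the web pod crash-looping instead of serving.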
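Review bot: `SMTP_USE_SSL` is removed from the web deployment but kept in deployment-worker.yaml (its `value: "{{ .smtp.tls }}"` line is visible as context in that file's first hunk), so mail sent from the web process may now go out without TLS while the worker keeps it; unless the web container provably never sends mail, restore `- name: SMTP_USE_SSL` / `value: "{{ .smtp.tls }}"` here so both processes are configured identically. The new `CHANNELS_URI` value should be quoted (`value: "wss://{{ .domain }}"`) like the file's other templated scalars.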
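Review bot: Switching both probes from `httpGet /health` to `tcpSocket` only checks that port 3000 accepts connections, so a puma that is up but answering 500s (for example with an unreachable database) is marked ready and receives traffic; if `/health` no longer exists in this image, point the probe at a path the app does serve rather than at the socket. The same hunk also makes the web pod a root process (`runAsNonRoot: false`, `runAsUser: 0`), undoing the previous hardening — with `log` and `tmp` already on emptyDir volumes I do not see what still requires uid 0, and `fsGroup` would address PVC ownership without it.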
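Review bot: Moving `image` and `workerImage` from `loomio/loomio:v3.0.11` to `loomio/loomio:latest` makes the deployment non-reproducible and silently pulls whatever upstream pushes next with no review step. That is riskier than usual here because the start commands in this change `sed` the image's `db/schema.rb` and depend on `bundle exec thrust` existing, both of which can change under a floating tag. Pin to the specific version that was tested (or its `@sha256:` digest) and bump it deliberately.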
@@ -52,5 +52,6 @@ defaultSecrets: - key: secretCookieToken default: "{{ random.AlphaNum 32 }}" - key: smtpPassword + default: "{{ .secrets.smtp.password }}" requiredSecrets: - postgres.password diff --git a/loomio/pvc-storage.yaml b/loomio/pvc-storage.yaml index d34c554..0248326 100644 --- a/loomio/pvc-storage.yaml +++ b/loomio/pvc-storage.yaml @@ -4,7 +4,7 @@ metadata: name: loomio-storage spec: accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: storage: {{ .storage.files }} diff --git a/loomio/pvc-uploads.yaml b/loomio/pvc-uploads.yaml index 33e3e6d..57dc8a7 100644 --- a/loomio/pvc-uploads.yaml +++ b/loomio/pvc-uploads.yaml @@ -4,7 +4,7 @@ metadata: name: loomio-uploads spec: accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: storage: {{ .storage.uploads }}
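Review bot: Changing both PVCs from `ReadWriteOnce` to `ReadWriteMany` is presumably so the web and worker pods can share `loomio-uploads` and `loomio-storage`, but RWX is only provisionable on storage classes that support it (NFS/CephFS-style backends, not most block storage), so on a cluster without one these claims stay Pending and every pod blocks on mount. Worth a comment in the manifest's requirements, e.g. `# uploads/storage PVCs need a storage class that supports ReadWriteMany`, or a `storageClassName` set explicitly.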