open-zaak
diff --git a/‎charts/open-notificaties/Chart.yaml
+1-1 b/‎charts/open-notificaties/Chart.yaml
+1-1
diff --git a/‎charts/open-notificaties/README.md
+15 b/‎charts/open-notificaties/README.md
+15
diff --git a/‎charts/open-notificaties/templates/_helpers.tpl
+32 b/‎charts/open-notificaties/templates/_helpers.tpl
+32
diff --git a/‎charts/open-notificaties/templates/configmap.yaml
+10-1 b/‎charts/open-notificaties/templates/configmap.yaml
+10-1
diff --git a/‎charts/open-notificaties/templates/deployment.yaml
+82-4 b/‎charts/open-notificaties/templates/deployment.yaml
+82-4
diff --git a/‎charts/open-notificaties/templates/ingress.yaml
+53 b/‎charts/open-notificaties/templates/ingress.yaml
+53
diff --git a/‎charts/open-notificaties/templates/secret.yaml
+8 b/‎charts/open-notificaties/templates/secret.yaml
+8
diff --git a/‎charts/open-notificaties/templates/service.yaml
+18 b/‎charts/open-notificaties/templates/service.yaml
+18
@@ -3,7 +3,7 @@ name: open-notificaties
 description: API voor het routeren van notificaties
 
 type: application
-version: 0.5.0
+version: 0.6.0
 appVersion: "1.2.3"
 
 dependencies:
 
@@ -46,17 +46,20 @@ table below describes the supported versions
 | `image.repository` | The repository of the Docker image | `openzaak/open-notificaties` |
 | `image.tag` | The tag of the Docker image | `""` (uses `.Chart.AppVersion` by default) |
 | `replicaCount` | The number of replicas | `1` |
+| `podLabels` | Additional labels to be set on the open-notification API pods | `{}` |
 | `ingress.enabled` | Expose the application through an ingress | `false` |
 | `ingress.annotations` | Additional annotations on the API ingress | `{}` |
 | `ingress.hosts` | Ingress hosts | `"{open-notificaties.gemeente.nl}"` |
 | `ingress.tls` | Ingress TLS settings | `"[]"` |
+| `existingSecret` | Refer to an existing secret to avoid managing secrets through Helm. See templates/secret.yaml for required contents of your existing secret. This secret is also used for the Worker and Flower components. | `null` |
 | `settings.allowedHosts` | A comma-separated list of hosts allowed by the application | `"open-notificaties.gemeente.nl"` |
 | `settings.secretKey` | The secret key of the application | `"SOME-RANDOM-SECRET"` |
 | `settings.database.host` | The hostname of PostgreSQL | `"open-notificaties-postgresql"` |
 | `settings.database.port` | The port of PostgreSQL | `5432` |
 | `settings.database.username` | The username of PostgreSQL | `"postgres"` |
 | `settings.database.password` | The password of PostgreSQL | `"SUPER-SECRET"` |
 | `settings.database.name` | The database name of PostgreSQL | `"open-notificaties"` |
+| `settings.database.sslmode` | The SSL-mode used by the postgres client. See [docs](https://www.postgresql.org/docs/current/libpq-ssl.html) for more info | `"prefer"` |
 | `settings.cache.default` | The Redis cache for the default cache | `"open-notificaties-redis-master:6379/0"` |
 | `settings.cache.axes` | The Redis cache for the axes cache | `"open-notificaties-redis-master:6379/0"` |
 | `settings.email.host` | The hostname of the SMTP server | `"localhost"` |
@@ -69,11 +72,23 @@ table below describes the supported versions
 | `settings.celery.resultBackend` | The URL to the Celery result backend | `"redis://open-notificaties-redis-master:6379/1"` |
 | `settings.isHttps` | Used to construct absolute URLs and controls a variety of security settings | `true` |
 | `settings.debug` | Only set this to True on a local development environment. Various other security settings are derived from this setting | `false` |
+| `settings.flower.urlPrefix` | If enabled, deploy Flower on a non-root URL | `""` |
+| `settings.flower.basicAuth` | Secure Flower with [Basic Authentication](https://flower.readthedocs.io/en/latest/config.html#basic-auth). This is a comma-separated list of `username:password`. You should configure this when `flower.ingress.enabled` is set to true. | `""` |
+| `worker.podLabels` | Additional labels to be set on the open-notification worker pods | `{}` |
 | `postgresql.persistence.enabled` | Enable PostgreSQL persistency | `false` |
 | `postgresql.persistence.size` | Configure PostgreSQL size | `"1Gi"` |
 | `postgresql.persistence.existingClaim` | Use an existing persistent volume claim | `null` |
 | `postgresql.postgresqlDatabase` | The PostgreSQL database name | `"open-notificaties"` |
 | `postgresql.postgresqlPassword` | The PostgreSQL administrative password | `"SUPER-SECRET"` |
+| `flower.enabled` | Whether or not to deploy the [Flower](https://flower.readthedocs.io/en/latest/) component, which is a monitoring tool for Celery  | `false` |
+| `flower.replicaCount` | The number of replicas for Celery Flower | `1` | 
+| `flower.podLabels` | Additional labels to be set for Celery Flower | `{}` | 
+| `flower.extraEnvVars` | Configure Flower through additional environment variables. For a full list of possibilities, see [Flower config docs](https://flower.readthedocs.io/en/latest/config.html)  | `{}` | 
+| `flower.extraEnvVarsSecret` | Configure Flower through additional environment variables. This property should contain secrets like basic-auth. For a full list of possibilities, see [Flower config docs](https://flower.readthedocs.io/en/latest/config.html) | `{}` |
+| `flower.ingress.enabled` | Use a dedicated Ingress for Flower, which can act as a Management Ingress. When `Values.ingress.enabled` is set to true and this parameter to false, then Flower will be exposed on the main Ingress. | `false` | 
+| `flower.ingress.annotations` | Additional annotations on the Flower Ingress | `{}` |
+| `flower.ingress.hosts` | Flower Ingress hosts | `"{open-notificaties-flower.gemeente.nl}"` |
+| `flower.ingress.tls` | Flower Ingress TLS settings | `"[]"` |
 | `redis.usePassword` | Use a Redis password | `false` |
 | `redis.cluster.enabled` | Enable Redis cluster | `false` |
 | `redis.persistence.existingClaim` | Use existing persistent volume claim for Redis | `""` |
 
@@ -99,3 +99,35 @@ Worker selector labels
 app.kubernetes.io/name: {{ include "open-notificaties.workerName" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create a name for Flower
+We truncate at 56 chars in order to provide space for the "-flower" suffix
+*/}}
+{{- define "open-notificaties.flowerName" -}}
+{{ include "open-notificaties.name" . | trunc 56 | trimSuffix "-" }}-flower
+{{- end }}
+
+{{/*
+Create a default fully qualified name for Flower.
+We truncate at 56 chars in order to provide space for the "-flower" suffix
+*/}}
+{{- define "open-notificaties.flowerFullname" -}}
+{{ include "open-notificaties.fullname" . | trunc 56 | trimSuffix "-" }}-flower
+{{- end }}
+
+{{/*
+Flower labels
+*/}}
+{{- define "open-notificaties.flowerLabels" -}}
+{{ include "open-notificaties.commonLabels" . }}
+{{ include "open-notificaties.flowerSelectorLabels" . }}
+{{- end }}
+
+{{/*
+Flower selector labels
+*/}}
+{{- define "open-notificaties.flowerSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "open-notificaties.flowerName" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
@@ -12,6 +12,7 @@ data:
   DB_HOST: {{ .Values.settings.database.host | toString | quote }}
   DB_PORT: {{ .Values.settings.database.port | toString | quote }}
   DB_USER: {{ .Values.settings.database.username | toString | quote }}
+  PGSSLMODE: {{ .Values.settings.database.sslmode | toString | quote }}
   DEBUG: {{ if .Values.settings.debug }}"True"{{ else }}"False"{{ end }}
   EMAIL_HOST: {{ .Values.settings.email.host | toString | quote }}
   {{- if .Values.settings.email.username }}
@@ -21,4 +22,12 @@ data:
   EMAIL_USE_TLS: "True"
   {{- end }}
   IS_HTTPS: {{ if .Values.settings.isHttps }}"True"{{ else }}"False"{{ end }}
-  RABBITMQ_HOST: {{ .Values.settings.messageBroker.host }}
+  RABBITMQ_HOST: {{ .Values.settings.messageBroker.host }}
+  {{- if .Values.settings.flower.urlPrefix }}
+  FLOWER_URL_PREFIX: {{ .Values.settings.flower.urlPrefix }}
+  {{- end }}
+  {{- if .Values.flower.enabled }}
+  {{- range $index, $index_value := .Values.flower.extraEnvVars }}
+  {{ $index }}: {{ $index_value | toString | quote }}
+  {{- end }}
+  {{- end }}
@@ -21,6 +21,9 @@ spec:
         {{- end }}
       labels:
         {{- include "open-notificaties.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+            {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -37,7 +40,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           envFrom:
             - secretRef:
-                name: {{ include "open-notificaties.fullname" . }}
+                name: {{ .Values.existingSecret | default (include "open-notificaties.fullname" .) }}
             - configMapRef:
                 name: {{ include "open-notificaties.fullname" . }}
           ports:
@@ -98,6 +101,9 @@ spec:
         {{- end }}
       labels:
     {{- include "open-notificaties.workerSelectorLabels" . | nindent 8 }}
+    {{- with .Values.worker.podLabels }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -114,7 +120,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           envFrom:
             - secretRef:
-                name: {{ include "open-notificaties.fullname" . }}
+                name: {{ .Values.existingSecret | default (include "open-notificaties.fullname" .) }}
             - configMapRef:
                 name: {{ include "open-notificaties.fullname" . }}
           resources:
@@ -133,5 +139,77 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-
-
+---
+{{- if .Values.flower.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "open-notificaties.flowerFullname" . }}
+  labels:
+  {{- include "open-notificaties.flowerLabels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.flower.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "open-notificaties.flowerSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+    {{- include "open-notificaties.flowerSelectorLabels" . | nindent 8 }}
+    {{- with .Values.flower.podLabels }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "open-notificaties.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}-flower
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.existingSecret | default (include "open-notificaties.fullname" .) }}
+            - configMapRef:
+                name: {{ include "open-notificaties.fullname" . }}
+          ports:
+            - name: http
+              containerPort: 5555
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: 5555
+            {{- toYaml .Values.flower.livenessProbe | nindent 12 }}
+          readinessProbe:
+            tcpSocket:
+              port: 5555
+            {{- toYaml .Values.flower.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.flower.resources | nindent 12 }}
+          command:
+            - /celery_flower.sh
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
@@ -1,6 +1,11 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "open-notificaties.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
+{{- $flowerEnabled := .Values.flower.enabled }}
+{{- $flowerIngressEnabled := .Values.flower.ingress.enabled }}
+{{- $flowerFullName := include "open-notificaties.flowerFullname" . -}}
+{{- $flowerSvcPort := .Values.flower.service.port -}}
+{{- $flowerUrlPrefix := .Values.settings.flower.urlPrefix -}}
 {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
@@ -35,5 +40,53 @@ spec:
             backend:
               serviceName: {{ $fullName }}
               servicePort: {{ $svcPort }}
+          {{- if and ($flowerEnabled) (not $flowerIngressEnabled) }}
+          - path: /{{ $flowerUrlPrefix }}
+            backend:
+              serviceName: {{ $flowerFullName }}
+              servicePort: {{ $flowerSvcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}
+
+---
+{{- if .Values.flower.ingress.enabled -}}
+{{- $fullName := include "open-notificaties.flowerFullname" . -}}
+{{- $svcPort := .Values.flower.service.port -}}
+{{- $flowerUrlPrefix := .Values.settings.flower.urlPrefix -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "open-notificaties.labels" . | nindent 4 }}
+  {{- with .Values.flower.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.flower.ingress.tls }}
+  tls:
+    {{- range .Values.flower.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.flower.ingress.hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          - path: /{{ $flowerUrlPrefix }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
     {{- end }}
   {{- end }}
@@ -1,3 +1,4 @@
+{{- if not .Values.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,3 +19,10 @@ data:
   {{- if .Values.settings.sentry.dsn }}
   SENTRY_DSN: {{ .Values.settings.sentry.dsn | toString | b64enc | quote }}
   {{- end }}
+  {{- if .Values.flower.enabled }}
+  FLOWER_BASIC_AUTH: {{ .Values.settings.flower.basicAuth | toString | b64enc | quote }}
+  {{- range $index, $index_value := .Values.flower.extraEnvVarsSecret }}
+  {{ $index }}: {{ $index_value | toString | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
@@ -13,3 +13,21 @@ spec:
       name: http
   selector:
     {{- include "open-notificaties.selectorLabels" . | nindent 4 }}
+---
+{{- if .Values.flower.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "open-notificaties.flowerFullname" . }}
+  labels:
+    {{- include "open-notificaties.flowerLabels" . | nindent 4 }}
+spec:
+  type: {{ .Values.flower.service.type }}
+  ports:
+    - port: {{ .Values.flower.service.port }}
+      targetPort: 5555
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "open-notificaties.flowerSelectorLabels" . | nindent 4 }}
+{{- end }}