Create dedicated database for controller

.github/workflows/ci-deploy.yml

@@ -17,7 +17,7 @@ jobs:
     needs: build
     uses: ./.github/workflows/_deploy.yml
     with:
-      image_tag: ${{ needs.build.outputs.image_tag }}
+      image_tag: '${{ needs.build.outputs.image_tag }}@${{ needs.build.outputs.image_digest }}'
       deployment_name: vela
       environment: ${{ github.ref_name == 'main' && 'prod' || 'dev' }}
     secrets: inherit

chart/templates/_helpers.tpl

@@ -3,16 +3,37 @@ Reusable snippets shared across Vela Helm templates.
 */}}
 
 {{/*
-Renders a Postgres init container that waits for the target database to accept connections.
+Returns the plaintext password for a given DB credential key, preserving it across upgrades
+via lookup of the existing vela-controller-secret. On fresh installs the password is derived
+deterministically from the release name, namespace, and key so that all templates in the same
+render produce the same value.
+
+Usage: {{ include "vela.dbPassword" (list "controller-db-password" .) }}
+*/}}
+{{- define "vela.dbPassword" -}}
+{{- $key := index . 0 -}}
+{{- $ctx := index . 1 -}}
+{{- $existingSecret := lookup "v1" "Secret" $ctx.Release.Namespace "vela-controller-secret" -}}
+{{- if and $existingSecret (index $existingSecret.data $key) -}}
+{{- index $existingSecret.data $key | b64dec -}}
+{{- else -}}
+{{- printf "%s-%s-%s" $ctx.Release.Name $ctx.Release.Namespace $key | sha256sum | trunc 32 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders a Postgres init container that waits for the server to be ready.
+When `database` is provided it also waits until that specific database accepts connections.
 The helper accepts a dictionary with the following optional keys:
   - name               : init container name (default: wait-for-database)
   - image              : container image (default: postgres:17-alpine)
   - imagePullPolicy    : pull policy (default: IfNotPresent)
   - host               : database hostname (default: database)
   - port               : database port (default: 5432)
-  - secretName         : Kubernetes secret with credentials (default: database)
-  - usernameKey        : Secret key used for DB username (default: superuser-username)
-  - passwordKey        : Secret key used for DB password (default: superuser-password)
+  - database           : if set, block until this database accepts connections
+  - secretName         : secret containing credentials for the psql check (default: database)
+  - usernameKey        : key for the DB username in secretName (default: superuser-username)
+  - passwordKey        : key for the DB password in secretName (default: superuser-password)
   - securityContext    : optional security context applied to the init container
 */}}
 {{- define "vela.waitForPostgresInitContainer" -}}
@@ -21,6 +42,7 @@ The helper accepts a dictionary with the following optional keys:
 {{- $imagePullPolicy := default "IfNotPresent" .imagePullPolicy -}}
 {{- $host := default "database" .host -}}
 {{- $port := default "5432" .port -}}
+{{- $database := .database -}}
 {{- $secretName := default "database" .secretName -}}
 {{- $usernameKey := default "superuser-username" .usernameKey -}}
 {{- $passwordKey := default "superuser-password" .passwordKey -}}
@@ -32,6 +54,7 @@ The helper accepts a dictionary with the following optional keys:
       value: {{ $host | quote }}
     - name: DB_PORT
       value: {{ $port | quote }}
+{{- if $database }}
     - name: DB_USER
       valueFrom:
         secretKeyRef:
@@ -42,20 +65,22 @@ The helper accepts a dictionary with the following optional keys:
         secretKeyRef:
           name: {{ $secretName }}
           key: {{ $passwordKey }}
+{{- end }}
   command: ["/bin/sh", "-c"]
   args:
     - |
       echo "Waiting for database..."
-      until pg_isready -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER"; do
+      until pg_isready -h "$DB_HOST" -p "$DB_PORT"; do
         sleep 2
       done
       echo "Database is ready"
+{{- if $database }}
 
-      # Ensure postgres user can connect
-      until psql -h "$DB_HOST" -U "$DB_USER" -d postgres -c '\q' 2>/dev/null; do
-        echo "Waiting for Postgres superuser connection..."
+      until psql -h "$DB_HOST" -U "$DB_USER" -d {{ $database | quote }} -c '\q' 2>/dev/null; do
+        echo "Waiting for Postgres connection to {{ $database }}..."
         sleep 2
       done
+{{- end }}
 {{- with .securityContext }}
   securityContext:
 {{ toYaml . | nindent 4 }}

chart/templates/controller/configmap.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vela-controller-config
+data:
+  VELA_ROOT_PATH: {{ .Values.controller.env.VELA_ROOT_PATH | quote }}
+  VELA_JWT_SECRET: {{ .Values.controller.env.VELA_JWT_SECRET | quote }}
+  VELA_GATEWAY_NAME: {{ .Values.gateway.name | quote }}
+  VELA_GATEWAY_NAMESPACE: {{ .Values.gateway.namespace | quote }}
+  VELA_PGMETA_CRYPTO_KEY: {{ .Values.controller.env.VELA_PGMETA_CRYPTO_KEY | quote }}
+  VELA_CORS_ORIGINS: {{ .Values.controller.env.VELA_CORS_ORIGINS | quote }}
+  VELA_KEYCLOAK_URL: {{ .Values.controller.env.VELA_KEYCLOAK_URL | quote }}
+  VELA_KEYCLOAK_ADMIN_NAME: {{ .Values.controller.env.VELA_KEYCLOAK_ADMIN_NAME | quote }}
+  VELA_KEYCLOAK_ADMIN_SECRET: {{ .Values.controller.env.VELA_KEYCLOAK_ADMIN_SECRET | quote }}
+  VELA_CLOUDFLARE__API_TOKEN: {{ .Values.controller.env.VELA_CLOUDFLARE_API_TOKEN | quote }}
+  VELA_CLOUDFLARE__ZONE_ID: {{ .Values.controller.env.VELA_CLOUDFLARE_ZONE_ID | quote }}
+  VELA_CLOUDFLARE__BRANCH_REF: {{ .Values.controller.env.VELA_BRANCH_REF | quote }}
+  VELA_CLOUDFLARE__BRANCH_DB_REF: {{ .Values.controller.env.VELA_BRANCH_DB_REF | quote }}
+  VELA_CLOUDFLARE__DOMAIN_SUFFIX: {{ .Values.domainSuffix | default .Values.domain | quote }}
+  VELA_DEPLOYMENT_NAMESPACE_PREFIX: {{ .Values.controller.env.VELA_DEPLOYMENT_NAMESPACE_PREFIX | quote }}
+  VELA_DEPLOYMENT_SERVICE_PORT: {{ .Values.port | quote }}
+  VELA_SERVER_ROOT_URL: "https://{{ .Values.domain }}:{{ .Values.port }}"
+  VELA_ENABLE_DB_EXTERNAL_IPV6_LOADBALANCER: {{ .Values.controller.env.VELA_ENABLE_DB_EXTERNAL_IPV6_LOADBALANCER | quote }}
+  VELA_GRAFANA_URL: {{ .Values.controller.env.VELA_GRAFANA_URL | quote }}
+  VELA_SIMPLYBLOCK_CSI_NAMESPACE: {{ .Values.controller.env.VELA_SIMPLYBLOCK_CSI_NAMESPACE | quote }}

chart/templates/controller/deployment.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vela-controller
+  labels:
+    app.kubernetes.io/name: vela-controller
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vela-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vela-controller
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: vela-controller
+      initContainers:
+{{ include "vela.waitForPostgresInitContainer" (dict
+    "secretName" "vela-controller-secret"
+    "usernameKey" "controller-db-username"
+    "passwordKey" "controller-db-password"
+    "database" "controller"
+  ) | nindent 8 }}
+      containers:
+        - name: vela-controller
+          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}"
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: vela-controller-config
+          env:
+            - name: VELA_GRAFANA_SECURITY_ADMIN_USER
+              valueFrom:
+                secretKeyRef:
+                  name: vela-grafana-secret
+                  key: VELA_GRAFANA_SECURITY_ADMIN_USER
+            - name: VELA_GRAFANA_SECURITY_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: vela-grafana-secret
+                  key: VELA_GRAFANA_SECURITY_ADMIN_PASSWORD
+            - name: CONTROLLER_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: vela-controller-secret
+                  key: controller-db-password
+            - name: CELERY_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: vela-controller-secret
+                  key: celery-db-password
+            - name: VELA_DEPLOYMENT_PASSWORD_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: vela-controller-secret
+                  key: deployment-password-secret
+            - name: DB_HOST
+              value: database
+            - name: VELA_POSTGRES_URL
+              value: 'postgresql+asyncpg://vela_controller:$(CONTROLLER_DB_PASSWORD)@$(DB_HOST):5432/controller'
+            - name: VELA_BROKER_URL
+              value: 'sqla+postgresql+psycopg://vela_celery:$(CELERY_DB_PASSWORD)@$(DB_HOST):5432/controller'
+            - name: VELA_RESULT_BACKEND
+              value: 'db+postgresql+psycopg://vela_celery:$(CELERY_DB_PASSWORD)@$(DB_HOST):5432/controller'
+            - name: VELA_GRAFANA_URL
+              value: "https://{{ .Values.domain }}:{{ .Values.port }}/grafana"
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            periodSeconds: 5
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 10
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}