Merge pull request #141 from Ontotext-AD/license-configurations

GDB-11095: Added new license configurations
Ontotext-AD · Oct 23, 2024 · cb631b6 · cb631b6
2 parents ec4b58c + c72156d
commit cb631b6
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,9 +2,19 @@
 
 ## Version 11.3.0
 
+### New
+
+- Added new configuration properties for the license
+  - Added `license.mountPath` to configure where the license volume is mounted
+  - Added `license.optional` to configure the license volume as optional if needed
+  - Added `license.readOnly` to configure the read/write mode of the license volume mount
+
 ### Updated
 
 - Removed any pre-install, pre-upgrade, pre-rollback Helm hooks annotations to allow seamless ArgoCD deployments.
+- Changed the license directory to `/opt/graphdb/home/conf/license/` with `license.mountPath` in order to avoid using a `subPath` volume
+  mount. This allows kubelet to update the license when the Secret has been updated.
+- Changed the license volume mount as read-only by default with `license.readOnly`
 
 ## Version 11.2.2
 

diff --git a/README.md b/README.md
@@ -439,6 +439,9 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | labels | object | `{}` |  |
 | license.existingSecret | string | `""` |  |
 | license.licenseFilename | string | `"graphdb.license"` |  |
+| license.mountPath | string | `"/opt/graphdb/home/conf/license/"` |  |
+| license.optional | bool | `false` |  |
+| license.readOnly | bool | `true` |  |
 | livenessProbe.httpGet.path | string | `"/protocol"` |  |
 | livenessProbe.httpGet.port | string | `"http"` |  |
 | livenessProbe.initialDelaySeconds | int | `60` |  |

diff --git a/templates/graphdb/configmap-properties.yaml b/templates/graphdb/configmap-properties.yaml
@@ -15,6 +15,7 @@ data:
     # See https://graphdb.ontotext.com/documentation/ for supported properties
     graphdb.connector.port={{ .Values.containerPorts.http }}
     graphdb.append.request.id.headers=true
+    graphdb.license.file={{ .Values.license.mountPath | trimSuffix "/" }}/{{ .Values.license.licenseFilename }}
     graphdb.workbench.importDirectory=/opt/graphdb/home/graphdb-import
     graphdb.ontop.jdbc.path=/opt/graphdb/home/jdbc-driver
     graphdb.extra.plugins=/opt/graphdb/home/extra-plugins

diff --git a/templates/graphdb/statefulset.yaml b/templates/graphdb/statefulset.yaml
@@ -115,6 +115,7 @@ spec:
         - name: graphdb-license
           secret:
             secretName: {{ tpl .Values.license.existingSecret . }}
+            optional: {{ .Values.license.optional }}
         {{- end }}
         {{- if or .Values.security.enabled .Values.configuration.initialSettings.existingConfigmap }}
         - name: graphdb-initial-settings-config
@@ -346,8 +347,8 @@ spec:
               mountPath: /tmp
             {{- if .Values.license.existingSecret }}
             - name: graphdb-license
-              mountPath: /opt/graphdb/home/conf/graphdb.license
-              subPath: {{ .Values.license.licenseFilename }}
+              mountPath: {{ .Values.license.mountPath }}
+              readOnly: {{ .Values.license.readOnly }}
             {{- end }}
             {{- if .Values.configuration.logback.existingConfigmap }}
             - name: graphdb-logback-config

diff --git a/values.yaml b/values.yaml
@@ -129,6 +129,17 @@ license:
   # File name of the GraphDB license file in the existing license secret.
   # The default is graphdb.license, but it can be changed to map to a different secret key.
   licenseFilename: graphdb.license
+  # Directory where the license file will be mounted.
+  # Can be used to place the license outside the persistence directory if needed.
+  # Note: We use the license/ sub-folder instead of subPath volume mount so kubelet can replace the mounted license at runtime when the
+  # Secret is updated with a new GraphDB license. This avoids having to restart the GraphDB pods.
+  mountPath: /opt/graphdb/home/conf/license/
+  # Defines the secret volume as optional or not.
+  # Note: Useful if the GraphDB license has not yet been provisioned but will be, for example by an external system or an operator such as
+  # External Secret Operator.
+  optional: false
+  # Marks the secret mount as read-only to prevent any modifications to the license file.
+  readOnly: true
 
 # GraphDB runtime configuration settings.
 # For reference, see https://graphdb.ontotext.com/documentation/10.7/directories-and-config-properties.html