Files
template-web-backend-python/helm/APP_NAME/templates/addonclaim.yaml
ilopez 5a215ed293
Some checks failed
__APP_NAME__ — build & deploy / Calidad + build + push (push) Failing after 1m19s
__APP_NAME__ — build & deploy / Helm upgrade --install (push) Has been skipped
feat: AddonClaim + InitContainer wait-for-secret en chart helm
Cierra GOLDEN-PATH-ADDONCLAIM-MISSING (P0 hands-off pipeline).

Cambios:
- helm/APP_NAME/templates/addonclaim.yaml (NEW): hook pre-install/pre-upgrade
  weight -10, SIN delete-policy (sobrevive upgrades, evita disparar finalizer
  cleanup-logical). Gated por .Values.database.enabled (default true).
- helm/APP_NAME/templates/role-db-secret-reader.yaml (NEW): Role + RoleBinding
  weight -7 que permite al SA leer el Secret <release>-db-creds. Lo consume
  el InitContainer wait-for-secret del Job Alembic.
- helm/APP_NAME/templates/job-alembic-upgrade.yaml: gated por
  database.enabled, anade InitContainer wait-for-secret (48x5s=240s) que
  espera a que addon-provisioner publique el Secret tras reconciliar el
  AddonClaim. Absorbe la latencia del @kopf.timer (RECONCILE_INTERVAL 300s
  + initial_delay 60s) sin tocar el operator.
- helm/APP_NAME/values.yaml: bloque database completo (enabled, addonType,
  databaseName, user.permissions, deletionPolicy Retain). Opt-out con
  database.enabled=false + alembic.enabled=false.
- .gitea/workflows/APP_NAME-build.yaml: helm timeout 5m -> 7m (margen para
  reconcile addon-provisioner + StatefulSet ready + DDL Job + Alembic).
- claim-mariadb.yaml (DELETED): obsoleto - estaba en la raiz del template
  y nunca se renderizaba por helm. Reemplazado por addonclaim.yaml dentro
  del chart helm.
- README.md: documenta nueva tabla de hook weights, opt-out database, y
  trade-off del orphan AddonClaim post-uninstall (cleanup explicito).

Decision arquitectural: Opcion D modificada (Opus 4.6 consult).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-25 07:56:42 -05:00

40 lines
2.1 KiB
YAML

{{- if .Values.database.enabled }}
# AddonClaim — declara la intencion de la app de tener una BD (default MariaDB).
# Lo materializa addon-provisioner (CRD idp.coralware.cloud/v1alpha1):
# - reconcilia este claim cada RECONCILE_INTERVAL (default 300s) por TenantProfile.
# - crea BD logica + user + grant via Job DDL efimero en el cluster tenant.
# - publica el Secret `{{ .Values.database.secretName }}` en este ns (`apps`)
# con DATABASE_URL / DATABASE_HOST / DATABASE_PORT / DATABASE_USER /
# DATABASE_PASSWORD / DATABASE_NAME (contrato §2.3 del OpenSpec).
#
# Ordering con los hooks del chart (clave para que Alembic encuentre el Secret):
# weight -10 (este AddonClaim)
# -> weight -5 (ServiceAccount)
# -> weight 0 (Job Alembic — espera al Secret via InitContainer wait-for-secret)
#
# delete-policy: NO se declara intencionalmente.
# - Asi el AddonClaim sobrevive entre `helm upgrade` (re-apply idempotente).
# - Evita disparar el finalizer `cleanup-logical` en cada upgrade (que dropearia
# el user y regeneraria el password, causando ventana de downtime).
# - Trade-off documentado: `helm uninstall` deja el AddonClaim orfano y MariaDB
# sigue aprovisionada. Es coherente con `deletionPolicy: Retain` (default):
# borrar BD productiva debe ser decision explicita, no side-effect del uninstall.
# Cleanup explicito: `kubectl delete addonclaim {{ .Release.Name }}-db -n apps`.
apiVersion: idp.coralware.cloud/v1alpha1
kind: AddonClaim
metadata:
name: {{ .Release.Name }}-db
labels:
{{- include "app.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
spec:
addonType: {{ .Values.database.addonType | default "mariadb" | quote }}
databaseName: {{ .Values.database.databaseName | default (printf "%s_db" (.Release.Name | replace "-" "_")) | quote }}
user:
permissions: {{ .Values.database.user.permissions | default "rw" | quote }}
secretName: {{ .Values.database.secretName | quote }}
deletionPolicy: {{ .Values.database.deletionPolicy | default "Retain" | quote }}
{{- end }}