feat(sn-console): align streamnative-console with sn-platform-slim (#1267)

- Add DB_BASE=sqlite when image tag ends with -all
- Add extraEnv for custom environment variables
- Add dbPasswordSecret: mount secret as files, read
DB_PASSWORD/NEW_PASSWORD in startup script

Made-with: Cursor

<!--
### Contribution Checklist
  
- Name the pull request in the form "[charts/<chart-name>] Title of the
pull request".
Skip *[charts/<chart-name>]* if the PR doesn't change a specific chart.
E.g. `[docs] Fix typo in README`.

- Fill out the template below to describe the changes contributed by the
pull request. That will give reviewers the context they need to do the
review.
  
- Each pull request should address only one issue, not mix up code from
multiple issues.
  
  - Each commit in the pull request has a meaningful commit message

- Once all items of the checklist are addressed, remove the above text
and this checklist, leaving only the filled out template below.

**(The sections below can be removed for hotfixes of typos)**
-->

*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*

Fixes #<xyz>

*(or if this PR is one task of a github issue, please add `Master Issue:
#<xyz>` to link to the master issue.)*

Master Issue: #<xyz>

### Motivation

*Explain here the context, and why you're making that change. What is
the problem you're trying to solve.*

### Modifications

*Describe the modifications you've done.*

### Verifying this change

- [ ] Make sure that the change passes the CI checks.

*(Please pick either of the following options)*

This change is a trivial rework / code cleanup without any test
coverage.

*(or)*

This change is already covered by existing tests, such as *(please
describe tests)*.

*(or)*

This change added tests and can be verified as follows:

*(example:)*
- *Added integration tests for end-to-end deployment with large payloads
(10MB)*
  - *Extended integration test for recovery after broker failure*

### Documentation

Check the box below.

Need to update docs? 

- [ ] `doc-required` 
  
  (If you need help on updating docs, create a doc issue)
  
- [ ] `no-need-doc` 
  
  (Please explain why)
  
- [ ] `doc` 
  
  (If this PR contains doc changes)

Author: tuteng

charts/sn-console/templates/console/streamnative-console-statefulset.yaml

@@ -76,6 +76,41 @@ spec:
             periodSeconds: {{ .Values.probe.startup.periodSeconds }}
             failureThreshold: {{ .Values.probe.startup.failureThreshold }}
           {{- end }}
+          workingDir: "/pulsar-manager/console"
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID" ]; then
+                export GOOGLE_CLIENT_ID=$(cat /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID)
+              fi
+              if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_SECRET" ]; then
+                export GOOGLE_CLIENT_SECRET=$(cat /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_SECRET)
+              fi
+              if [ -f "/pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_ID" ]; then
+                export AZURE_CLIENT_ID=$(cat /pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_ID)
+              fi
+              if [ -f "/pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_SECRET" ]; then
+                export AZURE_CLIENT_SECRET=$(cat /pulsar-manager/secrets/azure-oauth2/AZURE_CLIENT_SECRET)
+              fi
+              if [ -f "/pulsar-manager/secrets/azure-oauth2/AZURE_TENANT_ID" ]; then
+                export AZURE_TENANT_ID=$(cat /pulsar-manager/secrets/azure-oauth2/AZURE_TENANT_ID)
+              fi
+              if [ -f "/pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_ID" ]; then
+                export OKTA_CLIENT_ID=$(cat /pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_ID)
+              fi
+              if [ -f "/pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_SECRET" ]; then
+                export OKTA_CLIENT_SECRET=$(cat /pulsar-manager/secrets/okta-oauth2/OKTA_CLIENT_SECRET)
+              fi
+              if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
+                export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
+              fi
+              if [ -f "/pulsar-manager/secrets/db-password/DB_PASSWORD" ]; then
+                export DB_PASSWORD=$(cat /pulsar-manager/secrets/db-password/DB_PASSWORD)
+              fi
+              if [ -f "/pulsar-manager/secrets/db-password/NEW_PASSWORD" ]; then
+                export NEW_PASSWORD=$(cat /pulsar-manager/secrets/db-password/NEW_PASSWORD)
+              fi
+              /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
             value: /pulsar-manager/pulsar-manager/application.properties
@@ -85,6 +120,8 @@ spec:
             value: {{ .Values.configData.DEFAULT_NAME }}
           - name: INSTANCE_NAME
             value: {{ .Values.configData.INSTANCE_NAME }}
+          - name: CLUSTER_NAME
+            value: {{ .Values.configData.CLUSTER_NAME | quote }}
           - name: WEB_SERVICE_URL
             value: {{ .Values.broker.webServiceUrl }}
           - name: KOP_SERVICE_URL
@@ -151,6 +188,13 @@ spec:
           {{- end }}
           - name: CONNECTOR_ENABLED
             value: "{{ .Values.configData.CONNECTOR_ENABLED | default "true" }}"
+          {{- if hasSuffix "-all" (toString .Values.image.tag) }}
+          - name: DB_BASE
+            value: sqlite
+          {{- end }}
+          {{- with .Values.extraEnv }}
+{{ toYaml . | indent 10 }}
+          {{- end }}
           {{- if .Values.login.pulsarJwt.enabled }}
           - name: AUTHENTICATION_NAME
             value: "pulsar-jwt"
@@ -208,21 +252,105 @@ spec:
           - secretRef:
               name: {{ .Values.login.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }}
           {{- end }}
-          
-          ports:
-          - name: frontend
-            containerPort: {{ .Values.ports.frontend }}
-          - name: backend
-            containerPort: {{ .Values.ports.backend }}
 
           volumeMounts:
           - name: streamnative-console-data
             mountPath: /data
+          - name: tmp-storage
+            mountPath: /tmp
+          - name: run-postgresql-tmpfs
+            mountPath: /run/postgresql
+          - name: pulsar-manager-conf
+            mountPath: /pulsar-manager/pulsar-manager
+          - name: psql
+            mountPath: /pulsar-manager/psql
           {{- if .Values.login.pulsarJwt.enabled }}
           - mountPath: /pulsar-manager/keys
             name: token-keys
             readOnly: true
           {{- end }}
+          {{- if .Values.login.sso.google.enabled }}
+          - name: google-oauth2-secret
+            mountPath: /pulsar-manager/secrets/google-oauth2
+            readOnly: true
+          {{- end }}
+          {{- if .Values.login.sso.azure.enabled }}
+          - name: azure-oauth2-secret
+            mountPath: /pulsar-manager/secrets/azure-oauth2
+            readOnly: true
+          {{- end }}
+          {{- if .Values.login.sso.okta.enabled }}
+          - name: okta-oauth2-secret
+            mountPath: /pulsar-manager/secrets/okta-oauth2
+            readOnly: true
+          {{- end }}
+          {{- if .Values.login.pulsarJwt.enabled }}
+          - name: pulsar-jwt-secret
+            mountPath: /pulsar-manager/secrets/pulsar-jwt
+            readOnly: true
+          {{- end }}
+          {{- if .Values.dbPasswordSecret }}
+          - name: db-password-secret
+            mountPath: /pulsar-manager/secrets/db-password
+            readOnly: true
+          {{- end }}
+        - name: "{{ template "sn_console.fullname" . }}-{{ .Values.component }}-gateway"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.resources }}
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+          {{- end }}
+          {{- if .Values.probe.readiness.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /cloud-manager/login/enabled
+              port: {{ .Values.ports.frontend }}
+            initialDelaySeconds: {{ .Values.probe.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probe.readiness.periodSeconds }}
+            failureThreshold: {{ .Values.probe.readiness.failureThreshold }}
+          {{- end }}
+          {{- if .Values.probe.liveness.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /cloud-manager/login/enabled
+              port: {{ .Values.ports.frontend }}
+            initialDelaySeconds: {{ .Values.probe.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probe.liveness.periodSeconds }}
+            failureThreshold: {{ .Values.probe.liveness.failureThreshold }}
+          {{- end }}
+          {{- if .Values.probe.startup.enabled }}
+          startupProbe:
+            httpGet:
+              path: /cloud-manager/login/enabled
+              port: {{ .Values.ports.frontend }}
+            initialDelaySeconds: {{ .Values.probe.startup.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probe.startup.periodSeconds }}
+            failureThreshold: {{ .Values.probe.startup.failureThreshold }}
+          {{- end }}
+          workingDir: "/pulsar-manager/gateway"
+          command: ["/pulsar-manager/gateway/gateway-entrypoint.sh"]
+          env:
+          - name: OPENAPI_ENABLED
+            value: "{{ .Values.configData.OPENAPI_ENABLED | default "false" }}"
+          ports:
+          - name: frontend
+            containerPort: {{ .Values.ports.frontend }}
+          - name: backend
+            containerPort: {{ .Values.ports.backend }}
+          volumeMounts:
+          - name: nginx-conf
+            mountPath: /etc/nginx/conf.d
+          - name: nginx-logs
+            mountPath: /var/log/nginx
+          - name: nginx-tmp
+            mountPath: /var/lib/nginx/tmp
+          - name: nginx-run
+            mountPath: /run
+          - name: nginx-lib-log
+            mountPath: /var/lib/nginx/logs
+          - name: tmp-storage
+            mountPath: /tmp
 
       volumes:
       {{- if not .Values.volumes.persistence }}
@@ -254,6 +382,56 @@ spec:
           secretName: {{ .Values.login.pulsarJwt.config.JWT_BROKER_SECRET_KEY }}
           {{- end }}
       {{- end }}
+      {{- if .Values.login.sso.google.enabled }}
+      - name: google-oauth2-secret
+        secret:
+          secretName: {{ .Values.login.sso.google.clientSecretRef }}
+          defaultMode: 0440
+      {{- end }}
+      {{- if .Values.login.sso.azure.enabled }}
+      - name: azure-oauth2-secret
+        secret:
+          secretName: {{ .Values.login.sso.azure.clientSecretRef }}
+          defaultMode: 0440
+      {{- end }}
+      {{- if .Values.login.sso.okta.enabled }}
+      - name: okta-oauth2-secret
+        secret:
+          secretName: {{ .Values.login.sso.okta.clientSecretRef }}
+          defaultMode: 0440
+      {{- end }}
+      {{- if .Values.login.pulsarJwt.enabled }}
+      - name: pulsar-jwt-secret
+        secret:
+          secretName: {{ .Values.login.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }}
+          defaultMode: 0440
+      {{- end }}
+      {{- if .Values.dbPasswordSecret }}
+      - name: db-password-secret
+        secret:
+          secretName: {{ .Values.dbPasswordSecret }}
+          defaultMode: 0440
+      {{- end }}
+      - name: tmp-storage
+        emptyDir: {}
+      - name: run-postgresql-tmpfs
+        emptyDir:
+          medium: Memory
+      - name: nginx-conf
+        emptyDir: {}
+      - name: nginx-logs
+        emptyDir: {}
+      - name: nginx-tmp
+        emptyDir: {}
+      - name: nginx-run
+        emptyDir:
+          medium: Memory
+      - name: pulsar-manager-conf
+        emptyDir: {}
+      - name: nginx-lib-log
+        emptyDir: {}
+      - name: psql
+        emptyDir: {}
 
   {{- if or .Values.volumes.data.storageClass .Values.volumes.data.storageClassName }}
   volumeClaimTemplates:

charts/sn-console/values.yaml

@@ -2,11 +2,11 @@
 # Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved.
 #
 
-initialize: true
+initialize: false
 
 image:
-  repository: streamnative/sn-platform-console
-  tag: "v1.14.2"
+  repository: streamnative/private-cloud-console
+  tag: "v2.3.27-all"
   pullPolicy: IfNotPresent
   hasCommand: false
 
@@ -47,7 +47,7 @@ resources:
     cpu: 0.1
 volumes:
   # use a persistent volume or emptyDir
-  persistence: true
+  persistence: false
   data:
     name: data
     size: 10Gi
@@ -94,6 +94,8 @@ configData:
   DEFAULT_ORGANIZATION: "streamnative"
   # *required*: the instance name to display for the Pulsar clusters in SN console
   INSTANCE_NAME: "pulsar"
+  # Optional: customize the cluster name shown in Console
+  CLUSTER_NAME: ""
   GLOBAL_RESOURCE_READ_ONLY: false
   REDIRECT_SCHEME: ""
   REDIRECT_HOST: ""
@@ -108,13 +110,29 @@ configData:
   GRAFANA_AUTH_PROXY: false
   GRAFANA_AUTH_PROXY_USER: ""
   DEFAULT_ENVIRONMENT_NAME: "pulsar"
-  DEFAULT_ENVIRONMENT_SERVICE_URL: ""
+  DEFAULT_ENVIRONMENT_SERVICE_URL: "http://private-cloud-proxy:8080"
   BACKEND_DEFAULT_SUPER_USER_ROLE: "pulsar-manager-admin"
   CONNECTOR_ENABLED: true
+  CLUSTER_NAME: "private-cloud"
+
+# Extra environment variables for streamnative-console container
+extraEnv: []
+# Secret name containing DB_PASSWORD and NEW_PASSWORD keys (mounted as files; read by startup script)
+# The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
+# Example command to create the secret:
+#   kubectl create secret generic my-db-password-secret \
+#     --from-literal=DB_PASSWORD=your-db-password \
+#     --from-literal=NEW_PASSWORD=your-new-password
+# Example command to update the secret:
+#   kubectl create secret generic my-db-password-secret \
+#     --from-literal=DB_PASSWORD=your-new-db-password \
+#     --from-literal=NEW_PASSWORD=your-new-password \
+#     --dry-run=client -o yaml | kubectl apply -f -
+dbPasswordSecret: ""
 
 login:
   vault:
-    enabled: true
+    enabled: false
   pulsarJwt:
     enabled: false
     config:
@@ -154,7 +172,7 @@ login:
 
 # broker related settings. configure how streamnative console should access Pulsar brokers.
 broker:
-  webServiceUrl: http://localhost:8080
+  webServiceUrl: http://private-cloud-proxy:8080
   # kopServiceUrl: localhost:9093
   auth:
     authentication: