feat!: affine cloud support (#3813)

Co-authored-by: Hongtao Lye <codert.sn@gmail.com>
Co-authored-by: liuyi <forehalo@gmail.com>
Co-authored-by: LongYinan <lynweklm@gmail.com>
Co-authored-by: X1a0t <405028157@qq.com>
Co-authored-by: JimmFly <yangjinfei001@gmail.com>
Co-authored-by: Peng Xiao <pengxiao@outlook.com>
Co-authored-by: xiaodong zuo <53252747+zuoxiaodong0815@users.noreply.github.com>
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
Co-authored-by: Qi <474021214@qq.com>
Co-authored-by: danielchim <kahungchim@gmail.com>

.github/helm/affine/charts/graphql/templates/_helpers.tpl

@@ -40,6 +40,7 @@ helm.sh/chart: {{ include "graphql.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+monitoring: enabled
 {{- end }}
 
 {{/*
@@ -75,58 +76,3 @@ key: {{ $secret.data.private }}
 key: {{ genPrivateKey "ecdsa" | b64enc }}
 {{- end -}}
 {{- end -}}
-
-{{- define "objectStorage.r2" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.objectStorage.r2.secretName -}}
-{{- if $secret -}}
-{{/*
-   Reusing existing secret data
-*/}}
-accountId: {{ $secret.data.accountId }}
-accessKeyId: {{ $secret.data.accessKeyId }}
-secretAccessKey: {{ $secret.data.secretAccessKey }}
-bucket: {{ $secret.data.bucket }}
-{{- else -}}
-{{/*
-    Generate new data
-*/}}
-accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
-accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
-secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
-bucket: {{ .Values.app.objectStorage.r2.bucket | b64enc }}
-{{- end -}}
-{{- end -}}
-
-{{- define "objectStorage.oauth.google" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.oauth.google.secretName -}}
-{{- if $secret -}}
-{{/*
-   Reusing existing secret data
-*/}}
-clientId: {{ $secret.data.clientId }}
-clientSecret: {{ $secret.data.clientSecret }}
-{{- else -}}
-{{/*
-    Generate new data
-*/}}
-clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
-clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
-{{- end -}}
-{{- end -}}
-
-{{- define "objectStorage.oauth.github" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.oauth.github.secretName -}}
-{{- if $secret -}}
-{{/*
-   Reusing existing secret data
-*/}}
-clientId: {{ $secret.data.clientId }}
-clientSecret: {{ $secret.data.clientSecret }}
-{{- else -}}
-{{/*
-    Generate new data
-*/}}
-clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
-clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
-{{- end -}}
-{{- end -}}

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -35,13 +35,36 @@ spec:
                 key: key
           - name: NODE_ENV
             value: "{{ .Values.env }}"
-          - name: DATABSE_PASSWORD
+          - name: NO_COLOR
+            value: "1"
+          - name: SERVER_FLAVOR
+            value: "graphql"
+          - name: AFFINE_ENV
+            value: "{{ .Release.Namespace }}"
+          - name: NEXTAUTH_URL
+            value: "{{ .Values.global.ingress.host }}"
+          - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.database.user }}:$(DATABSE_PASSWORD)@{{ .Values.database.url }}:{{ .Values.database.port }}/{{ .Values.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
+          - name: REDIS_SERVER_HOST
+            value: "{{ .Values.global.redis.host }}"
+          - name: REDIS_SERVER_PORT
+            value: "{{ .Values.global.redis.port }}"
+          - name: REDIS_SERVER_USER
+            value: "{{ .Values.global.redis.username }}"
+          - name: REDIS_SERVER_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: redis
+                key: redis-password
+          - name: REDIS_SERVER_DATABASE
+            value: "{{ .Values.global.redis.database }}"
           - name: AFFINE_SERVER_PORT
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_SUB_PATH
@@ -50,6 +73,37 @@ spec:
             value: "{{ .Values.app.host }}"
           - name: ENABLE_R2_OBJECT_STORAGE
             value: "{{ .Values.app.objectStorage.r2.enabled }}"
+          - name: OAUTH_EMAIL_SENDER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: sender
+          - name: OAUTH_EMAIL_LOGIN
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: login
+          - name: OAUTH_EMAIL_SERVER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: server
+          - name: OAUTH_EMAIL_PORT
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: port
+          - name: OAUTH_EMAIL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.email.secretName }}"
+                key: password
+          - name: DOC_MERGE_INTERVAL
+            value: "{{ .Values.app.doc.mergeInterval }}"
+          {{ if .Values.app.experimental.enableJwstCodec }}
+          - name: DOC_MERGE_USE_JWST_CODEC
+            value: "true"
+          {{ end }}
           {{ if .Values.app.objectStorage.r2.enabled }}
           - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
@@ -112,6 +166,20 @@ spec:
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+        {{ if .Values.global.database.gcloud.enabled }}
+        - name: cloud-sql-proxy
+          image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.6.0
+          args:
+            - "--structured-logs"
+            - "--auto-iam-authn"
+            - "{{ .Values.global.database.gcloud.connectionName }}"
+          securityContext:
+            runAsNonRoot: true
+          resources:
+            requests:
+              memory: "2Gi"
+              cpu: "1"
+        {{ end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -5,13 +5,14 @@ metadata:
   labels:
     {{- include "graphql.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook": post-install,pre-upgrade
     "helm.sh/hook-weight": "-1"
     "helm.sh/hook-delete-policy": before-hook-creation
 
 spec:
   template:
     spec:
+      serviceAccountName: {{ include "graphql.serviceAccountName" . }}
       containers:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -19,13 +20,21 @@ spec:
         env:
           - name: NODE_ENV
             value: "{{ .Values.env }}"
-          - name: DATABSE_PASSWORD
+          - name: AFFINE_ENV
+            value: "{{ .Release.Namespace }}"
+          - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
+          {{ if not .Values.global.database.gcloud.enabled }}
           - name: DATABASE_URL
-            value: postgres://{{ .Values.database.user }}:$(DATABSE_PASSWORD)@{{ .Values.database.url }}:{{ .Values.database.port }}/{{ .Values.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.global.database.gcloud.enabled }}
+          - name: DATABASE_URL
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
         resources:
           requests:
             cpu: '100m'

.github/helm/affine/charts/graphql/templates/monitoring.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.global.gke.enabled -}}
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+  name: "{{ .Chart.Name }}-monitoring"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: "{{ include "graphql.name" . }}"
+  endpoints:
+    - port: {{ .Values.service.port }}
+      interval: 30s
+{{- end }}

.github/helm/affine/charts/graphql/templates/oauth-github-secret.yaml

@@ -1,10 +0,0 @@
-{{- if .Values.app.oauth.github.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.oauth.github.secretName }}"
-type: Opaque
-data:
-{{- ( include "objectStorage.oauth.github" . ) | indent 2 -}}
-
-{{- end }}

.github/helm/affine/charts/graphql/templates/oauth-google-secret.yaml

@@ -1,10 +0,0 @@
-{{- if .Values.app.oauth.google.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Values.app.oauth.google.secretName }}"
-type: Opaque
-data:
-{{- ( include "objectStorage.oauth.google" . ) | indent 2 -}}
-
-{{- end }}

.github/helm/affine/charts/graphql/templates/oauth.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.email.secretName }}"
+type: Opaque
+data:
+  sender: "{{ .Values.app.oauth.email.sender | b64enc }}"
+  login: "{{ .Values.app.oauth.email.login | b64enc }}"
+  password: "{{ .Values.app.oauth.email.password | b64enc }}"
+  server: "{{ .Values.app.oauth.email.server | b64enc }}"
+  port: "{{ .Values.app.oauth.email.port | b64enc }}"
+---
+{{- if .Values.app.oauth.google.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.google.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
+{{- end }}
+---
+{{- if .Values.app.oauth.github.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.github.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
+{{- end }}

.github/helm/affine/charts/graphql/templates/pg-secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.global.database.password -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pg-postgresql
+type: Opaque
+data:
+  postgres-password: {{ .Values.global.database.password | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/r2-secret.yaml

@@ -5,5 +5,8 @@ metadata:
   name: "{{ .Values.app.objectStorage.r2.secretName }}"
 type: Opaque
 data:
-  {{- ( include "objectStorage.r2" . ) | indent 2 -}}
+  accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
+  accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
+  secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
+  bucket: {{ .Values.app.objectStorage.r2.bucket | b64enc }}
 {{- end }}

.github/helm/affine/charts/graphql/templates/redis-secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.global.redis.password -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redis
+type: Opaque
+data:
+  redis-password: {{ .Values.global.redis.password | b64enc }}
+{{- end }}