diff --git a/charts/orcha/README.md b/charts/orcha/README.md index 20b0b0e..9d184d6 100644 --- a/charts/orcha/README.md +++ b/charts/orcha/README.md @@ -181,7 +181,13 @@ helm upgrade --install orcha ./charts/orcha \ Database migrations are run automatically by a Helm hook Job when `migrations.enabled` is true. The Job runs `orcha migrate`, which applies Alembic migrations to the Orcha database. -It runs on `post-install` and `pre-upgrade`. +It runs on `pre-install` and `pre-upgrade`, so migrations complete before the app and +worker pods start serving. + +Because the Job runs as a `pre-install` hook (before regular resources are created), a +**fresh install must use a pre-existing database secret** via `secrets.db.existingSecret`; +the chart-managed `db-secrets` Secret does not yet exist during `pre-install`. Upgrades are +unaffected, as the secret already exists. Disable automatic migrations with: diff --git a/charts/orcha/templates/_helpers.tpl b/charts/orcha/templates/_helpers.tpl index db33f19..48c3599 100644 --- a/charts/orcha/templates/_helpers.tpl +++ b/charts/orcha/templates/_helpers.tpl @@ -110,6 +110,25 @@ Database Secret Name {{- end }} {{- end }} +{{/* +Database connection env vars (PG*). Include with `nindent 12` under `env:`. +*/}} +{{- define "orcha.databaseEnv" -}} +- name: PGUSER + value: {{ include "orcha.databaseUser" . | quote }} +- name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "orcha.dbSecretName" . }} + key: password +- name: PGHOST + value: {{ include "orcha.databaseHost" . | quote }} +- name: PGPORT + value: {{ include "orcha.databasePort" . | quote }} +- name: PGDATABASE + value: {{ include "orcha.databaseName" . | quote }} +{{- end }} + {{/* LLM Secret Name */}} 
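Review bot: In `orcha.databaseEnv` the `secretKeyRef` name, `name: {{ include "orcha.dbSecretName" . }}`, is the one templated scalar emitted without `| quote`, while every `value:` next to it is quoted. Now that the block lives in a single helper, it is a one-line change to `name: {{ include "orcha.dbSecretName" . | quote }}`, which keeps a name that happens to render as a number or boolean-looking string from being retyped by the YAML parser. The same applies to the two `orcha.langfuseSecretName` references in the `orcha.langfuseEnv` hunk that follows. The helper comment could also state that `PGPASSWORD` is a non-optional reference to key `password`, so every consumer of the helper needs that Secret to exist before its pod can start.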
@@ -132,6 +151,28 @@ Langfuse Secret Name {{- end }} {{- end }} +{{/* +Langfuse credential env vars. Include with `nindent 12` under `env:`. +*/}} +{{- define "orcha.langfuseEnv" -}} +{{- if or .Values.secrets.langfuse.publicKey .Values.secrets.langfuse.existingSecret }} +- name: LANGFUSE_PUBLIC_KEY + valueFrom: + secretKeyRef: + name: {{ include "orcha.langfuseSecretName" . }} + key: publicKey + optional: true +{{- end }} +{{- if or .Values.secrets.langfuse.secretKey .Values.secrets.langfuse.existingSecret }} +- name: LANGFUSE_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ include "orcha.langfuseSecretName" . }} + key: secretKey + optional: true +{{- end }} +{{- end }} + {{/* Temporal Hostname */}} diff --git a/charts/orcha/templates/deployment-worker.yaml b/charts/orcha/templates/deployment-worker.yaml index 1793df1..b6026f5 100644 --- a/charts/orcha/templates/deployment-worker.yaml +++ b/charts/orcha/templates/deployment-worker.yaml @@ -36,19 +36,7 @@ spec: - configMapRef: name: {{ include "orcha.fullname" . }}-llm-config env: - - name: PGUSER - value: {{ include "orcha.databaseUser" . | quote }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ include "orcha.dbSecretName" . }} - key: password - - name: PGHOST - value: {{ include "orcha.databaseHost" . | quote }} - - name: PGPORT - value: {{ include "orcha.databasePort" . | quote }} - - name: PGDATABASE - value: {{ include "orcha.databaseName" . | quote }} + {{- include "orcha.databaseEnv" . | nindent 12 }} - name: TEMPORAL_HOST value: {{ include "orcha.temporalHost" . | quote }} {{- if or .Values.secrets.llm.litellmApiKey .Values.secrets.llm.existingSecret }} 
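Review bot: The comment on `orcha.langfuseEnv` says to include it with `nindent 12`, but both deployments in this commit call it through `with (include "orcha.langfuseEnv" .)` and `trimAll "\n"` first. That suggests the helper can render empty or with a leading newline. The comment should describe the contract the callers actually rely on, for example `Langfuse credential env vars; renders empty when no Langfuse key or existingSecret is set. Wrap in "with", then trimAll "\n" | nindent 12 under env:.` It is also worth one line recording that both references are `optional: true`, so a missing Secret or key leaves the variable unset rather than blocking pod start.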
@@ -67,21 +55,8 @@ spec: key: ollamaApiKey optional: true {{- end }} - {{- if or .Values.secrets.langfuse.publicKey .Values.secrets.langfuse.existingSecret }} - - name: LANGFUSE_PUBLIC_KEY - valueFrom: - secretKeyRef: - name: {{ include "orcha.langfuseSecretName" . }} - key: publicKey - optional: true - {{- end }} - {{- if or .Values.secrets.langfuse.secretKey .Values.secrets.langfuse.existingSecret }} - - name: LANGFUSE_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ include "orcha.langfuseSecretName" . }} - key: secretKey - optional: true + {{- with (include "orcha.langfuseEnv" .) }} + {{- . | trimAll "\n" | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/charts/orcha/templates/deployment.yaml b/charts/orcha/templates/deployment.yaml index 7c37df4..5303bac 100644 --- a/charts/orcha/templates/deployment.yaml +++ b/charts/orcha/templates/deployment.yaml @@ -61,19 +61,7 @@ spec: - configMapRef: name: {{ include "orcha.fullname" . }}-llm-config env: - - name: PGUSER - value: {{ include "orcha.databaseUser" . | quote }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ include "orcha.dbSecretName" . }} - key: password - - name: PGHOST - value: {{ include "orcha.databaseHost" . | quote }} - - name: PGPORT - value: {{ include "orcha.databasePort" . | quote }} - - name: PGDATABASE - value: {{ include "orcha.databaseName" . | quote }} + {{- include "orcha.databaseEnv" . | nindent 12 }} - name: TEMPORAL_HOST value: {{ include "orcha.temporalHost" . | quote }} {{- if or .Values.secrets.llm.litellmApiKey .Values.secrets.llm.existingSecret }} 
@@ -92,21 +80,8 @@ spec: key: ollamaApiKey optional: true {{- end }} - {{- if or .Values.secrets.langfuse.publicKey .Values.secrets.langfuse.existingSecret }} - - name: LANGFUSE_PUBLIC_KEY - valueFrom: - secretKeyRef: - name: {{ include "orcha.langfuseSecretName" . }} - key: publicKey - optional: true - {{- end }} - {{- if or .Values.secrets.langfuse.secretKey .Values.secrets.langfuse.existingSecret }} - - name: LANGFUSE_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ include "orcha.langfuseSecretName" . }} - key: secretKey - optional: true + {{- with (include "orcha.langfuseEnv" .) }} + {{- . | trimAll "\n" | nindent 12 }} {{- end }} {{- if .Values.persistence.tenants.enabled }} volumeMounts: diff --git a/charts/orcha/templates/migration-job.yaml b/charts/orcha/templates/migration-job.yaml index 56fa389..08c68ef 100644 --- a/charts/orcha/templates/migration-job.yaml +++ b/charts/orcha/templates/migration-job.yaml @@ -7,13 +7,10 @@ metadata: {{- include "orcha.labels" . | nindent 4 }} app.kubernetes.io/component: migrations annotations: - "helm.sh/hook": post-install,pre-upgrade + "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: backoffLimit: {{ .Values.migrations.backoffLimit }} - {{- with .Values.migrations.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ . }} - {{- end }} template: metadata: labels: 
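Review bot: With the hook moved to `pre-install`, nothing in the template stops a fresh install that leaves `secrets.db.existingSecret` unset. The README text added in this commit says the chart-managed Secret does not exist at that point, so the Job pod would presumably be unable to resolve `PGPASSWORD` until the install times out. A render-time guard makes the failure immediate and self-explanatory: `{{- if and .Release.IsInstall (not .Values.secrets.db.existingSecret) }}{{ fail "migrations run pre-install: set secrets.db.existingSecret" }}{{- end }}`, placed inside whatever `migrations.enabled` condition wraps this Job (the top of the file is outside the hunk). `helm template` also renders as an install, so CI that templates the chart with default values would need to set the value or disable migrations. Turning the chart-managed Secret into a hook is the less attractive workaround, since hook resources are not tracked by the release and the credential could outlive `helm uninstall`.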
@@ -38,19 +35,7 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} env: - - name: PGUSER - value: {{ include "orcha.databaseUser" . | quote }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ include "orcha.dbSecretName" . }} - key: password - - name: PGHOST - value: {{ include "orcha.databaseHost" . | quote }} - - name: PGPORT - value: {{ include "orcha.databasePort" . | quote }} - - name: PGDATABASE - value: {{ include "orcha.databaseName" . | quote }} + {{- include "orcha.databaseEnv" . | nindent 12 }} resources: {{- toYaml .Values.migrations.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/charts/orcha/values.yaml b/charts/orcha/values.yaml index 5c6d691..171a5f9 100644 --- a/charts/orcha/values.yaml +++ b/charts/orcha/values.yaml @@ -10,7 +10,6 @@ image: migrations: enabled: true backoffLimit: 3 - ttlSecondsAfterFinished: 300 resources: {} serviceAccount: