feat: enhance worker deployments with additional packages and CA certificates

charts/sentry/templates/sentry/web/deployment-sentry-web.yaml

@@ -80,10 +80,20 @@ spec:
       - name: {{ .Chart.Name }}-web
         image: "{{ template "sentry.image" . }}"
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.sentry.pullPolicy }}
-        command: ["sentry"]
+        command: ["/bin/bash", "-c"]
         args:
-          - "run"
-          - "web"
+          - |
+            {{- if .Values.sentry.web.installAdditionalPackages }}
+            pip install {{ range .Values.sentry.web.installAdditionalPackages }}{{ . }} {{ end }}
+            {{- end }}
+            {{- if .Values.sentry.web.caCertificatesSecret }}
+            mkdir -p /usr/local/share/ca-certificates/
+            for c in $(ls -1 /usr/local/share/ca-certificates/); do
+                cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
+            done
+            update-ca-certificates
+            {{- end }}
+            sentry run web
           {{- if .Values.sentry.web.workers }}
           - "--workers"
           - "{{ .Values.sentry.web.workers }}"
@@ -131,6 +141,11 @@ spec:
         - name: custom-ca
           mountPath: /etc/pki/ca-trust/custom
         {{ end }}
+        {{- if .Values.sentry.web.caCertificatesSecret }}
+        - name: ca-certificates
+          mountPath: /usr/local/share/ca-certificates
+          readOnly: true
+        {{- end }}
 {{- if .Values.sentry.web.volumeMounts }}
 {{ toYaml .Values.sentry.web.volumeMounts | indent 8 }}
 {{- end }}
@@ -209,4 +224,10 @@ spec:
 {{- if .Values.global.volumes }}
 {{ toYaml .Values.global.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.sentry.web.caCertificatesSecret }}
+      - name: ca-certificates
+        secret:
+          secretName: {{ .Values.sentry.web.caCertificatesSecret }}
+          defaultMode: 0644
+{{- end }}
 {{- end }}

charts/sentry/templates/sentry/worker/deployment-sentry-worker-events.yaml

@@ -78,10 +78,20 @@ spec:
       - name: {{ .Chart.Name }}-worker
         image: "{{ template "sentry.image" . }}"
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.sentry.pullPolicy }}
-        command: ["sentry"]
+        command: ["/bin/bash", "-c"]
         args:
-          - "run"
-          - "worker"
+          - |
+            {{- if .Values.sentry.workerEvents.installAdditionalPackages }}
+            pip install {{ range .Values.sentry.workerEvents.installAdditionalPackages }}{{ . }} {{ end }}
+            {{- end }}
+            {{- if .Values.sentry.workerEvents.caCertificatesSecret }}
+            mkdir -p /usr/local/share/ca-certificates/
+            for c in $(ls -1 /usr/local/share/ca-certificates/); do
+                cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
+            done
+            update-ca-certificates
+            {{- end }}
+            sentry run worker
           - "-Q"
           - {{ .Values.sentry.workerEvents.queues }}
           {{- if .Values.sentry.workerEvents.concurrency }}
@@ -122,6 +132,11 @@ spec:
         - name: sentry-google-cloud-key
           mountPath: /var/run/secrets/google
         {{ end }}
+        {{- if .Values.sentry.workerEvents.caCertificatesSecret }}
+        - name: ca-certificates
+          mountPath: /usr/local/share/ca-certificates
+          readOnly: true
+        {{- end }}
 {{- if .Values.sentry.workerEvents.volumeMounts }}
 {{ toYaml .Values.sentry.workerEvents.volumeMounts | indent 8 }}
 {{- end }}
@@ -182,4 +197,10 @@ spec:
 {{- if .Values.sentry.workerEvents.volumes }}
 {{ toYaml .Values.sentry.workerEvents.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.sentry.workerEvents.caCertificatesSecret }}
+      - name: ca-certificates
+        secret:
+          secretName: {{ .Values.sentry.workerEvents.caCertificatesSecret }}
+          defaultMode: 0644
+{{- end }}
 {{- end }}

charts/sentry/templates/sentry/worker/deployment-sentry-worker-transactions.yaml

@@ -78,10 +78,20 @@ spec:
       - name: {{ .Chart.Name }}-worker
         image: "{{ template "sentry.image" . }}"
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.sentry.pullPolicy }}
-        command: ["sentry"]
+        command: ["/bin/bash", "-c"]
         args:
-          - "run"
-          - "worker"
+          - |
+            {{- if .Values.sentry.workerTransactions.installAdditionalPackages }}
+            pip install {{ range .Values.sentry.workerTransactions.installAdditionalPackages }}{{ . }} {{ end }}
+            {{- end }}
+            {{- if .Values.sentry.workerTransactions.caCertificatesSecret }}
+            mkdir -p /usr/local/share/ca-certificates/
+            for c in $(ls -1 /usr/local/share/ca-certificates/); do
+                cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
+            done
+            update-ca-certificates
+            {{- end }}
+            sentry run worker
           - "-Q"
           - {{ .Values.sentry.workerTransactions.queues }}
           {{- if .Values.sentry.workerTransactions.concurrency }}
@@ -122,6 +132,11 @@ spec:
         - name: sentry-google-cloud-key
           mountPath: /var/run/secrets/google
         {{ end }}
+        {{- if .Values.sentry.workerTransactions.caCertificatesSecret }}
+        - name: ca-certificates
+          mountPath: /usr/local/share/ca-certificates
+          readOnly: true
+        {{- end }}
 {{- if .Values.sentry.workerTransactions.volumeMounts }}
 {{ toYaml .Values.sentry.workerTransactions.volumeMounts | indent 8 }}
 {{- end }}
@@ -182,4 +197,10 @@ spec:
 {{- if .Values.sentry.workerTransactions.volumes }}
 {{ toYaml .Values.sentry.workerTransactions.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.sentry.workerTransactions.caCertificatesSecret }}
+      - name: ca-certificates
+        secret:
+          secretName: {{ .Values.sentry.workerTransactions.caCertificatesSecret }}
+          defaultMode: 0644
+{{- end }}
 {{- end }}

charts/sentry/templates/sentry/worker/deployment-sentry-worker.yaml

@@ -78,10 +78,20 @@ spec:
       - name: {{ .Chart.Name }}-worker
         image: "{{ template "sentry.image" . }}"
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.sentry.pullPolicy }}
-        command: ["sentry"]
+        command: ["/bin/bash", "-c"]
         args:
-          - "run"
-          - "worker"
+          - |
+            {{- if .Values.sentry.worker.installAdditionalPackages }}
+            pip install {{ range .Values.sentry.worker.installAdditionalPackages }}{{ . }} {{ end }}
+            {{- end }}
+            {{- if .Values.sentry.worker.caCertificatesSecret }}
+            mkdir -p /usr/local/share/ca-certificates/
+            for c in $(ls -1 /usr/local/share/ca-certificates/); do
+                cat /usr/local/share/ca-certificates/$c >> $(python3 -m certifi) && echo >> $(python3 -m certifi)
+            done
+            update-ca-certificates
+            {{- end }}
+            sentry run worker
           {{- if .Values.sentry.worker.excludeQueues }}
           - "--exclude-queues"
           - "{{ .Values.sentry.worker.excludeQueues }}"
@@ -129,6 +139,11 @@ spec:
         - name: sentry-google-cloud-key
           mountPath: /var/run/secrets/google
         {{ end }}
+        {{- if .Values.sentry.worker.caCertificatesSecret }}
+        - name: ca-certificates
+          mountPath: /usr/local/share/ca-certificates
+          readOnly: true
+        {{- end }}
 {{- if .Values.sentry.worker.volumeMounts }}
 {{ toYaml .Values.sentry.worker.volumeMounts | indent 8 }}
 {{- end }}
@@ -195,4 +210,10 @@ spec:
 {{- if .Values.global.volumes }}
 {{ toYaml .Values.global.volumes | indent 6 }}
 {{- end }}
+{{- if .Values.sentry.worker.caCertificatesSecret }}
+      - name: ca-certificates
+        secret:
+          secretName: {{ .Values.sentry.worker.caCertificatesSecret }}
+          defaultMode: 0644
+{{- end }}
 {{- end }}

charts/sentry/values.yaml

@@ -294,6 +294,11 @@ sentry:
     volumes: []
     volumeMounts: []
     # workers: 3
+    # installAdditionalPackages:
+    #   - django-multidb-router
+    #   - sentry-nodestore-elastic
+    #   - https://github.com/pavels/sentry-s3-nodestore/releases/download/v1.0.3/sentry-s3-nodestore-1.0.3.tar.gz
+    # caCertificatesSecret: ca-certificates  # kubectl create secret generic ca-certificates --from-file=you-certificates.crt --namespace=namespace
 
   features:
     orgSubdomains: false
@@ -350,6 +355,11 @@ sentry:
     topologySpreadConstraints: []
     volumes: []
     volumeMounts: []
+    # installAdditionalPackages:
+    #   - django-multidb-router
+    #   - sentry-nodestore-elastic
+    #   - https://github.com/pavels/sentry-s3-nodestore/releases/download/v1.0.3/sentry-s3-nodestore-1.0.3.tar.gz
+    # caCertificatesSecret: ca-certificates  # kubectl create secret generic ca-certificates --from-file=you-certificates.crt --namespace=namespace
 
   # allows to dedicate some workers to specific queues
   workerEvents:
@@ -390,6 +400,11 @@ sentry:
     topologySpreadConstraints: []
     volumes: []
     volumeMounts: []
+    # installAdditionalPackages:
+    #   - django-multidb-router
+    #   - sentry-nodestore-elastic
+    #   - https://github.com/pavels/sentry-s3-nodestore/releases/download/v1.0.3/sentry-s3-nodestore-1.0.3.tar.gz
+    # caCertificatesSecret: ca-certificates  # kubectl create secret generic ca-certificates --from-file=you-certificates.crt --namespace=namespace
 
   # allows to dedicate some workers to specific queues
   workerTransactions:
@@ -428,6 +443,11 @@ sentry:
     topologySpreadConstraints: []
     volumes: []
     volumeMounts: []
+    # installAdditionalPackages:
+    #   - django-multidb-router
+    #   - sentry-nodestore-elastic
+    #   - https://github.com/pavels/sentry-s3-nodestore/releases/download/v1.0.3/sentry-s3-nodestore-1.0.3.tar.gz
+    # caCertificatesSecret: ca-certificates  # kubectl create secret generic ca-certificates --from-file=you-certificates.crt --namespace=namespace
 
   ingestConsumerAttachments:
     enabled: true