forked from PrefectHQ/prefect-helm
{{ template "chart.header" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
## Installing the Chart
To install the chart with the release name `prefect-server`:
```console
helm repo add prefect https://prefecthq.github.io/prefect-helm
helm install prefect-server prefect/prefect-server
```
## Prefect Configuration
### Container Port // Port Forwarding
Without making any modifications to the `values.yaml` file, you can access the Prefect UI by port forwarding either the Server `pod` or `service` with the following command and visiting [http://localhost:4200](http://localhost:4200):
```console
kubectl port-forward svc/prefect-server 4200:4200
```
Note: If you choose to make modifications to either the `server.prefectApiUrl` or `service.port`, make sure to update the other value with the updated port!
## PostgreSQL Configuration
### Handling Connection Secrets
#### Using the bundled PostgreSQL chart
By default, Bitnami's PostgreSQL Helm Chart will be deployed. This is **not intended for production use**, and is only
included to provide a functional proof of concept installation.
In this scenario, you'll need to provide _either one_ of the following fields:
1. `postgresql.auth.password`: a password you want to set for the prefect user (default: `prefect-rocks`)
2. `postgresql.auth.existingSecret`: name of an existing secret in your cluster with the following field:
   - `connection-string`: fully-qualified connection string in the format of `postgresql+asyncpg://{username}:{password}@{hostname}/{database}`
     - username = `postgresql.auth.username`
     - hostname = `<release-name>-postgresql.<release-namespace>:<postgresql.containerPorts.postgresql>`
     - database = `postgresql.auth.database`
Two secrets are created when not providing an existing secret name:
1. `prefect-server-postgresql-connection`: used by the prefect-server deployment to connect to the postgresql database.
2. `<release-name>-postgresql-0`: defines the `postgresql.auth.username`'s password on the postgresql server to allow successful authentication from the prefect server.
#### Using an external instance of PostgreSQL
If you want to disable the bundled PostgreSQL chart and use an external instance, provide the following configuration:
```yaml
prefect-server:
  postgresql:
    enabled: false
  secret:
    # Use only one of the two options below.
    # Option 1: provide the name of an existing secret following the instructions above.
    create: false
    name: <existing secret name>
    # Option 2: provide the connection string details directly
    create: true
    username: myuser
    password: mypass
    host: myhost.com
    port: 1234
    database: mydb
```
### Connecting with SSL configured
1. Mount the relevant certificate to `/home/prefect/.postgresql` so that it can be found by `asyncpg`. This is the default location PostgreSQL expects per its [documentation](https://www.postgresql.org/docs/current/libpq-ssl.html).
```yaml
prefect-server:
  server:
    extraVolumes:
      - name: db-ssl-secret
        secret:
          secretName: db-ssl-secret
          # 384 is the decimal form of octal 0600 (owner read/write only)
          defaultMode: 384
    extraVolumeMounts:
      - name: db-ssl-secret
        mountPath: "/home/prefect/.postgresql"
        readOnly: true
  postgresql:
    enabled: false
    auth:
      existingSecret: external-db-connection-string
```
2. Create a secret to hold the CA certificate for the database with the key `root.crt`:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-ssl-secret
data:
  root.crt: BASE64ENCODECERTIFICATE=
type: Opaque
```
3. Set the connection string in the existing secret following this format. The `?ssl=verify-ca` suffix is crucial:
```
postgresql+asyncpg://{username}:{password}@{hostname}/{database}?ssl=verify-ca
```
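The following Python helper is an added example, not part of the chart or its original README. It builds the `connection-string` value in the documented format, percent-encodes the credentials so that characters such as `@`, `:` or `/` in a password cannot shift the host boundary, checks for `ssl=verify-ca`, and renders the Secret manifest. The function names, the hostname and the credentials are constructed for illustration; the secret name is the one used in step 1.

```python
import base64
from urllib.parse import parse_qs, quote, urlsplit

SCHEME = "postgresql+asyncpg"  # driver prefix from the chart's documented format


def build_connection_string(username, password, hostname, database, ssl="verify-ca"):
    """Build the `connection-string` value, percent-encoding each credential part."""
    user, pw, db = (quote(part, safe="") for part in (username, password, database))
    url = f"{SCHEME}://{user}:{pw}@{hostname}/{db}"
    return f"{url}?ssl={ssl}" if ssl else url


def check_connection_string(value, expected_host):
    """Return a list of problems; an empty list means the value parses as intended."""
    parts = urlsplit(value)
    problems = []
    if parts.scheme != SCHEME:
        problems.append(f"scheme is {parts.scheme!r}, expected {SCHEME!r}")
    if parts.hostname != expected_host:
        # Typical cause: an unencoded '@', ':' or '/' in the password.
        problems.append(f"host parses as {parts.hostname!r}, expected {expected_host!r}")
    if parse_qs(parts.query).get("ssl") != ["verify-ca"]:
        problems.append("ssl=verify-ca is missing, so the server CA is not verified")
    return problems


def secret_manifest(name, connection_string):
    """Render an Opaque Secret whose `connection-string` key is base64-encoded."""
    encoded = base64.b64encode(connection_string.encode()).decode()
    return (
        "apiVersion: v1\nkind: Secret\n"
        f"metadata:\n  name: {name}\n"
        f"data:\n  connection-string: {encoded}\n"
        "type: Opaque\n"
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    value = build_connection_string(
        "prefect", "p@ss/w:rd", "db.example.internal:5432", "prefect"
    )
    print(check_connection_string(value, "db.example.internal"))
    print(secret_manifest("external-db-connection-string", value))
```

Apply the rendered manifest in the release namespace before installing the chart, so that `postgresql.auth.existingSecret` resolves at deploy time.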
{{ template "chart.maintainersSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}