Merge pull request #33 from PrivateAIM/32-add-helm-chart

feat: add Helm chart
PrivateAIM · Apr 18, 2024 · ee9d18f · ee9d18f
2 parents a598eaa + ec967bd
commit ee9d18f
Show file tree

Hide file tree

Showing 11 changed files with 222 additions and 40 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -8,6 +8,7 @@ repos:
       - id: check-toml
       - id: check-yaml
         args: [ --unsafe ]
+        exclude: ^k8s/helm/node-result-service/
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/astral-sh/ruff-pre-commit

diff --git a/k8s/README.md b/k8s/README.md
@@ -5,26 +5,6 @@ Make sure you have a k8s cluster running and accessible, e.g. by
 installing [minikube](https://minikube.sigs.k8s.io/docs/) on your local
 machine.
 
-## Secret setup to pull from ghcr.io
-
-Container images will be pulled from the GitHub container registry.
-You will need to provide the login credentials as a secret to k8s.
-[Follow the GitHub documentation on acquiring a personal access token.](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry)
-
-To save yourself some work, you'll find a script which generates the configuration file to correctly provision the
-access token to your k8s instance in this directory.
-Simply run the following commands.
-
-```
-$ ./generate-k8s-secret-yaml.sh "<GitHub username>" "<GitHub access token>" > ghcr-secret.yaml
-$ kubectl apply -f ghcr-secret.yaml
-```
-
-**It is highly encouraged to delete the resulting YAML file afterwards since it contains your access token in
-(obfuscated) plain text.**
-
-## Deploy to k8s
-
 To deploy, simply run the following commands.
 
 ```

diff --git a/k8s/generate-k8s-secret-yaml.sh b/k8s/generate-k8s-secret-yaml.sh
diff --git a/k8s/helm/node-result-service/.helmignore b/k8s/helm/node-result-service/.helmignore
@@ -0,0 +1,101 @@
+### VisualStudioCode template
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Example user template template
+### Example user template
+
+# IntelliJ project files
+.idea
+*.iml
+out
+gen
diff --git a/k8s/helm/node-result-service/Chart.yaml b/k8s/helm/node-result-service/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: flame-result-service
+description: A Helm Chart for the FLAME Node Result Service
+type: application
+version: 0.1.0
+appVersion: latest
diff --git a/k8s/helm/node-result-service/templates/minio-deployment.yaml b/k8s/helm/node-result-service/templates/minio-deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-local-minio-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-minio
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-minio
+    spec:
+      containers:
+        - name: {{ .Release.Name }}-local-minio
+          image: bitnami/minio:2024.1.16
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 9000
+              name: http-s3
+          env:
+            - name: MINIO_ROOT_USER
+              value: {{ required "MinIO user must be set." .Values.env.MINIO_ACCESS_KEY | quote }}
+            - name: MINIO_ROOT_PASSWORD
+              value: {{ required "MinIO password must be set." .Values.env.MINIO_SECRET_KEY | quote }}
+            - name: MINIO_DEFAULT_BUCKETS
+              value: {{ required "MinIO bucket must be set." .Values.env.MINIO_BUCKET | quote }}
diff --git a/k8s/helm/node-result-service/templates/minio-service.yaml b/k8s/helm/node-result-service/templates/minio-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-local-minio-service
+spec:
+  type: NodePort  # setting nodePort later is optional
+  selector:
+    app: {{ .Release.Name }}-minio
+  ports:
+    - protocol: TCP
+      port: 9000  # port of this service
+      targetPort: http-s3  # port on the pod
diff --git a/k8s/helm/node-result-service/templates/node-result-deployment.yaml b/k8s/helm/node-result-service/templates/node-result-deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-node-result-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-node-result
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-node-result
+    spec:
+      containers:
+        - name: {{ .Release.Name }}-node-result-service
+          image: ghcr.io/privateaim/node-result-service:sha-7740b53
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+              name: http-result-srv
+          env:
+            - name: MINIO__ENDPOINT
+              value: {{ .Release.Name }}-local-minio-service
+            - name: MINIO__ACCESS_KEY
+              value: {{ required "MinIO user must be set." .Values.env.MINIO_ACCESS_KEY | quote }}
+            - name: MINIO__SECRET_KEY
+              value: {{ required "MinIO password must be set." .Values.env.MINIO_SECRET_KEY | quote }}
+            - name: MINIO__USE_SSL
+              value: {{ .Values.env.MINIO_USE_SSL | default false | quote }}
+            - name: MINIO__BUCKET
+              value: {{ required "MinIO bucket must be set." .Values.env.MINIO_BUCKET | quote }}
+            - name: HUB__AUTH_USERNAME
+              value: {{ required "Hub username must be set." .Values.env.HUB_USERNAME | quote }}
+            - name: HUB__AUTH_PASSWORD
+              value: {{ required "Hub password must be set." .Values.env.HUB_PASSWORD | quote }}
+            - name: OIDC__CERTS_URL
+              value: {{ required "OIDC endpoint must be set." .Values.env.OIDC_CERTS_URL | quote }}
+            # Change this to "1" for testing purposes. This will cause the value of OIDC__CERTS_URL to be
+            # ignored. You will still need to set this variable for the service to start up correctly.
+            - name: OIDC__SKIP_JWT_VALIDATION
+              value: "0"
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: http-result-srv
+            failureThreshold: 5
+            periodSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http-result-srv
+            failureThreshold: 3
+            periodSeconds: 10
diff --git a/k8s/helm/node-result-service/templates/node-result-service.yaml b/k8s/helm/node-result-service/templates/node-result-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-node-result-service
+spec:
+  type: NodePort  # setting nodePort later is optional
+  selector:
+    app: node-result
+  ports:
+    - protocol: TCP
+      port: 8080  # port of this service
+      targetPort: http-result-srv  # port on the pod
diff --git a/k8s/helm/node-result-service/values.yaml b/k8s/helm/node-result-service/values.yaml
@@ -0,0 +1,8 @@
+env:
+  HUB_USERNAME: foobar
+  HUB_PASSWORD: sup3r_s3cr3t
+  MINIO_ACCESS_KEY: admin
+  MINIO_SECRET_KEY: s3cr3t_p4ssw0rd
+  MINIO_USE_SSL: false
+  MINIO_BUCKET: flame
+  OIDC_CERTS_URL: http://keycloak-service/realms/flame/protocol/openid-connect/certs
diff --git a/k8s/node-result-deployment.yaml b/k8s/node-result-deployment.yaml
@@ -52,5 +52,3 @@ spec:
               port: http-result-srv
             failureThreshold: 3
             periodSeconds: 10
-      imagePullSecrets:
-        - name: dockerconfigjson-github-com