From 964102fe4a3996526b878be5ca4bf8e4c252f453 Mon Sep 17 00:00:00 2001 From: Maximilian Jugl Date: Thu, 18 Apr 2024 13:56:12 +0200 Subject: [PATCH 1/3] fix: remove GitHub credential setup from k8s --- k8s/README.md | 20 -------------------- k8s/generate-k8s-secret-yaml.sh | 18 ------------------ k8s/node-result-deployment.yaml | 2 -- 3 files changed, 40 deletions(-) delete mode 100755 k8s/generate-k8s-secret-yaml.sh diff --git a/k8s/README.md b/k8s/README.md index f16a273..b47bc2e 100644 --- a/k8s/README.md +++ b/k8s/README.md @@ -5,26 +5,6 @@ Make sure you have a k8s cluster running and accessible, e.g. by installing [minikube](https://minikube.sigs.k8s.io/docs/) on your local machine. -## Secret setup to pull from ghcr.io - -Container images will be pulled from the GitHub container registry. -You will need to provide the login credentials as a secret to k8s. -[Follow the GitHub documentation on acquiring a personal access token.](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry) - -To save yourself some work, you'll find a script which generates the configuration file to correctly provision the -access token to your k8s instance in this directory. -Simply run the following commands. - -``` -$ ./generate-k8s-secret-yaml.sh "" "" > ghcr-secret.yaml -$ kubectl apply -f ghcr-secret.yaml -``` - -**It is highly encouraged to delete the resulting YAML file afterwards since it contains your access token in -(obfuscated) plain text.** - -## Deploy to k8s - To deploy, simply run the following commands. ``` diff --git a/k8s/generate-k8s-secret-yaml.sh b/k8s/generate-k8s-secret-yaml.sh deleted file mode 100755 index 04451d3..0000000 --- a/k8s/generate-k8s-secret-yaml.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/sh -if [ "$#" -ne 2 ]; then - echo "usage: $0 github_username github_access_token" - exit 1 -fi - -B64_BASIC_AUTH=$(printf "%s:%s" "$1" "$2" | base64 -w0) -B64_DOCKER_CONFIG_JSON=$(printf '{"auths": {"ghcr.io": {"auth": "%s"}}}' "$B64_BASIC_AUTH" | base64 -w0) - -cat < Date: Thu, 18 Apr 2024 13:58:13 +0200 Subject: [PATCH 2/3] fix: add helm chart, exclude from yaml check --- .pre-commit-config.yaml | 1 + k8s/helm/node-result-service/.helmignore | 101 ++++++++++++++++++ k8s/helm/node-result-service/Chart.yaml | 6 ++ .../templates/minio-deployment.yaml | 28 +++++ .../templates/minio-service.yaml | 12 +++ .../templates/node-result-deployment.yaml | 54 ++++++++++ .../templates/node-result-service.yaml | 12 +++ k8s/helm/node-result-service/values.yaml | 11 ++ 8 files changed, 225 insertions(+) create mode 100644 k8s/helm/node-result-service/.helmignore create mode 100644 k8s/helm/node-result-service/Chart.yaml create mode 100644 k8s/helm/node-result-service/templates/minio-deployment.yaml create mode 100644 k8s/helm/node-result-service/templates/minio-service.yaml create mode 100644 k8s/helm/node-result-service/templates/node-result-deployment.yaml create mode 100644 k8s/helm/node-result-service/templates/node-result-service.yaml create mode 100644 k8s/helm/node-result-service/values.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3803bae..7aaa7f6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,6 +8,7 @@ repos: - id: check-toml - id: check-yaml args: [ --unsafe ] + exclude: ^k8s/helm/node-result-service/ - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/astral-sh/ruff-pre-commit diff --git a/k8s/helm/node-result-service/.helmignore b/k8s/helm/node-result-service/.helmignore new file mode 100644 index 0000000..b1fda0a --- /dev/null +++ b/k8s/helm/node-result-service/.helmignore 
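Review bot: The added `exclude: ^k8s/helm/node-result-service/` under check-yaml also skips Chart.yaml and values.yaml, which are plain YAML that the hook can validate; only the Go-templated files under templates/ fail to parse. Narrowing it to `exclude: ^k8s/helm/node-result-service/templates/` keeps the check on the two files it can still read. The enclosing `repos:` list starts and ends outside the hunk.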
@@ -0,0 +1,101 @@
+### VisualStudioCode template
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn. Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Example user template template
+### Example user template
+
+# IntelliJ project files
+.idea
+*.iml
+out
+gen
diff --git a/k8s/helm/node-result-service/Chart.yaml b/k8s/helm/node-result-service/Chart.yaml
new file mode 100644
index 0000000..59986c5
--- /dev/null
+++ b/k8s/helm/node-result-service/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: flame-result-service
+description: A Helm Chart for the FLAME Node Result Service
+type: application
+version: 0.1.0
+appVersion: latest
diff --git a/k8s/helm/node-result-service/templates/minio-deployment.yaml b/k8s/helm/node-result-service/templates/minio-deployment.yaml
new file mode 100644
index 0000000..76dd13e
--- /dev/null
+++ b/k8s/helm/node-result-service/templates/minio-deployment.yaml
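Review bot: `appVersion: latest` in Chart.yaml does not describe what the chart deploys, since node-result-deployment.yaml pins the image to `ghcr.io/privateaim/node-result-service:sha-7740b53`; keeping appVersion equal to the pinned tag, or having the template read the tag from `.Chart.AppVersion`, stops the chart from advertising a different version than it runs. The chart `name: flame-result-service` also differs from its directory `k8s/helm/node-result-service`, which Helm allows but makes the packaged artifact harder to locate.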
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-local-minio-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-minio
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-minio
+ spec:
+ containers:
+ - name: {{ .Release.Name }}-local-minio
+ image: bitnami/minio:2024.1.16
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9000
+ name: http-s3
+ env:
+ - name: MINIO_ROOT_USER
+ value: {{ required "MinIO user must be set." .Values.env.MINIO_ACCESS_KEY | quote }}
+ - name: MINIO_ROOT_PASSWORD
+ value: {{ required "MinIO password must be set." .Values.env.MINIO_SECRET_KEY | quote }}
+ - name: MINIO_DEFAULT_BUCKETS
+ value: {{ required "MinIO bucket must be set." .Values.env.MINIO_BUCKET | quote }}
diff --git a/k8s/helm/node-result-service/templates/minio-service.yaml b/k8s/helm/node-result-service/templates/minio-service.yaml
new file mode 100644
index 0000000..c7555fb
--- /dev/null
+++ b/k8s/helm/node-result-service/templates/minio-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-local-minio-service
+spec:
+ type: NodePort # setting nodePort later is optional
+ selector:
+ app: {{ .Release.Name }}-minio
+ ports:
+ - protocol: TCP
+ port: 9000 # port of this service
+ targetPort: http-s3 # port on the pod
diff --git a/k8s/helm/node-result-service/templates/node-result-deployment.yaml b/k8s/helm/node-result-service/templates/node-result-deployment.yaml
new file mode 100644
index 0000000..2516c28
--- /dev/null
+++ b/k8s/helm/node-result-service/templates/node-result-deployment.yaml
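Review bot: MINIO_ROOT_USER and MINIO_ROOT_PASSWORD are rendered into the pod spec as plain `value:` strings, so anyone with `get` on Deployments or Pods (commonly granted more widely than `get` on Secrets) can read the MinIO root credentials, and they show up in every `kubectl describe` and manifest diff; node-result-deployment.yaml repeats the pattern for MINIO__ACCESS_KEY, MINIO__SECRET_KEY and HUB__AUTH_PASSWORD. Rendering the same `required` expressions into a new `Secret` template (one `stringData` key per credential) and pointing the env entries at it with `valueFrom.secretKeyRef` keeps the fail-fast behaviour while moving the secret material behind Secret RBAC. The `Secret` name below is a proposed name, not one the chart defines yet.
```yaml
        env:
          - name: MINIO_ROOT_USER
            valueFrom:
              secretKeyRef:
                name: {{ .Release.Name }}-minio-credentials
                key: access-key
          - name: MINIO_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ .Release.Name }}-minio-credentials
                key: secret-key
          # … unchanged: MINIO_DEFAULT_BUCKETS entry …
```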
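Review bot: `type: NodePort` on the MinIO Service publishes the S3 port on every node address, yet the only consumer visible in this chart is the result service, which reaches it in-cluster through the Service name (`MINIO__ENDPOINT` in node-result-deployment.yaml). Dropping the `type:` line (ClusterIP is the default) keeps the object store off the node network; if the NodePort exists for local minikube debugging, a value such as `type: {{ .Values.minio.service.type | default "ClusterIP" }}` makes that opt-in rather than the default.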
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-node-result-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-node-result
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-node-result
+ spec:
+ containers:
+ - name: {{ .Release.Name }}-node-result-service
+ image: ghcr.io/privateaim/node-result-service:sha-7740b53
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8080
+ name: http-result-srv
+ env:
+ - name: MINIO__ENDPOINT
+ value: {{ .Release.Name }}-local-minio-service
+ - name: MINIO__ACCESS_KEY
+ value: {{ required "MinIO user must be set." .Values.env.MINIO_ACCESS_KEY | quote }}
+ - name: MINIO__SECRET_KEY
+ value: {{ required "MinIO password must be set." .Values.env.MINIO_SECRET_KEY | quote }}
+ - name: MINIO__USE_SSL
+ value: {{ .Values.env.MINIO_USE_SSL | default false | quote }}
+ - name: MINIO__BUCKET
+ value: {{ required "MinIO bucket must be set." .Values.env.MINIO_BUCKET | quote }}
+ - name: HUB__AUTH_USERNAME
+ value: {{ required "Hub username must be set." .Values.env.HUB_USERNAME | quote }}
+ - name: HUB__AUTH_PASSWORD
+ value: {{ required "Hub password must be set." .Values.env.HUB_PASSWORD | quote }}
+ - name: OIDC__CERTS_URL
+ value: {{ required "OIDC endpoint must be set." .Values.env.OIDC_CERTS_URL | quote }}
+ # Change this to "1" for testing purposes. This will cause the value of OIDC__CERTS_URL to be
+ # ignored. You will still need to set this variable for the service to start up correctly.
+ - name: OIDC__SKIP_JWT_VALIDATION
+ value: "0"
+ startupProbe:
+ httpGet:
+ path: /healthz
+ port: http-result-srv
+ failureThreshold: 5
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http-result-srv
+ failureThreshold: 3
+ periodSeconds: 10
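Review bot: `MINIO__ENDPOINT` is set to the bare Service name `{{ .Release.Name }}-local-minio-service` with no port, while minio-service.yaml exposes MinIO on port 9000; unless the service's MinIO client defaults to 9000 (not visible here — confirm against the application config), the value should be `{{ .Release.Name }}-local-minio-service:9000`. The image is pinned inline as `ghcr.io/privateaim/node-result-service:sha-7740b53`; reading it from values, e.g. `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"`, lets operators bump it without editing the template. The container also carries no `resources` or `securityContext`; a short comment on the container spec noting that these are still to be set would stop the omission from looking deliberate.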
diff --git a/k8s/helm/node-result-service/templates/node-result-service.yaml b/k8s/helm/node-result-service/templates/node-result-service.yaml
new file mode 100644
index 0000000..abfbe09
--- /dev/null
+++ b/k8s/helm/node-result-service/templates/node-result-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-node-result-service
+spec:
+ type: NodePort # setting nodePort later is optional
+ selector:
+ app: node-result
+ ports:
+ - protocol: TCP
+ port: 8080 # port of this service
+ targetPort: http-result-srv # port on the pod
diff --git a/k8s/helm/node-result-service/values.yaml b/k8s/helm/node-result-service/values.yaml
new file mode 100644
index 0000000..61614ab
--- /dev/null
+++ b/k8s/helm/node-result-service/values.yaml
@@ -0,0 +1,11 @@
+api:
+ version: 0.1.0
+ domain: localhost
+env:
+ HUB_USERNAME: foobar
+ HUB_PASSWORD: sup3r_s3cr3t
+ MINIO_ACCESS_KEY: admin
+ MINIO_SECRET_KEY: s3cr3t_p4ssw0rd
+ MINIO_USE_SSL: false
+ MINIO_BUCKET: flame
+ OIDC_CERTS_URL: http://keycloak-service/realms/flame/protocol/openid-connect/certs
From ec967bd3f4908ee9068203a1bb6f80fc5d10c75e Mon Sep 17 00:00:00 2001
From: Maximilian Jugl
Date: Thu, 18 Apr 2024 14:02:59 +0200
Subject: [PATCH 3/3] fix: remove redundant values (thanks for the template Bruce)
---
 k8s/helm/node-result-service/values.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/k8s/helm/node-result-service/values.yaml b/k8s/helm/node-result-service/values.yaml
index 61614ab..1ee533c 100644
--- a/k8s/helm/node-result-service/values.yaml
+++ b/k8s/helm/node-result-service/values.yaml
@@ -1,6 +1,3 @@
-api:
- version: 0.1.0
- domain: localhost
 env:
 HUB_USERNAME: foobar
 HUB_PASSWORD: sup3r_s3cr3t
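Review bot: The Service selector `app: node-result` does not match the pod label `app: {{ .Release.Name }}-node-result` that node-result-deployment.yaml sets, so this Service gets no endpoints and nothing can reach the result service through it; minio-service.yaml gets the same pairing right with `app: {{ .Release.Name }}-minio`. Change the selector line to `app: {{ .Release.Name }}-node-result`. As with the MinIO Service, `type: NodePort` exposes the port on every node; if that is only needed for local testing, drive it from a value that defaults to ClusterIP.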
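Review bot: values.yaml ships working-looking defaults for every credential (`HUB_PASSWORD: sup3r_s3cr3t`, `MINIO_SECRET_KEY: s3cr3t_p4ssw0rd`, `MINIO_ACCESS_KEY: admin`), which means the `required` guards in the templates never fire: an install with no `--set`/`-f` overrides renders silently with these placeholder credentials. Leaving the secret keys empty (`HUB_PASSWORD: ""`, `MINIO_SECRET_KEY: ""`) makes `required` fail with the intended message until a real value is supplied, and keeps placeholder passwords out of the repository. `MINIO_USE_SSL: false` is a YAML boolean that the template turns into the string "false" via `quote`; confirm the service parses that spelling rather than expecting 0/1.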