-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a starter for vo-cutouts-style FastAPI Safir apps that use UWS. Update the code underlying phalanx application create so that it will substitute <CHARTENVPREFIX> in every template, not just configmap.yaml.
- Loading branch information
Showing
19 changed files
with
740 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,11 +1,10 @@ | ||
# Helm starters for Phalanx | ||
|
||
Each subdirectory of this directory is a Helm starter for a class of Phalanx service. | ||
Use the starters with the `-p` option to `helm create`. | ||
For example, from the `applications` directory: | ||
These are used by the `phalanx application create` command. | ||
|
||
For example, from the top of a Phalanx checkout: | ||
|
||
```sh | ||
helm create new-service -p $(pwd)/../starters/rsp-web-service | ||
phalanx application create --starter fastapi-safir <application> | ||
``` | ||
|
||
The path to the starter directory must be absolute, not relative, or Helm will try to use it has a path relative to `$HOME/.local/share/helm`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v2 | ||
name: <CHARTNAME> | ||
version: 1.0.0 | ||
description: "Helm starter chart for a new FastAPI Safir app using UWS" | ||
sources: | ||
- "https://github.com/lsst-sqre/<CHARTNAME>" | ||
appVersion: 0.1.0 | ||
|
||
dependencies: | ||
- name: redis | ||
version: 1.0.12 | ||
repository: https://lsst-sqre.github.io/charts/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
database-password: | ||
description: >- | ||
Password used to authenticate to the PostgreSQL database used to store job | ||
information. This password may be changed at any time. | ||
redis-password: | ||
description: >- | ||
Password used to authenticate to the internal Redis server, deployed as | ||
part of the same Argo CD application and used to manage the work | ||
queue. This secret can be changed at any time, but both the Redis server | ||
and all deployments will then have to be restarted to pick up the new | ||
value. | ||
generate: | ||
type: password |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "<CHARTNAME>.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "<CHARTNAME>.labels" -}} | ||
helm.sh/chart: {{ include "<CHARTNAME>.chart" . }} | ||
{{ include "<CHARTNAME>.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "<CHARTNAME>.selectorLabels" -}} | ||
app.kubernetes.io/name: "<CHARTNAME>" | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: <CHARTNAME> | ||
labels: | ||
{{- include "<CHARTNAME>.labels" . | nindent 4 }} | ||
data: | ||
<CHARTENVPREFIX>_ARQ_QUEUE_URL: "redis://<CHARTNAME>-redis.{{ .Release.Namespace }}" | ||
{{- if .Values.cloudsql.enabled }} | ||
<CHARTENVPREFIX>_DATABASE_URL: "postgresql://<CHARTNAME>@localhost/<CHARTNAME>" | ||
{{- end }} | ||
<CHARTENVPREFIX>_GRACE_PERIOD: {{ .Values.config.gracePeriod | quote }} | ||
<CHARTENVPREFIX>_LIFETIME: {{ .Values.config.lifetime | quote }} | ||
<CHARTENVPREFIX>_SERVICE_ACCOUNT: {{ required "config.serviceAccount must be set" .Values.config.serviceAccount | quote }} | ||
<CHARTENVPREFIX>_STORAGE_URL: {{ required "config.storageBucketUrl must be set" .Values.config.storageBucketUrl | quote }} | ||
<CHARTENVPREFIX>_SYNC_TIMEOUT: {{ .Values.config.syncTimeout | quote }} | ||
<CHARTENVPREFIX>_TIMEOUT: {{ .Values.config.timeout | quote }} | ||
<CHARTENVPREFIX>_LOG_LEVEL: {{ .Values.config.loglevel | quote }} | ||
<CHARTENVPREFIX>_PATH_PREFIX: {{ .Values.config.pathPrefix | quote }} | ||
<CHARTENVPREFIX>_PROFILE: {{ .Values.config.logProfile | quote }} |
96 changes: 96 additions & 0 deletions
96
starters/fastapi-safir-uws/templates/db-worker-deployment.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: <CHARTNAME>-db-worker | ||
labels: | ||
{{- include "<CHARTNAME>.labels" . | nindent 4 }} | ||
spec: | ||
replicas: {{ .Values.databaseWorker.replicaCount }} | ||
selector: | ||
matchLabels: | ||
{{- include "<CHARTNAME>.selectorLabels" . | nindent 6 }} | ||
app.kubernetes.io/component: "db-worker" | ||
template: | ||
metadata: | ||
annotations: | ||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} | ||
{{- with .Values.databaseWorker.podAnnotations }} | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
labels: | ||
{{- include "<CHARTNAME>.selectorLabels" . | nindent 8 }} | ||
app.kubernetes.io/component: "db-worker" | ||
<CHARTNAME>-redis-client: "true" | ||
spec: | ||
{{- with .Values.databaseWorker.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- if .Values.cloudsql.enabled }} | ||
serviceAccountName: "<CHARTNAME>" | ||
{{- else }} | ||
automountServiceAccountToken: false | ||
{{- end }} | ||
containers: | ||
{{- if .Values.cloudsql.enabled }} | ||
- name: "cloud-sql-proxy" | ||
command: | ||
- "/cloud_sql_proxy" | ||
- "-ip_address_types=PRIVATE" | ||
- "-log_debug_stdout=true" | ||
- "-structured_logs=true" | ||
- "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" | ||
image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" | ||
imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- "all" | ||
readOnlyRootFilesystem: true | ||
runAsNonRoot: true | ||
runAsUser: 65532 | ||
runAsGroup: 65532 | ||
{{- end }} | ||
- name: "db-worker" | ||
command: | ||
- "arq" | ||
- "<CHARTNAME>.workers.uws.WorkerSettings" | ||
env: | ||
- name: "<CHARTENVPREFIX>_ARQ_QUEUE_PASSWORD" | ||
valueFrom: | ||
secretKeyRef: | ||
name: "<CHARTNAME>" | ||
key: "redis-password" | ||
- name: "<CHARTENVPREFIX>_DATABASE_PASSWORD" | ||
valueFrom: | ||
secretKeyRef: | ||
name: "<CHARTNAME>" | ||
key: "database-password" | ||
envFrom: | ||
- configMapRef: | ||
name: "<CHARTNAME>" | ||
{{- with .Values.databaseWorker.resources }} | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }} | ||
resources: | ||
{{- toYaml . | nindent 12 }} | ||
{{- end }} | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- "all" | ||
readOnlyRootFilesystem: true | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
runAsGroup: 1000 | ||
{{- with .Values.databaseWorker.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- with .Values.databaseWorker.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} |
15 changes: 15 additions & 0 deletions
15
starters/fastapi-safir-uws/templates/db-worker-networkpolicy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
name: <CHARTNAME>-db-worker | ||
labels: | ||
{{- include "<CHARTNAME>.labels" . | nindent 4 }} | ||
spec: | ||
podSelector: | ||
# This policy controls inbound access to the database workers. | ||
matchLabels: | ||
{{- include "<CHARTNAME>.selectorLabels" . | nindent 6 }} | ||
app.kubernetes.io/component: "db-worker" | ||
policyTypes: | ||
# Block all inbound access. | ||
- Ingress |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: "<CHARTNAME>" | ||
labels: | ||
{{- include "<CHARTNAME>.labels" . | nindent 4 }} | ||
spec: | ||
replicas: {{ .Values.frontend.replicaCount }} | ||
selector: | ||
matchLabels: | ||
{{- include "<CHARTNAME>.selectorLabels" . | nindent 6 }} | ||
app.kubernetes.io/component: "frontend" | ||
template: | ||
metadata: | ||
annotations: | ||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} | ||
{{- with .Values.frontend.podAnnotations }} | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
labels: | ||
{{- include "<CHARTNAME>.selectorLabels" . | nindent 8 }} | ||
app.kubernetes.io/component: "frontend" | ||
<CHARTNAME>-redis-client: "true" | ||
spec: | ||
{{- with .Values.frontend.affinity }} | ||
affinity: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
{{- if .Values.cloudsql.enabled }} | ||
serviceAccountName: "<CHARTNAME>" | ||
{{- else }} | ||
automountServiceAccountToken: false | ||
{{- end }} | ||
containers: | ||
{{- if .Values.cloudsql.enabled }} | ||
- name: "cloud-sql-proxy" | ||
command: | ||
- "/cloud_sql_proxy" | ||
- "-ip_address_types=PRIVATE" | ||
- "-log_debug_stdout=true" | ||
- "-structured_logs=true" | ||
- "-instances={{ required "cloudsql.instanceConnectionName must be specified" .Values.cloudsql.instanceConnectionName }}=tcp:5432" | ||
image: "{{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}" | ||
imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy | quote }} | ||
{{- with .Values.cloudsql.resources }} | ||
resources: | ||
{{- toYaml . | nindent 12 }} | ||
{{- end }} | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- "all" | ||
readOnlyRootFilesystem: true | ||
runAsNonRoot: true | ||
runAsUser: 65532 | ||
runAsGroup: 65532 | ||
{{- end }} | ||
- name: "<CHARTNAME>" | ||
env: | ||
- name: "<CHARTENVPREFIX>_ARQ_QUEUE_PASSWORD" | ||
valueFrom: | ||
secretKeyRef: | ||
name: "<CHARTNAME>" | ||
key: "redis-password" | ||
- name: "<CHARTENVPREFIX>_DATABASE_PASSWORD" | ||
valueFrom: | ||
secretKeyRef: | ||
name: "<CHARTNAME>" | ||
key: "database-password" | ||
envFrom: | ||
- configMapRef: | ||
name: "<CHARTNAME>" | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }} | ||
ports: | ||
- containerPort: 8080 | ||
name: "http" | ||
protocol: "TCP" | ||
readinessProbe: | ||
httpGet: | ||
path: "/api/<CHARTNAME>/availability" | ||
port: "http" | ||
{{- with .Values.frontend.resources }} | ||
resources: | ||
{{- toYaml . | nindent 12 }} | ||
{{- end }} | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- "all" | ||
readOnlyRootFilesystem: true | ||
{{- with .Values.frontend.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
runAsGroup: 1000 | ||
{{- with .Values.frontend.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
apiVersion: gafaelfawr.lsst.io/v1alpha1 | ||
kind: GafaelfawrIngress | ||
metadata: | ||
name: "<CHARTNAME>" | ||
labels: | ||
{{- include "<CHARTNAME>.labels" . | nindent 4 }} | ||
config: | ||
baseUrl: {{ .Values.global.baseUrl | quote }} | ||
scopes: | ||
all: | ||
- "read:image" | ||
# Request a delegated token to use for making calls to Butler server with the | ||
# end-user's credentials. | ||
delegate: | ||
internal: | ||
service: "<CHARTNAME>" | ||
scopes: | ||
- "read:image" | ||
template: | ||
metadata: | ||
name: "<CHARTNAME>" | ||
{{- with .Values.ingress.annotations }} | ||
annotations: | ||
{{- toYaml . | nindent 6 }} | ||
{{- end }} | ||
spec: | ||
rules: | ||
- host: {{ required "global.host must be set" .Values.global.host | quote }} | ||
http: | ||
paths: | ||
- path: {{ .Values.config.pathPrefix | quote }} | ||
pathType: "Prefix" | ||
backend: | ||
service: | ||
name: "<CHARTNAME>" | ||
port: | ||
number: 8080 |
Oops, something went wrong.