Add initial helm charts for k8s deployments (#1080)

* Add initial helm charts for k8s deployments

* Temporarily remove K8s tests until in-cluster test is added

* Disable K8s tests in Github Actions (until in-cluster tests are added)

* Update initial Funnel Helm chart

.github/workflows/compliance.yaml

@@ -37,7 +37,7 @@ jobs:
       matrix:
         version: [1.0.0, 1.1.0]
         db: ["boltdb", "mongodb"]
-        compute: ["local", "kubernetes"]
+        compute: ["local"]
         storage: ["local", "s3"]
     needs: build
     runs-on: ubuntu-latest

deployments/kubernetes/README.md

@@ -1,4 +1,3 @@
-> [!WARNING]
 > Funnel's Kubernetes support is in active development and may involve frequent updates 🚧
 
 # Overview
@@ -22,23 +21,19 @@ Kuberenetes Resources:
 kubectl apply -f funnel-service.yml
 ```
 
-Get the clusterIP:
-
-```sh
-kubectl get services funnel --output=yaml | grep "clusterIP:"
-```
-
-Use this value to configure the server hostname of the worker config.
-
 ## 2. Create Funnel config files
 
 > *[funnel-server-config.yml](https://github.com/ohsu-comp-bio/funnel/blob/develop/deployments/kubernetes/funnel-server-config.yml)*
 
-We recommend setting `DisableJobCleanup` to `true` for debugging - otherwise failed jobs will be cleanup up.
-
 > *[funnel-worker-config.yml](https://github.com/ohsu-comp-bio/funnel/blob/develop/deployments/kubernetes/funnel-worker-config.yml)*
 
-***Remember to modify the file to have the actual server hostname.***
+Get the clusterIP:
+
+```sh
+export HOSTNAME=$(kubectl get services funnel --output=jsonpath='{.spec.clusterIP}')
+
+sed -i "s|\${HOSTNAME}|${HOSTNAME}|g" funnel-worker-config.yml
+```
 
 ## 3. Create a ConfigMap
 

deployments/kubernetes/funnel-worker-config.yml

@@ -21,5 +21,5 @@ EventWriters:
   - log
 
 Server:
-  HostName: < funnel service clusterIP >
+  HostName: "${HOSTNAME}"
   RPCPort: 9090

deployments/kubernetes/helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deployments/kubernetes/helm/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: funnel
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

deployments/kubernetes/helm/templates/NOTES.txt

@@ -0,0 +1,5 @@
+1. To access the Funnel application, use the following instructions:
+
+To access the service locally, use:
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "funnel.fullname" . }} 8080:8000
+  echo "Visit http://127.0.0.1:8080"

deployments/kubernetes/helm/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "funnel.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "funnel.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "funnel.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "funnel.labels" -}}
+helm.sh/chart: {{ include "funnel.chart" . }}
+{{ include "funnel.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "funnel.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "funnel.name" . }}
+app.kubernetes.io/instance: funnel
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "funnel.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "funnel.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deployments/kubernetes/helm/templates/configmap.yaml

@@ -0,0 +1,84 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: funnel-config
+data:
+  funnel-server-config.yaml: |-
+    Database: boltdb
+
+    Compute: kubernetes
+
+    Logger:
+      Level: debug
+
+    Kubernetes:
+      # The executor used to execute tasks. Available executors: docker, kubernetes
+      Executor: "kubernetes"
+      DisableJobCleanup: false
+      DisableReconciler: false
+      ReconcileRate: 5m
+      Namespace: default
+      Template: |
+        apiVersion: batch/v1
+        kind: Job
+        metadata:
+          ## DO NOT CHANGE NAME
+          name: {{.TaskId}}
+          namespace: {{.Namespace}}
+        spec:
+          backoffLimit: 0
+          completions: 1
+          template:
+            spec:
+              restartPolicy: Never
+              serviceAccountName: funnel-sa
+              containers:
+                - name: {{printf "funnel-worker-%s" .TaskId}}
+                  image: quay.io/ohsu-comp-bio/funnel:latest
+                  imagePullPolicy: IfNotPresent
+                  args:
+                    - "worker"
+                    - "run"
+                    - "--config"
+                    - "/etc/config/funnel-worker-config.yaml"
+                    - "--taskID"
+                    - {{.TaskId}}
+                  resources:
+                      requests:
+                        cpu: {{if ne .Cpus 0 -}}{{.Cpus}}{{ else }}{{"100m"}}{{end}}
+                        memory: {{if ne .RamGb 0.0 -}}{{printf "%.0fG" .RamGb}}{{else}}{{"16M"}}{{end}}
+                        ephemeral-storage: {{if ne .DiskGb 0.0 -}}{{printf "%.0fG" .DiskGb}}{{else}}{{"100M"}}{{end}}
+                  volumeMounts:
+                    - name: {{printf "funnel-storage-%s" .TaskId}}
+                      mountPath: {{printf "/opt/funnel/funnel-work-dir/%s" .TaskId}}
+                    - name: config-volume
+                      mountPath: /etc/config
+
+                  securityContext:
+                    privileged: true
+
+              volumes:
+                - name: {{printf "funnel-storage-%s" .TaskId}}
+                  emptyDir: {}
+                - name: config-volume
+                  configMap:
+                    name: funnel-config    
+
+  funnel-worker-config.yaml: |-
+    Database: boltdb
+    BoltDB:
+      Path: /opt/funnel/funnel-work-dir/funnel.bolt.db
+    Compute: kubernetes
+    Kubernetes:
+      Executor: "kubernetes"
+    Logger:
+      Level: debug
+    RPCClient:
+      MaxRetries: 3
+      Timeout: 30s
+    EventWriters:
+      - rpc
+      - log
+    Server:
+      HostName: ""
+      RPCPort: 9090

deployments/kubernetes/helm/templates/deployment.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "funnel.fullname" . }}
+  labels:
+    {{- include "funnel.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "funnel.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "funnel.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "funnel.serviceAccountName" . }}
+      containers:
+        - name: funnel
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: Always
+          command:
+            - 'funnel'
+            - 'server'
+            - 'run'
+            - '--config'
+            - '/etc/config/funnel-server-config.yaml'
+          resources:
+            requests:
+              cpu: {{ .Values.resources.requests.cpu }}
+              memory: {{ .Values.resources.requests.memory }}
+            limits:
+              cpu: {{ .Values.resources.limits.cpu }}
+              memory: {{ .Values.resources.limits.memory }}
+          ports:
+            - name: http
+              containerPort: 8000
+            - name: rpc
+              containerPort: 9090
+          volumeMounts:
+            - name: funnel-deployment-storage
+              mountPath: /opt/funnel/funnel-work-dir
+            - name: config-volume
+              mountPath: /etc/config
+      volumes:
+        - name: funnel-deployment-storage
+          persistentVolumeClaim:
+            claimName: funnel-pvc
+        - name: config-volume
+          configMap:
+            name: funnel-config

deployments/kubernetes/helm/templates/role.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "funnel.fullname" . }}-role
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["batch", "extensions"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["extensions", "apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}

deployments/kubernetes/helm/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: funnel-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: funnel-sa
+roleRef:
+  kind: Role
+  name: funnel-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

deployments/kubernetes/helm/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: funnel-service
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8000
+      targetPort: 8000
+    - name: rpc
+      protocol: TCP
+  selector:
+    {{- include "funnel.selectorLabels" . | nindent 4 }}
+      port: 9090
+      targetPort: 9090

deployments/kubernetes/helm/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: funnel-sa
+  labels:
+    {{- include "funnel.labels" . | nindent 4 }}
+automountServiceAccountToken: true
+{{- end }}

deployments/kubernetes/helm/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "funnel.fullname" . }}-test-connection"
+  labels:
+    {{- include "funnel.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "funnel.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never