From f6072d8b7adb6dbc4b71839bf2f4931c48ab1e83 Mon Sep 17 00:00:00 2001 From: EliseCastle23 Date: Wed, 26 Jul 2023 13:36:07 -0600 Subject: [PATCH 01/27] made the necessary changes for Indexd to work with the new slim python image and gunicorn. I also added in the ability to have an nginx sidecar container with gunicorn if needed. --- helm/indexd/Chart.yaml | 2 +- helm/indexd/README.md | 16 ++++++---- helm/indexd/templates/_helpers.tpl | 11 +++++++ helm/indexd/templates/deployment.yaml | 18 +++++++++-- helm/indexd/templates/nginx_config.yaml | 14 +++++++++ helm/indexd/templates/pre-install.yaml | 9 +++--- helm/indexd/templates/uwsgi.yaml | 42 ------------------------- helm/indexd/templates/wsgi.yaml | 9 ++++++ helm/indexd/values.yaml | 26 ++++++++++----- 9 files changed, 83 insertions(+), 64 deletions(-) create mode 100644 helm/indexd/templates/nginx_config.yaml delete mode 100644 helm/indexd/templates/uwsgi.yaml create mode 100644 helm/indexd/templates/wsgi.yaml diff --git a/helm/indexd/Chart.yaml b/helm/indexd/Chart.yaml index 54634c9d..8890042a 100644 --- a/helm/indexd/Chart.yaml +++ b/helm/indexd/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.10 +version: 0.1.11 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/indexd/README.md b/helm/indexd/README.md index ae4ea0bb..cdf8497b 100644 --- a/helm/indexd/README.md +++ b/helm/indexd/README.md 
@@ -1,6 +1,6 @@ # indexd -![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 indexd 
@@ -56,10 +56,10 @@ A Helm chart for gen3 indexd | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `1000` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | -| image | map | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cdis/indexd","tag":""}` | Docker image information. | -| image.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| image | map | `{"pullPolicy":"Never","repository":"quay.io/cdis/indexd","tag":"feat_GPE-788"}` | Docker image information. | +| image.pullPolicy | string | `"Never"` | When to pull the image. | | image.repository | string | `"quay.io/cdis/indexd"` | The Docker image repository for the indexd service | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| image.tag | string | `"feat_GPE-788"` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Docker image pull secrets. | | nameOverride | string | `""` | Override the name of the chart. | | nodeSelector | map | `{}` | Node Selector for the pods | 
@@ -95,10 +95,14 @@ A Helm chart for gen3 indexd | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.enabled | bool | `true` | Whether to enable the nginx sidecar image. | +| sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"Always"` | When to pull the image. | +| sidecar.tag | string | `"master"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | -| uwsgi | map | `{"listen":1024}` | Values for overriding uwsgi settings | | volumeMounts | list | `[{"mountPath":"/var/www/indexd/local_settings.py","name":"config-volume","readOnly":true,"subPath":"local_settings.py"}]` | Volumes to mount to the container. | -| volumes | list | `[{"configMap":{"name":"indexd-uwsgi"},"name":"uwsgi-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}}]` | Volumes to attach to the pod | +| volumes | list | `[{"configMap":{"name":"indexd-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}},{"configMap":{"name":"nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the pod | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/indexd/templates/_helpers.tpl b/helm/indexd/templates/_helpers.tpl index 0f83473c..17978f19 100644 --- a/helm/indexd/templates/_helpers.tpl +++ b/helm/indexd/templates/_helpers.tpl 
@@ -101,4 +101,15 @@ Create the name of the service account to use */}} {{- define "indexd-gateway-creds" -}} {{- default (randAlphaNum 32) .Values.secrets.userdb.gateway }} +{{- end }} + +{{/* +Port for Gunicorn to bind to depending on if nginx sidecar is deployed. +*/}} +{{- define "indexd.gunicornPort" -}} +{{- if .Values.sidecar.enabled}} +{{- default 8000 }} +{{- else }} +{{- default 80}} +{{- end }} {{- end }} \ No newline at end of file diff --git a/helm/indexd/templates/deployment.yaml b/helm/indexd/templates/deployment.yaml index 497d4f45..cd8df3c9 100644 --- a/helm/indexd/templates/deployment.yaml +++ b/helm/indexd/templates/deployment.yaml @@ -81,9 +81,9 @@ spec: value: {{ .Values.defaultPrefix }} {{- toYaml .Values.env | nindent 12 }} volumeMounts: - - name: "uwsgi-config" - mountPath: "/etc/uwsgi/uwsgi.ini" - subPath: uwsgi.ini + - name: "wsgi-config" + mountPath: "/indexd/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py - name: "config-volume" readOnly: true mountPath: "/var/www/indexd/local_settings.py" @@ -104,6 +104,18 @@ spec: port: http resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }} + ports: + - name: http + containerPort: 80 + protocol: TCP + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helm/indexd/templates/nginx_config.yaml b/helm/indexd/templates/nginx_config.yaml new file mode 100644 index 00000000..525cd8dd --- /dev/null +++ b/helm/indexd/templates/nginx_config.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-configmap +data: + default.conf: | + server { + listen 80; + server_name localhost; # Replace with your domain or IP address + + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } 
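Review bot: The `sidecar-nginx` container in the deployment.yaml hunk renders `image: {{ .Values.sidecar.image }}` with no tag and no `imagePullPolicy`, so the `sidecar.tag` and `sidecar.pullPolicy` values introduced in the same patch are never read and the pod pulls an implicit `latest` that can change underneath a release. Use `image: "{{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}"` followed by `imagePullPolicy: {{ .Values.sidecar.pullPolicy }}`. The sidecar also declares a port named `http` on 80 while the probes on the indexd container reference `port: http`; the indexd container's own `ports:` list is outside the hunk, but the Kubernetes API documentation requires named ports to be unique within a pod, so confirm the two do not collide. The same untagged image and missing pull policy reappear in the fence deployment hunk of patch 07 (helm/fence/templates/fence-deployment.yaml).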
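Review bot: The `location /` block in the new nginx_config.yaml proxies to gunicorn without any `proxy_set_header` directives, so gunicorn receives `Host: 127.0.0.1:8000` (nginx rewrites Host to the upstream address by default) and no client address or scheme information, which affects any URL or redirect the application builds from the request host. Add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the location block. Whether the revproxy in front of this pod already supplies forwarding headers is not visible here, but nginx will not append its own hop to them without the directive. The fence copy of this config in patch 07 (helm/fence/nginx-config.yaml) has the same gap.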
diff --git a/helm/indexd/templates/pre-install.yaml b/helm/indexd/templates/pre-install.yaml index a6f6cd9f..8ba15353 100644 --- a/helm/indexd/templates/pre-install.yaml +++ b/helm/indexd/templates/pre-install.yaml @@ -82,8 +82,9 @@ spec: # Script always succeeds if it runs (echo exits with 0) # indexd image does not include jq, so use python - | - echo 'python /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}' - python /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}" - echo 'python /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}' - python /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}" + source /root/.cache/pypoetry/virtualenvs/indexd-25E0ynMx-py3.9/bin/activate + echo 'python3 /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}' + python3 /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}" + echo 'python3 /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}' + python3 /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}" restartPolicy: Never \ No newline at end of file diff --git a/helm/indexd/templates/uwsgi.yaml b/helm/indexd/templates/uwsgi.yaml deleted file mode 100644 index a6eef58c..00000000 --- a/helm/indexd/templates/uwsgi.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: indexd-uwsgi -data: - uwsgi.ini: | - [uwsgi] - protocol = uwsgi - socket = /var/run/gen3/uwsgi.sock - buffer-size = 32768 - uid = nginx - gid = nginx - chown-socket = nginx:nginx - chmod-socket = 666 - master = true - harakiri-verbose = true - # No global HARAKIRI, using only user HARAKIRI, because export overwrites it - # Cannot overwrite global HARAKIRI with user's: https://git.io/fjYuD - # harakiri = 45 - ; If VIRTUAL_ENV is set then use its value to specify the virtualenv directory - if-env = VIRTUAL_ENV - virtualenv = %(_) - endif = - http-timeout = 45 - socket-timeout = 45 - worker-reload-mercy = 45 - reload-mercy = 45 - mule-reload-mercy = 45 - disable-logging = true - wsgi-file=/indexd/wsgi.py - plugins = python3 - vacuum = true - pythonpath = /indexd/ - stats = 127.0.0.1:9191 - stats-http = true - env = prometheus_multiproc_dir=/var/tmp/uwsgi_flask_metrics - exec-asap = /indexd/clear_prometheus_multiproc /var/tmp/uwsgi_flask_metrics - # Initialize application in worker processes, not master. This prevents the - # workers from all trying to open the same database connections at startup. - lazy = true - lazy-apps = true - listen = {{ .Values.uwsgi.listen }} diff --git a/helm/indexd/templates/wsgi.yaml b/helm/indexd/templates/wsgi.yaml new file mode 100644 index 00000000..d52565f5 --- /dev/null +++ b/helm/indexd/templates/wsgi.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: indexd-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:{{ include "indexd.gunicornPort" . }}" + workers = 1 diff --git a/helm/indexd/values.yaml b/helm/indexd/values.yaml index e9ee3d9c..7d92f2cf 100644 --- a/helm/indexd/values.yaml +++ b/helm/indexd/values.yaml 
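Review bot: The new gunicorn.conf.py in wsgi.yaml carries over none of the operational settings of the uwsgi.ini deleted in the same patch: the old file set `env = prometheus_multiproc_dir=/var/tmp/uwsgi_flask_metrics`, ran `clear_prometheus_multiproc` at startup, and used `lazy-apps` with 45-second timeouts, while the ConfigMap here sets only `wsgi_app`, `bind` and `workers = 1`. If indexd still uses prometheus multiprocess mode, metrics will not be collected unless that directory variable is set for the gunicorn workers, which cannot be confirmed from the chart alone. At minimum consider `timeout = 45` so gunicorn's default 30-second worker kill matches the previous harakiri budget, and add a comment in the ConfigMap explaining why a single worker is sufficient.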
@@ -94,9 +94,20 @@ image: # -- (string) The Docker image repository for the indexd service repository: quay.io/cdis/indexd # -- (string) When to pull the image. - pullPolicy: IfNotPresent + pullPolicy: Never # -- (string) Overrides the image tag whose default is the chart appVersion. - tag: "" + tag: "feat_GPE-788" + +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + # -- (bool) Whether to enable the nginx sidecar image. + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx + # -- (string) When to pull the image. + pullPolicy: Always + # -- (string) Image tag. + tag: "master" # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -177,12 +188,15 @@ affinity: {} # -- (list) Volumes to attach to the pod volumes: -- name: uwsgi-config +- name: wsgi-config configMap: - name: indexd-uwsgi + name: indexd-wsgi - name: config-volume secret: secretName: "indexd-settings" +- name: nginx-config + configMap: + name: nginx-configmap # -- (list) Volumes to mount to the container. volumeMounts: @@ -205,10 +219,6 @@ secrets: sheepdog: # gateway: -# -- (map) Values for overriding uwsgi settings -uwsgi: - listen: 1024 - # -- (string) default prefix for indexd defaultPrefix: "PREFIX/" From 73b932359422b79a9d446debf9799cb9124ceec9 Mon Sep 17 00:00:00 2001 From: EliseCastle23 Date: Wed, 26 Jul 2023 13:59:57 -0600 Subject: [PATCH 02/27] running gunicorn with a low priledged user. --- helm/indexd/templates/wsgi.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/helm/indexd/templates/wsgi.yaml b/helm/indexd/templates/wsgi.yaml index d52565f5..16a92119 100644 --- a/helm/indexd/templates/wsgi.yaml +++ b/helm/indexd/templates/wsgi.yaml @@ -7,3 +7,5 @@ data: wsgi_app = "deployment.wsgi.wsgi:application" bind = "0.0.0.0:{{ include "indexd.gunicornPort" . }}" workers = 1 + user = 'nobody' + group = 'nobody' From 4ded8dabf5145397525a8ff0c6fd2c59e35dc157 Mon Sep 17 00:00:00 2001 
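Review bot: The values.yaml hunk at `@@ -94,9` commits development-only defaults into the chart: `pullPolicy: Never` and `tag: "feat_GPE-788"`. Any consumer installing this chart version pins a feature-branch image that must already be present on every node, so pods fail with ErrImageNeverPull on a fresh cluster, and the README regenerated in this patch now advertises these as the defaults. Restore `pullPolicy: IfNotPresent` and `tag: ""` so the image resolves to `.Chart.AppVersion`, and supply the feature tag through `--set` or a local values override instead.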
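Review bot: `user = 'nobody'` / `group = 'nobody'` in the patch 02 wsgi.yaml hunk only take effect when the gunicorn master starts as root, because the switch is done with setuid/setgid after the socket is bound; if the container already runs as a different non-root user the workers fail at startup, and if it runs as root the master stays root for the lifetime of the pod. Patch 03 changes these to `appuser`, which additionally requires that user to exist in the indexd image and carries the same constraint, as does helm/fence/wsgi.yaml in patch 07. A pod-level `securityContext` with `runAsNonRoot: true` and `runAsUser` set to the image's application UID puts the whole container under a low-privileged identity without depending on gunicorn's setuid, and is visible to admission policy in a way a ConfigMap setting is not.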
From: EliseCastle23 Date: Wed, 9 Aug 2023 09:26:03 -0600 Subject: [PATCH 03/27] changing the user to "appuser" instead of "nobody" --- helm/indexd/templates/wsgi.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm/indexd/templates/wsgi.yaml b/helm/indexd/templates/wsgi.yaml index 16a92119..0d02b1e8 100644 --- a/helm/indexd/templates/wsgi.yaml +++ b/helm/indexd/templates/wsgi.yaml @@ -7,5 +7,5 @@ data: wsgi_app = "deployment.wsgi.wsgi:application" bind = "0.0.0.0:{{ include "indexd.gunicornPort" . }}" workers = 1 - user = 'nobody' - group = 'nobody' + user = 'appuser' + group = 'appuser' From aaf27942adad94237b5f02e8670e20f3f0c347a9 Mon Sep 17 00:00:00 2001 From: EliseCastle23 Date: Fri, 11 Aug 2023 09:13:15 -0600 Subject: [PATCH 04/27] cleaning up conf --- helm/indexd/templates/nginx_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/indexd/templates/nginx_config.yaml b/helm/indexd/templates/nginx_config.yaml index 525cd8dd..e93f13bc 100644 --- a/helm/indexd/templates/nginx_config.yaml +++ b/helm/indexd/templates/nginx_config.yaml @@ -6,7 +6,7 @@ data: default.conf: | server { listen 80; - server_name localhost; # Replace with your domain or IP address + server_name localhost; location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address From cfffb60d057861b12727cd98ec80f5041fb267ab Mon Sep 17 00:00:00 2001 From: EliseCastle23 Date: Tue, 15 Aug 2023 13:55:10 -0600 Subject: [PATCH 05/27] fixing the virtual environment call --- helm/indexd/templates/pre-install.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/indexd/templates/pre-install.yaml b/helm/indexd/templates/pre-install.yaml index 8ba15353..ae0eca5a 100644 --- a/helm/indexd/templates/pre-install.yaml +++ b/helm/indexd/templates/pre-install.yaml 
@@ -82,7 +82,7 @@ spec: # Script always succeeds if it runs (echo exits with 0) # indexd image does not include jq, so use python - | - source /root/.cache/pypoetry/virtualenvs/indexd-25E0ynMx-py3.9/bin/activate + source .venv/bin/activate echo 'python3 /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}' python3 /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}" echo 'python3 /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}' From de1072763dbfc18a9efef7484d286808f39b4710 Mon Sep 17 00:00:00 2001 From: EliseCastle23 Date: Thu, 14 Sep 2023 15:36:23 -0600 Subject: [PATCH 06/27] Making it so the nginx sidecar is always deployed --- helm/indexd/README.md | 3 +-- helm/indexd/templates/_helpers.tpl | 11 ----------- helm/indexd/templates/wsgi.yaml | 2 +- helm/indexd/values.yaml | 2 -- 4 files changed, 2 insertions(+), 16 deletions(-) diff --git a/helm/indexd/README.md b/helm/indexd/README.md index cdf8497b..2ee22d09 100644 --- a/helm/indexd/README.md +++ b/helm/indexd/README.md 
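Review bot: `source .venv/bin/activate` in the pre-install hunk is resolved relative to the container's working directory, which is not set in the visible lines, while the commands that follow use absolute `/indexd/bin/...` paths. Because the comment above the script notes it always succeeds, a failed `source` is silent and the `python3` calls then run against whatever interpreter is on PATH, which on a slim image may lack indexd's dependencies and leave the fence and sheepdog accounts uncreated. Prefer an absolute path to the venv (presumably under `/indexd`; confirm against the image) or invoke its interpreter directly, and add an explicit check that activation succeeded before the credential-creating commands. The script begins before the hunk, so whether `set -e` is in effect cannot be seen here.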
@@ -95,8 +95,7 @@ A Helm chart for gen3 indexd | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.enabled | bool | `true` | Whether to enable the nginx sidecar image. | +| sidecar | map | `{"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | | sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx | | sidecar.pullPolicy | string | `"Always"` | When to pull the image. | | sidecar.tag | string | `"master"` | Image tag. | diff --git a/helm/indexd/templates/_helpers.tpl b/helm/indexd/templates/_helpers.tpl index 17978f19..0f83473c 100644 --- a/helm/indexd/templates/_helpers.tpl +++ b/helm/indexd/templates/_helpers.tpl @@ -101,15 +101,4 @@ Create the name of the service account to use */}} {{- define "indexd-gateway-creds" -}} {{- default (randAlphaNum 32) .Values.secrets.userdb.gateway }} -{{- end }} - -{{/* -Port for Gunicorn to bind to depending on if nginx sidecar is deployed. -*/}} -{{- define "indexd.gunicornPort" -}} -{{- if .Values.sidecar.enabled}} -{{- default 8000 }} -{{- else }} -{{- default 80}} -{{- end }} {{- end }} \ No newline at end of file diff --git a/helm/indexd/templates/wsgi.yaml b/helm/indexd/templates/wsgi.yaml index 0d02b1e8..8b1fa214 100644 --- a/helm/indexd/templates/wsgi.yaml +++ b/helm/indexd/templates/wsgi.yaml 
@@ -5,7 +5,7 @@ metadata: data: gunicorn.conf.py: | wsgi_app = "deployment.wsgi.wsgi:application" - bind = "0.0.0.0:{{ include "indexd.gunicornPort" . }}" + bind = "0.0.0.0:8000" workers = 1 user = 'appuser' group = 'appuser' diff --git a/helm/indexd/values.yaml b/helm/indexd/values.yaml index 7d92f2cf..cdf89f11 100644 --- a/helm/indexd/values.yaml +++ b/helm/indexd/values.yaml @@ -100,8 +100,6 @@ image: # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. sidecar: - # -- (bool) Whether to enable the nginx sidecar image. - enabled: true # -- (string) The Docker image repository for nginx image: quay.io/cdis/nginx # -- (string) When to pull the image. From b8208754cfcf7cf2b8b16d053a297d100fae24df Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 14 Nov 2023 13:51:35 -0600 Subject: [PATCH 07/27] Add nginx sidecar for gunicorn to fence --- .secrets.baseline | 14 ++++++------- helm/fence/Chart.yaml | 2 +- helm/fence/README.md | 8 ++++++-- helm/fence/nginx-config.yaml | 13 ++++++++++++ helm/fence/templates/fence-deployment.yaml | 23 +++++++++++++++------- helm/fence/values.yaml | 16 +++++++++++++++ helm/fence/wsgi.yaml | 11 +++++++++++ 7 files changed, 70 insertions(+), 17 deletions(-) create mode 100644 helm/fence/nginx-config.yaml create mode 100644 helm/fence/wsgi.yaml diff --git a/.secrets.baseline b/.secrets.baseline index ea7061a4..3d2d316d 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2023-07-27T21:47:16Z", + "generated_at": "2023-11-14T19:51:24Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -289,10 +289,10 @@ "type": "Secret Keyword" }, { - "hashed_secret": "9d8fada0e01336e865c461bb3549084d206fe6da", + "hashed_secret": "680318f193e2ef208430b002ad07ff98a79ac457", "is_secret": false, "is_verified": false, - "line_number": 181, + "line_number": 185, "type": "Secret Keyword" } ], 
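Review bot: `bind = "0.0.0.0:8000"` in the wsgi.yaml hunk exposes gunicorn on the pod IP while the nginx sidecar, now always deployed per this patch, proxies to `127.0.0.1:8000`. Anything that can reach the pod network can therefore bypass nginx and reach gunicorn directly, so the sidecar is not the single entry point into the container. Since nginx is the only intended client, change this to `bind = "127.0.0.1:8000"`; the same applies to helm/fence/templates/wsgi.yaml added in patch 07. If a direct path is still wanted for some caller, constrain it with a NetworkPolicy rather than a wildcard bind.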
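Review bot: Removing `sidecar.enabled` from values.yaml leaves the `{{- if .Values.sidecar.enabled }}` guard around the `sidecar-nginx` container in helm/indexd/templates/deployment.yaml (added in patch 01) in place, since deployment.yaml is not in this patch's diffstat. With the key absent the condition renders false, so the sidecar container is never emitted, which is the opposite of what the commit title states, and the `nginx-config` volume still listed in values.yaml is then mounted by nothing. Either remove the `{{- if }}` / `{{- end }}` pair in deployment.yaml in this same commit or keep `enabled: true` in values.yaml.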
@@ -356,7 +356,7 @@ "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db", "is_secret": false, "is_verified": false, - "line_number": 1916, + "line_number": 1932, "type": "Secret Keyword" } ], @@ -470,10 +470,10 @@ "type": "Secret Keyword" }, { - "hashed_secret": "1cc98556e7b1353c7bd08344f9190808b0d3d6d4", - "is_secret": true, + "hashed_secret": "ffa29bb5e69093c793d39762da0340f0bcf3fe53", + "is_secret": false, "is_verified": false, - "line_number": 101, + "line_number": 104, "type": "Secret Keyword" } ], diff --git a/helm/fence/Chart.yaml b/helm/fence/Chart.yaml index 529a6d94..36d58d86 100644 --- a/helm/fence/Chart.yaml +++ b/helm/fence/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.13 +version: 0.1.14 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/fence/README.md b/helm/fence/README.md index d75bdfa4..475f9096 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md @@ -1,6 +1,6 @@ # fence -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Fence 
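Review bot: The `.secrets.baseline` hunk at `@@ -470,10` replaces an entry that was audited as `"is_secret": true` (hash `1cc98556…`, line 101) with a new hash at line 104 audited as `"is_secret": false`, and the commit message does not mention the re-audit. If the earlier value was a genuine credential checked into the repository, replacing the line does not remove it from history and the credential should be rotated; if it was a placeholder, the old flag was wrong and the message should say the entry was re-reviewed. The file the entry belongs to is outside the hunk, so which value changed cannot be confirmed here.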
@@ -163,6 +163,10 @@ A Helm chart for gen3 Fence | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `"fence-sa"` | The name of the service account | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"Always"` | When to pull the image. | +| sidecar.tag | string | `"master"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","secrets":{"awsAccessKeyId":"","awsSecretAccessKey":""},"slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":false}` | Configuration options for usersync cronjob. | | usersync.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml | 
@@ -178,7 +182,7 @@ A Helm chart for gen3 Fence | usersync.userYamlS3Path | string | `"s3://cdis-gen3-users/helm-test/user.yaml"` | Path to the user.yaml file in S3. | | usersync.usersync | bool | `false` | Whether to run Fence usersync or not. | | volumeMounts | list | `[{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":true,"subPath":"jwt_private_key.pem"}]` | Volumes to mount to the container. 
| -| volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":true},"name":"yaml-merge"}]` | Volumes to attach to the container. | +| volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":true},"name":"yaml-merge"},{"configMap":{"name":"fence-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"fence-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. 
| ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/fence/nginx-config.yaml b/helm/fence/nginx-config.yaml new file mode 100644 index 00000000..0f422ef9 --- /dev/null +++ b/helm/fence/nginx-config.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: fence-nginx-configmap +data: + default.conf: | + server { + listen 80; + server_name localhost; + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } \ No newline at end of file diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml index 2fe2c6ec..733371c5 100644 --- a/helm/fence/templates/fence-deployment.yaml +++ b/helm/fence/templates/fence-deployment.yaml @@ -31,19 +31,28 @@ spec: volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }} + ports: + - name: http + containerPort: 80 + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} - name: fence image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP + - name: app + containerPort: 8000 + # - name: https + # containerPort: 443 + # protocol: TCP - name: container containerPort: 6567 - protocol: TCP livenessProbe: httpGet: path: /_status diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml index f0352346..950922d6 100644 --- a/helm/fence/values.yaml +++ b/helm/fence/values.yaml 
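Review bot: The fence container's port is renamed from `http` to `app` (8000) in the fence-deployment.yaml hunk, but the `livenessProbe` whose `httpGet` starts at the end of the hunk keeps its `port:` line outside the visible lines; if it still says `http`, a named port in a probe must belong to the same container, so the probe no longer resolves and the pod restarts continuously. Change it to `port: app` (and any readinessProbe likewise) or reference `8000` numerically. The commented-out `https` port lines should be deleted rather than left as dead YAML comments. The sidecar block here also repeats the untagged `image: {{ .Values.sidecar.image }}` without `imagePullPolicy`, as raised on the indexd deployment in patch 01.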
@@ -118,6 +118,16 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "master" +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx + # -- (string) When to pull the image. + pullPolicy: Always + # -- (string) Image tag. + tag: "master" + # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -333,6 +343,12 @@ volumes: configMap: name: "fence-yaml-merge" optional: true + - name: wsgi-config + configMap: + name: fence-wsgi + - name: nginx-config + configMap: + name: fence-nginx-configmap # -- (list) Volumes to mount to the container. volumeMounts: diff --git a/helm/fence/wsgi.yaml b/helm/fence/wsgi.yaml new file mode 100644 index 00000000..ff258ad7 --- /dev/null +++ b/helm/fence/wsgi.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: fence-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:8000" + workers = 1 + user = 'appuser' + group = 'appuser' From d1be1a74f855abf6fd50f6bf7cb231cb8e652e10 Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 14 Nov 2023 13:52:20 -0600 Subject: [PATCH 08/27] Add nginx sidecar for gunicorn to fence --- helm/fence/{ => templates}/nginx-config.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename helm/fence/{ => templates}/nginx-config.yaml (100%) diff --git a/helm/fence/nginx-config.yaml b/helm/fence/templates/nginx-config.yaml similarity index 100% rename from helm/fence/nginx-config.yaml rename to helm/fence/templates/nginx-config.yaml From 2b91116115e102247cd93612c00d166dc8acda30 Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 14 Nov 2023 13:53:07 -0600 Subject: [PATCH 09/27] Add nginx sidecar for gunicorn to fence --- helm/fence/{ => templates}/wsgi.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename helm/fence/{ => templates}/wsgi.yaml (100%) 
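Review bot: `enabled: true` under the new `sidecar:` map in values.yaml has no `# -- (bool)` annotation, unlike its siblings, so helm-docs omits a `sidecar.enabled` row from the README regenerated in this patch even though fence-deployment.yaml gates the container on it. Add `# -- (bool) Whether to deploy the nginx sidecar in front of gunicorn.` above the key so the toggle is documented where operators look for it.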
diff --git a/helm/fence/wsgi.yaml b/helm/fence/templates/wsgi.yaml similarity index 100% rename from helm/fence/wsgi.yaml rename to helm/fence/templates/wsgi.yaml From bb6544beff103f4b21638134029f70f7db68fd68 Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 14 Nov 2023 14:01:49 -0600 Subject: [PATCH 10/27] bump indexd and fence --- helm/gen3/Chart.yaml | 4 ++-- helm/gen3/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml index 1d602327..7c0b4377 100644 --- a/helm/gen3/Chart.yaml +++ b/helm/gen3/Chart.yaml @@ -28,7 +28,7 @@ dependencies: version: "0.1.7" repository: file://../common - name: fence - version: "0.1.13" + version: "0.1.14" repository: "file://../fence" condition: fence.enabled - name: guppy @@ -40,7 +40,7 @@ dependencies: repository: "file://../hatchery" condition: hatchery.enabled - name: indexd - version: "0.1.10" + version: "0.1.11" repository: "file://../indexd" condition: indexd.enabled - name: manifestservice diff --git a/helm/gen3/README.md b/helm/gen3/README.md index acf56f1c..6c8bfea7 100644 --- a/helm/gen3/README.md +++ b/helm/gen3/README.md @@ -25,10 +25,10 @@ Helm chart to deploy Gen3 Data Commons | file://../aws-es-proxy | aws-es-proxy | 0.1.6 | | file://../common | common | 0.1.7 | | file://../elasticsearch | elasticsearch | 0.1.5 | -| file://../fence | fence | 0.1.13 | +| file://../fence | fence | 0.1.14 | | file://../guppy | guppy | 0.1.8 | | file://../hatchery | hatchery | 0.1.6 | -| file://../indexd | indexd | 0.1.10 | +| file://../indexd | indexd | 0.1.11 | | file://../manifestservice | manifestservice | 0.1.10 | | file://../metadata | metadata | 0.1.8 | | file://../peregrine | peregrine | 0.1.9 | From 5cf550af8605f51944860817ec3a3200fcfa7e91 Mon Sep 17 00:00:00 2001 
From: Jawad Qureshi Date: Mon, 20 Nov 2023 16:27:13 -0600 Subject: [PATCH 11/27] Update fence to run nginx as sidecar --- helm/fence/README.md | 4 +- helm/fence/templates/fence-deployment.yaml | 52 +++++++++---------- helm/fence/templates/presigned-url-fence.yaml | 21 +++++++- helm/fence/templates/useryaml-job.yaml | 2 +- helm/fence/values.yaml | 4 +- 5 files changed, 49 insertions(+), 34 deletions(-) diff --git a/helm/fence/README.md b/helm/fence/README.md index 475f9096..ec4013c4 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md @@ -115,7 +115,7 @@ A Helm chart for gen3 Fence | global.syncFromDbgap | bool | `false` | Whether to sync data from dbGaP. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `1000` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | -| image.pullPolicy | string | `"Always"` | When to pull the image. This value should be "Always" to ensure the latest image is used. | +| image.pullPolicy | string | `"IfNotPresent"` | When to pull the image. This value should be "Always" to ensure the latest image is used. | | image.repository | string | `"quay.io/cdis/fence"` | The Docker image repository for the fence service | | image.tag | string | `"master"` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Docker image pull secrets. | 
@@ -181,7 +181,7 @@ A Helm chart for gen3 Fence | usersync.syncFromDbgap | bool | `false` | Whether to sync data from dbGaP. | | usersync.userYamlS3Path | string | `"s3://cdis-gen3-users/helm-test/user.yaml"` | Path to the user.yaml file in S3. | | usersync.usersync | bool | `false` | Whether to run Fence usersync or not. | -| volumeMounts | list | `[{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":true,"subPath":"jwt_private_key.pem"}]` | Volumes to mount to the container. 
| +| volumeMounts | list | `[{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":false,"subPath":"jwt_private_key.pem"}]` | Volumes to mount to the container. 
| | volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":true},"name":"yaml-merge"},{"configMap":{"name":"fence-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"fence-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | ---------------------------------------------- diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml index 733371c5..2affba98 100644 --- a/helm/fence/templates/fence-deployment.yaml +++ b/helm/fence/templates/fence-deployment.yaml 
@@ -28,26 +28,21 @@ spec: spec: enableServiceLinks: false serviceAccountName: {{ include "fence.serviceAccountName" . }} + # TODO: Fix nginx image so it runs as non-root + # securityContext: + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: - {{- if .Values.sidecar.enabled }} - - name: sidecar-nginx - image: {{ .Values.sidecar.image }} - ports: - - name: http - containerPort: 80 - volumeMounts: - - name: "nginx-config" - mountPath: "/etc/nginx/conf.d/default.conf" - subPath: default.conf - {{- end }} - name: fence image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: app containerPort: 8000 + protocol: TCP # - name: https # containerPort: 443 # protocol: TCP @@ -63,18 +58,15 @@ spec: readinessProbe: httpGet: path: /_status - port: http + port: app resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] args: - "-c" - | - echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml" - python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml > /var/www/fence/fence-config.yaml - if [[ -f /fence/keys/key/jwt_private_key.pem ]]; then - openssl rsa -in /fence/keys/key/jwt_private_key.pem -pubout > /fence/keys/key/jwt_public_key.pem - fi + # echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml" + # python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml > /var/www/fence/fence-config.yaml bash /fence/dockerrun.bash && if [[ -f /dockerrun.sh ]]; then bash /dockerrun.sh; fi env: {{- if .Values.global.ddEnabled }} 
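Review bot: The fence container's startup script drops the `openssl rsa … -pubout > /fence/keys/key/jwt_public_key.pem` step without replacing it, so unless `dockerrun.bash` now derives the public key from the mounted `jwt_private_key.pem`, the file fence serves for token verification is never written — confirm and state where it is generated. The two `# echo …` and `# python … yaml_merge.py …` lines left in the heredoc are dead code; either delete them or replace them with one comment such as `# fence-config.yaml is mounted read-only from the fence-config secret; no merge step here`. The readiness probe change to `port: app` is correct, since the name `http` now belongs to the sidecar. The container spec continues outside the hunk.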
@@ -83,20 +75,25 @@ spec: {{- toYaml .Values.env | nindent 12 }} volumeMounts: {{- toYaml .Values.volumeMounts | nindent 12 }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }} + ports: + - name: http + containerPort: 80 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} initContainers: - name: fence-init image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: container - containerPort: 6567 - protocol: TCP resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] @@ -105,6 +102,7 @@ spec: - | # echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml" # python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml > /var/www/fence/fence-config.yaml + # sleep infinity if fence-create migrate --help > /dev/null 2>&1; then if ! grep -E 'ENABLE_DB_MIGRATION"?: *false' /var/www/fence/fence-config.yaml; then echo "Running db migration: fence-create migrate" diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml index 534c81e9..1196e692 100644 --- a/helm/fence/templates/presigned-url-fence.yaml +++ b/helm/fence/templates/presigned-url-fence.yaml 
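Review bot: The new `sidecar-nginx` container declares no `resources`, no `imagePullPolicy` and no container-level `securityContext`, while the `fence` container beside it gets all of them from values; in a namespace with a `LimitRange` or `ResourceQuota` the missing requests block scheduling of the whole pod. The same omission repeats in the sidecar hunks of presigned-url-fence, audit, indexd and manifestservice later in the series. A minimal fix is a `sidecar.resources` value rendered with `{{- toYaml .Values.sidecar.resources | nindent 12 }}` under the sidecar, mirroring how `.Values.resources` is used for the app container. The enclosing pod spec continues outside the hunk.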
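Review bot: `# sleep infinity` in the fence-init script is debugging residue and should not land in the chart; if it is meant as a documented escape hatch for troubleshooting the init container, say so, e.g. `# debugging aid: uncomment to keep the init container alive for exec`, otherwise drop the line. The init script continues outside the hunk.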
@@ -21,15 +21,20 @@ spec: app: presigned-url-fence spec: serviceAccountName: {{ include "fence.serviceAccountName" . }} + # TODO: Fix nginx image so it runs as non-root + # securityContext: + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: - name: presigned-url-fence image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: Always + imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: 8000 protocol: TCP - name: https containerPort: 443 @@ -64,6 +69,18 @@ spec: {{- toYaml .Values.env | nindent 12 }} volumeMounts: {{- toYaml .Values.volumeMounts | nindent 12 }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }} + ports: + - name: http + containerPort: 80 + protocol: TCP + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helm/fence/templates/useryaml-job.yaml b/helm/fence/templates/useryaml-job.yaml index 6adb96c4..83c520ba 100644 --- a/helm/fence/templates/useryaml-job.yaml +++ b/helm/fence/templates/useryaml-job.yaml @@ -27,7 +27,7 @@ spec: containers: - name: fence image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: Always + imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} env: {{- toYaml .Values.env | nindent 10 }} volumeMounts: diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml index 950922d6..0dd6a560 100644 --- a/helm/fence/values.yaml +++ b/helm/fence/values.yaml 
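Review bot: The pod now carries two container ports named `http`: the `presigned-url-fence` container keeps `name: http` on 8000 (first hunk) and the added sidecar declares `name: http` on 80. The Kubernetes API documents container port names as unique within the pod, and a Service `targetPort: http` is resolved by scanning containers in order, so which port receives traffic depends on container ordering rather than intent. fence-deployment.yaml in this same commit already avoids this by renaming the app port to `app`; do the same here (`- name: app` / `containerPort: 8000`) and in the audit and indexd deployment hunks of the later "gunicorn changes" commit, where the app container's port is also still named `http` next to the sidecar's `http`. The container list continues outside the hunk.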
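Review bot: useryaml-job.yaml renders `{{ .Values.image.pullPolicy | default "Always" }}` while fence-deployment.yaml and presigned-url-fence.yaml in the same commit render `{{ .Values.image.pullPolicy }}` with no default; since values.yaml always sets `pullPolicy`, the default never applies and only makes the templates disagree. Pick one form for all three, preferably `{{ .Values.image.pullPolicy }}`, or add the same `default` everywhere if an unset value must be tolerated.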
@@ -114,7 +114,7 @@ image: # -- (string) The Docker image repository for the fence service repository: quay.io/cdis/fence # -- (string) When to pull the image. This value should be "Always" to ensure the latest image is used. - pullPolicy: Always + pullPolicy: IfNotPresent # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "master" @@ -393,7 +393,7 @@ volumeMounts: mountPath: "/var/www/fence/fence_google_storage_creds_secret.json" subPath: fence_google_storage_creds_secret.json - name: "fence-jwt-keys" - readOnly: true + readOnly: false mountPath: "/fence/keys/key/jwt_private_key.pem" subPath: "jwt_private_key.pem" From b5f5d91aabdcb72eda85d2736641379948092497 Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 21 Nov 2023 10:51:39 -0600 Subject: [PATCH 12/27] Update fence to run nginx as sidecar --- helm/fence/README.md | 8 ++++---- helm/fence/templates/fence-deployment.yaml | 14 +++++++------- helm/fence/templates/nginx-config.yaml | 2 +- helm/fence/templates/presigned-url-fence.yaml | 12 ++++++------ helm/fence/values.yaml | 6 +++--- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/helm/fence/README.md b/helm/fence/README.md index ec4013c4..278d2db1 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md 
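Review bot: The comment directly above the changed line still says `This value should be "Always" to ensure the latest image is used.`, which now contradicts the new default `IfNotPresent`; with the default `tag: "master"` a node that already has a `master` image cached will keep running it across upgrades. Update the comment, e.g. `# -- (string) When to pull the image. "IfNotPresent" reuses a cached tag; use "Always" when tracking a mutable tag such as "master".`, and regenerate README.md with helm-docs so the parameter table stops carrying the stale sentence.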
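Review bot: Flipping the `fence-jwt-keys` mount to `readOnly: false` weakens the only least-privilege guard on the JWT signing key, and the commit message does not say why it is needed. On current clusters Secret volumes are mounted read-only regardless of this flag, so the change most likely has no effect and only signals that something is expected to write the private key; if the motive was the removed `openssl … -pubout` step writing `jwt_public_key.pem`, that wrote to the container directory, not the mounted file. Revert to `readOnly: true` unless there is a concrete writer, and if there is one, record it in a comment on the mount.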
@@ -163,10 +163,10 @@ A Helm chart for gen3 Fence | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `"fence-sa"` | The name of the service account | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"Always"` | When to pull the image. | -| sidecar.tag | string | `"master"` | Image tag. | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","secrets":{"awsAccessKeyId":"","awsSecretAccessKey":""},"slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":false}` | Configuration options for usersync cronjob. | | usersync.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml | diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml index 2affba98..ee1ea2bb 100644 --- a/helm/fence/templates/fence-deployment.yaml 
+++ b/helm/fence/templates/fence-deployment.yaml @@ -28,11 +28,10 @@ spec: spec: enableServiceLinks: false serviceAccountName: {{ include "fence.serviceAccountName" . }} - # TODO: Fix nginx image so it runs as non-root - # securityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: @@ -77,10 +76,11 @@ spec: {{- toYaml .Values.volumeMounts | nindent 12 }} {{- if .Values.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }} + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: 8080 readinessProbe: httpGet: path: /_status diff --git a/helm/fence/templates/nginx-config.yaml b/helm/fence/templates/nginx-config.yaml index 0f422ef9..aeaac14f 100644 --- a/helm/fence/templates/nginx-config.yaml +++ b/helm/fence/templates/nginx-config.yaml @@ -5,7 +5,7 @@ metadata: data: default.conf: | server { - listen 80; + listen 8080; server_name localhost; location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml index 1196e692..f007cdda 100644 --- a/helm/fence/templates/presigned-url-fence.yaml +++ b/helm/fence/templates/presigned-url-fence.yaml @@ -21,11 +21,10 @@ spec: app: presigned-url-fence spec: serviceAccountName: {{ include "fence.serviceAccountName" . }} - # TODO: Fix nginx image so it runs as non-root - # securityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: 
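Review bot: The uncommented pod `securityContext` sets `runAsUser: 1000` but not `runAsNonRoot: true`, so a future image whose entrypoint switches user, or an override of `runAsUser`, silently returns the pod to root without the kubelet refusing to start it. The identical block is added to presigned-url-fence.yaml in this commit and to the audit, indexd and manifestservice deployments in the "gunicorn changes" commit; adding `runAsNonRoot: true` alongside `fsGroup` in each, and a per-container `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` for both the app and the nginx sidecar, would make the non-root intent enforced rather than assumed. This also moves the charts toward the `restricted` Pod Security Standard, which `runAsUser` alone does not satisfy. The pod spec continues outside the hunk.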
@@ -71,7 +70,8 @@ spec: {{- toYaml .Values.volumeMounts | nindent 12 }} {{- if .Values.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }} + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} ports: - name: http containerPort: 80 diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml index 0dd6a560..0ea4cd01 100644 --- a/helm/fence/values.yaml +++ b/helm/fence/values.yaml @@ -122,11 +122,11 @@ image: sidecar: enabled: true # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx + image: quay.io/cdis/nginx-sidecar # -- (string) When to pull the image. - pullPolicy: Always + pullPolicy: IfNotPresent # -- (string) Image tag. - tag: "master" + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (list) Docker image pull secrets. imagePullSecrets: [] From dceb8f0597311b611ddc84191230cc7b600d8af0 Mon Sep 17 00:00:00 2001 
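Review bot: The presigned-url-fence sidecar still declares `containerPort: 80` while this same commit changes the shared `fence-nginx-configmap` to `listen 8080;` and the pod to `runAsUser: 1000`; nginx will bind 8080, nothing listens on 80, and a Service or probe targeting the sidecar's `http` port by name resolves to the wrong number. fence-deployment.yaml in this commit was updated to `containerPort: 8080` — apply the same change here, and consider adding the `readinessProbe` on `/_status` that the fence-deployment sidecar has so the two templates stay parallel. The container list continues outside the hunk.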
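Review bot: `tag: "nginx-sidecar-feat_nginx-sidecar"` is a feature-branch tag, and combined with the new `pullPolicy: IfNotPresent` a node keeps whatever build of that tag it cached first, so different nodes can run different sidecar code with no change in the chart. If the branch tag is a placeholder until a release exists, mark it so, e.g. `# TODO: pin to a released nginx-sidecar tag before the chart is published`, so it is not forgotten.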
From: EliseCastle23 Date: Mon, 27 Nov 2023 15:46:28 -0700 Subject: [PATCH 13/27] adding gunicorn changes for audit, metadata, manifestservice, etc. --- .secrets.baseline | 4 +- helm/audit/Chart.yaml | 2 +- helm/audit/README.md | 6 ++- helm/audit/templates/deployment.yaml | 37 +++++++++++++++++-- helm/audit/templates/nginx_config.yaml | 14 +++++++ helm/audit/templates/wsgi.yaml | 13 +++++++ helm/audit/values.yaml | 10 +++++ helm/fence/templates/wsgi.yaml | 4 +- helm/indexd/README.md | 16 ++++---- helm/indexd/templates/deployment.yaml | 20 +++++++--- helm/indexd/templates/nginx_config.yaml | 4 +- helm/indexd/templates/wsgi.yaml | 5 ++- helm/indexd/values.yaml | 13 ++++--- helm/manifestservice/Chart.yaml | 2 +- helm/manifestservice/README.md | 10 +++-- .../manifestservice/templates/deployment.yaml | 26 +++++++++++-- .../templates/nginx_config.yaml | 14 +++++++ helm/manifestservice/templates/wsgi.yaml | 12 ++++++ helm/manifestservice/values.yaml | 19 ++++++++++ helm/metadata/Chart.yaml | 2 +- helm/metadata/README.md | 14 ++++--- helm/metadata/templates/deployment.yaml | 32 ++++++++++++++-- helm/metadata/templates/nginx_config.yaml | 14 +++++++ helm/metadata/templates/wsgi.yaml | 13 +++++++ helm/metadata/values.yaml | 17 ++++++++- helm/sheepdog/Chart.yaml | 2 +- helm/sheepdog/README.md | 8 +++- helm/sheepdog/templates/deployment.yaml | 36 +++++++++++++++--- helm/sheepdog/templates/nginx_config.yaml | 14 +++++++ helm/sheepdog/templates/wsgi.yaml | 12 ++++++ helm/sheepdog/values.yaml | 15 +++++++- 31 files changed, 349 insertions(+), 61 deletions(-) create mode 100644 helm/audit/templates/nginx_config.yaml create mode 100644 helm/audit/templates/wsgi.yaml create mode 100644 helm/manifestservice/templates/nginx_config.yaml create mode 100644 helm/manifestservice/templates/wsgi.yaml create mode 100644 helm/metadata/templates/nginx_config.yaml create mode 100644 helm/metadata/templates/wsgi.yaml create mode 100644 helm/sheepdog/templates/nginx_config.yaml create mode 100644 
helm/sheepdog/templates/wsgi.yaml diff --git a/.secrets.baseline b/.secrets.baseline index 3d2d316d..5f44ae46 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2023-11-14T19:51:24Z", + "generated_at": "2023-11-27T22:42:44Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -806,7 +806,7 @@ "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3", "is_secret": false, "is_verified": false, - "line_number": 229, + "line_number": 242, "type": "Secret Keyword" } ], diff --git a/helm/audit/Chart.yaml b/helm/audit/Chart.yaml index 966a2573..4201f353 100644 --- a/helm/audit/Chart.yaml +++ b/helm/audit/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.9 +version: 0.1.10 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/audit/README.md b/helm/audit/README.md index e7d15409..58650067 100644 --- a/helm/audit/README.md +++ b/helm/audit/README.md @@ -1,6 +1,6 @@ # audit -![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for Kubernetes 
@@ -106,6 +106,10 @@ A Helm chart for Kubernetes | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Whether to create a service account | | serviceAccount.name | string | `"audit-service-sa"` | The name of the service account | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | volumeMounts | list | `[]` | Volumes to mount to the container. | | volumes | list | `[]` | Volumes to attach to the container. | diff --git a/helm/audit/templates/deployment.yaml b/helm/audit/templates/deployment.yaml index 6d4db6f6..b6b1e28b 100644 --- a/helm/audit/templates/deployment.yaml +++ b/helm/audit/templates/deployment.yaml @@ -26,11 +26,21 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 serviceAccountName: {{ include "audit.serviceAccountName" . }} volumes: - name: config-volume secret: secretName: "audit-g3auto" + - name: wsgi-config + configMap: + name: audit-wsgi + - name: nginx-config + configMap: + name: audit-nginx-configmap {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} 
@@ -39,20 +49,20 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 80 + - containerPort: 8000 name: http protocol: TCP livenessProbe: httpGet: path: /_status - port: 80 + port: 8000 initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: 8000 resources: {{- toYaml .Values.resources | nindent 12 }} env: @@ -95,9 +105,28 @@ spec: readOnly: true mountPath: "/src/audit-service-config.yaml" subPath: "audit-service-config.yaml" + - name: "wsgi-config" + mountPath: "/audit-service/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} initContainers: - name: audit-init image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -139,7 +168,7 @@ spec: args: - "-c" - | - /env/bin/alembic upgrade head + alembic upgrade head volumeMounts: - name: "config-volume" readOnly: true diff --git a/helm/audit/templates/nginx_config.yaml b/helm/audit/templates/nginx_config.yaml new file mode 100644 index 00000000..2dbb5edb --- /dev/null +++ b/helm/audit/templates/nginx_config.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: audit-nginx-configmap +data: + default.conf: | + server { + listen 8080; + server_name localhost; + + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } \ No newline at end of file 
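Review bot: The new `audit-nginx-configmap` proxies with a bare `proxy_pass http://127.0.0.1:8000;` and no `proxy_set_header` lines, so gunicorn sees `Host: 127.0.0.1:8000` and no `X-Forwarded-For`/`X-Forwarded-Proto`; if the service builds absolute URLs or logs client addresses, those will now reflect the sidecar rather than the caller, and the `/_status` readiness path is the only route exercised before rollout. The same minimal server block is used for fence, indexd and manifestservice, so fix it once and copy it, adding `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside `location /`. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.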
diff --git a/helm/audit/templates/wsgi.yaml b/helm/audit/templates/wsgi.yaml new file mode 100644 index 00000000..2acc9008 --- /dev/null +++ b/helm/audit/templates/wsgi.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: audit-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:8000" + workers = 1 + user = 'gen3' + group = 'gen3' + timeout = 300 + worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file diff --git a/helm/audit/values.yaml b/helm/audit/values.yaml index 97e70118..2343bb89 100644 --- a/helm/audit/values.yaml +++ b/helm/audit/values.yaml @@ -85,6 +85,16 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "master" +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" + # -- (list) Docker image pull secrets. imagePullSecrets: [] diff --git a/helm/fence/templates/wsgi.yaml b/helm/fence/templates/wsgi.yaml index ff258ad7..db3bd9dc 100644 --- a/helm/fence/templates/wsgi.yaml +++ b/helm/fence/templates/wsgi.yaml @@ -7,5 +7,5 @@ data: wsgi_app = "deployment.wsgi.wsgi:application" bind = "0.0.0.0:8000" workers = 1 - user = 'appuser' - group = 'appuser' + user = 'gen3' + group = 'gen3' diff --git a/helm/indexd/README.md b/helm/indexd/README.md index 2ee22d09..e83fae53 100644 --- a/helm/indexd/README.md +++ b/helm/indexd/README.md 
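Review bot: The new `gunicorn.conf.py` sets `user = 'gen3'` / `group = 'gen3'` while the pod is constrained to `runAsUser: 1000` / `runAsGroup: 1000`; gunicorn applies these with `setuid`/`setgid` when spawning workers, which only succeeds as non-root if `gen3` already resolves to uid/gid 1000 in the image. If it does, the two settings are redundant and should be documented as such, e.g. `# gen3 must be uid/gid 1000 to match the pod securityContext`; if it does not, worker startup fails with a permission error. The same pair is changed from `appuser` to `gen3` in the fence and indexd wsgi.yaml hunks of this commit, so the assumption should be confirmed against all three images. Separately, `bind = "0.0.0.0:8000"` exposes gunicorn on the pod IP next to the nginx sidecar, so the Service must target the sidecar's port if nginx is meant to front all traffic.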
@@ -56,10 +56,10 @@ A Helm chart for gen3 indexd | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `1000` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | -| image | map | `{"pullPolicy":"Never","repository":"quay.io/cdis/indexd","tag":"feat_GPE-788"}` | Docker image information. | -| image.pullPolicy | string | `"Never"` | When to pull the image. | +| image | map | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cdis/indexd","tag":""}` | Docker image information. | +| image.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | | image.repository | string | `"quay.io/cdis/indexd"` | The Docker image repository for the indexd service | -| image.tag | string | `"feat_GPE-788"` | Overrides the image tag whose default is the chart appVersion. | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Docker image pull secrets. | | nameOverride | string | `""` | Override the name of the chart. | | nodeSelector | map | `{}` | Node Selector for the pods | 
@@ -95,13 +95,13 @@ A Helm chart for gen3 indexd | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | -| sidecar | map | `{"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"Always"` | When to pull the image. | -| sidecar.tag | string | `"master"` | Image tag. | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | volumeMounts | list | `[{"mountPath":"/var/www/indexd/local_settings.py","name":"config-volume","readOnly":true,"subPath":"local_settings.py"}]` | Volumes to mount to the container. 
| -| volumes | list | `[{"configMap":{"name":"indexd-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}},{"configMap":{"name":"nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the pod | +| volumes | list | `[{"configMap":{"name":"indexd-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}},{"configMap":{"name":"indexd-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the pod | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/indexd/templates/deployment.yaml b/helm/indexd/templates/deployment.yaml index cd8df3c9..7b86d48b 100644 --- a/helm/indexd/templates/deployment.yaml +++ b/helm/indexd/templates/deployment.yaml @@ -26,6 +26,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} @@ -90,27 +94,31 @@ spec: subPath: "local_settings.py" ports: - name: http - containerPort: 80 + containerPort: 8000 protocol: TCP livenessProbe: httpGet: path: /_status - port: http + port: 8000 initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /_status - port: http + port: 8000 resources: {{- toYaml .Values.resources | nindent 12 }} {{- if .Values.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }} + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} ports: - name: http - containerPort: 80 - protocol: TCP + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" 
diff --git a/helm/indexd/templates/nginx_config.yaml b/helm/indexd/templates/nginx_config.yaml index e93f13bc..4aeeb71c 100644 --- a/helm/indexd/templates/nginx_config.yaml +++ b/helm/indexd/templates/nginx_config.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: ConfigMap metadata: - name: nginx-configmap + name: indexd-nginx-configmap data: default.conf: | server { - listen 80; + listen 8080; server_name localhost; location / { diff --git a/helm/indexd/templates/wsgi.yaml b/helm/indexd/templates/wsgi.yaml index 8b1fa214..7a0b5056 100644 --- a/helm/indexd/templates/wsgi.yaml +++ b/helm/indexd/templates/wsgi.yaml @@ -7,5 +7,6 @@ data: wsgi_app = "deployment.wsgi.wsgi:application" bind = "0.0.0.0:8000" workers = 1 - user = 'appuser' - group = 'appuser' + user = 'gen3' + group = 'gen3' + timeout = 300 diff --git a/helm/indexd/values.yaml b/helm/indexd/values.yaml index cdf89f11..f918e5bf 100644 --- a/helm/indexd/values.yaml +++ b/helm/indexd/values.yaml @@ -94,18 +94,19 @@ image: # -- (string) The Docker image repository for the indexd service repository: quay.io/cdis/indexd # -- (string) When to pull the image. - pullPolicy: Never + pullPolicy: IfNotPresent # -- (string) Overrides the image tag whose default is the chart appVersion. - tag: "feat_GPE-788" + tag: "" # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. sidecar: + enabled: true # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx + image: quay.io/cdis/nginx-sidecar # -- (string) When to pull the image. - pullPolicy: Always + pullPolicy: IfNotPresent # -- (string) Image tag. - tag: "master" + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -194,7 +195,7 @@ volumes: secretName: "indexd-settings" - name: nginx-config configMap: - name: nginx-configmap + name: indexd-nginx-configmap # -- (list) Volumes to mount to the container. volumeMounts: 
diff --git a/helm/manifestservice/Chart.yaml b/helm/manifestservice/Chart.yaml index a8920546..e01a6ba2 100644 --- a/helm/manifestservice/Chart.yaml +++ b/helm/manifestservice/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.10 +version: 0.1.11 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/manifestservice/README.md b/helm/manifestservice/README.md index 4e74a196..df190c0e 100644 --- a/helm/manifestservice/README.md +++ b/helm/manifestservice/README.md @@ -1,6 +1,6 @@ # manifestservice -![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for Kubernetes 
@@ -66,12 +66,16 @@ A Helm chart for Kubernetes | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | terminationGracePeriodSeconds | int | `50` | Grace period that applies to the total time it takes for both the PreStop hook to execute and for the Container to stop normally. | -| volumeMounts | list | `[{"mountPath":"/var/gen3/config/","name":"config-volume","readOnly":true}]` | Volumes to mount to the container. | -| volumes | list | `[{"name":"config-volume","secret":{"secretName":"manifestservice-g3auto"}}]` | Volumes to attach to the container. | +| volumeMounts | list | `[{"mountPath":"/manifestservice/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"},{"mountPath":"/var/gen3/config/","name":"config-volume","readOnly":true}]` | Volumes to mount to the container. 
| +| volumes | list | `[{"configMap":{"name":"manifestservice-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"manifestservice-g3auto"}},{"configMap":{"name":"manifestservice-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/manifestservice/templates/deployment.yaml b/helm/manifestservice/templates/deployment.yaml index 4dd08001..8f589e25 100644 --- a/helm/manifestservice/templates/deployment.yaml +++ b/helm/manifestservice/templates/deployment.yaml @@ -28,6 +28,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -50,15 +54,31 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} ports: - - containerPort: 80 + - containerPort: 8000 livenessProbe: httpGet: path: /_status - port: 80 + port: 8000 initialDelaySeconds: 10 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: 8000 + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} diff --git a/helm/manifestservice/templates/nginx_config.yaml b/helm/manifestservice/templates/nginx_config.yaml new file mode 100644 index 00000000..473061ff --- /dev/null +++ b/helm/manifestservice/templates/nginx_config.yaml 
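Review bot: The pod `securityContext` added in the first deployment hunk fixes uid/gid 1000 but omits `runAsNonRoot: true`, and the `sidecar-nginx` container added in the second hunk carries no container-level `securityContext` (`allowPrivilegeEscalation: false`, dropped capabilities) and no `resources` block, so it runs unbounded beside an app container that does get `.Values.resources`. Adding `runAsNonRoot: true` under the pod securityContext makes the kubelet refuse any later values override that sets the uid back to 0, and a `resources:` stanza on the sidecar keeps it inside the pod's scheduling and limit accounting. The same two omissions repeat in the metadata (L47, L48), sheepdog (L52, L53) and peregrine (L59) deployment hunks.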
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: manifestservice-nginx-configmap +data: + default.conf: | + server { + listen 8080; + server_name localhost; + + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } \ No newline at end of file diff --git a/helm/manifestservice/templates/wsgi.yaml b/helm/manifestservice/templates/wsgi.yaml new file mode 100644 index 00000000..da55efe7 --- /dev/null +++ b/helm/manifestservice/templates/wsgi.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: manifestservice-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:8000" + workers = 1 + user = 'gen3' + group = 'gen3' + timeout = 300 \ No newline at end of file diff --git a/helm/manifestservice/values.yaml b/helm/manifestservice/values.yaml index 2607c9a7..53ee7417 100644 --- a/helm/manifestservice/values.yaml +++ b/helm/manifestservice/values.yaml @@ -28,6 +28,16 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "2022.09" +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" + # -- (map) Kubernetes service information. service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". 
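Review bot: The `location /` block in the new nginx_config.yaml proxies to gunicorn with no `proxy_set_header` directives, so the application sees every request arriving from 127.0.0.1 with the loopback address as its Host header; client addresses vanish from the service's access and audit logs, and any Host-based URL generation points at the proxy address. Add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside the location block. The same config is created for metadata (L48), sheepdog (L53) and peregrine (L60). In the wsgi.yaml hunk, `user = 'gen3'` / `group = 'gen3'` is applied by a gunicorn master that the pod securityContext already runs as uid 1000, which cannot switch to a different account, so this only works if `gen3` resolves to uid/gid 1000 in the image — confirm, or drop the two lines and rely on the pod securityContext alone.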
@@ -90,9 +100,15 @@ automountServiceAccountToken: false # -- (list) Volumes to attach to the container. volumes: + - name: wsgi-config + configMap: + name: manifestservice-wsgi - name: config-volume secret: secretName: "manifestservice-g3auto" + - name: nginx-config + configMap: + name: manifestservice-nginx-configmap # -- (int) Grace period that applies to the total time it takes for both the PreStop hook to execute and for the Container to stop normally. terminationGracePeriodSeconds: 50 @@ -108,6 +124,9 @@ env: # -- (list) Volumes to mount to the container. volumeMounts: + - name: "wsgi-config" + mountPath: "/manifestservice/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py - name: "config-volume" readOnly: true mountPath: "/var/gen3/config/" diff --git a/helm/metadata/Chart.yaml b/helm/metadata/Chart.yaml index 718ca364..5a079f18 100644 --- a/helm/metadata/Chart.yaml +++ b/helm/metadata/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.8 +version: 0.1.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/metadata/README.md b/helm/metadata/README.md index aa2422ea..8303f893 100644 --- a/helm/metadata/README.md +++ b/helm/metadata/README.md 
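Review bot: In the second values hunk the new `wsgi-config` mount of `gunicorn.conf.py` has no `readOnly: true`, while the sibling `config-volume` mount keeps it; `gunicorn.conf.py` is Python that gunicorn executes at startup, so it deserves at least the same marking, even if recent kubelets mount ConfigMap volumes read-only regardless. Add `readOnly: true` under the `wsgi-config` entry. The same omission appears in the metadata (L49), sheepdog (L54) and peregrine (L61) values hunks.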
@@ -1,6 +1,6 @@ # metadata -![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Metadata Service @@ -23,7 +23,7 @@ A Helm chart for gen3 Metadata Service | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values | list | `["metadata"]` | Value for the match expression key. | | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Value for topology key label. | | aggMdsNamespace | string | `nil` | Namespae to use if AggMds is enabled. | -| args | list | `["-c","/env/bin/alembic upgrade head\n"]` | Arguments to pass to the init container. | +| args | list | `["-c","alembic upgrade head\n"]` | Arguments to pass to the init container. | | automountServiceAccountToken | bool | `false` | Automount the default service account token | | autoscaling | map | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Configuration for autoscaling the number of replicas | | autoscaling.enabled | bool | `false` | Whether autoscaling is enabled | 
@@ -97,15 +97,19 @@ A Helm chart for gen3 Metadata Service | resources.requests.memory | string | `"12Mi"` | The amount of memory requested | | revisionHistoryLimit | int | `2` | Number of old revisions to retain | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]` | The port number that the service exposes. | +| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAnnotations."getambassador.io/config" | string | `"---\napiVersion: ambassador/v1\nambassador_id: \"gen3\"\nkind: Mapping\nname: metadata_mapping\nprefix: /index/\nservice: http://metadata-service:80\n"` | | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. 
| | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | useAggMds | bool | `nil` | Set to true to aggregate metadata from multiple other Metadata Service instances. | -| volumeMounts | list | `[{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"},{"mountPath":"/metadata.json","name":"config-manifest","readOnly":true,"subPath":"json"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/metadata-service/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"},{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"},{"mountPath":"/metadata.json","name":"config-manifest","readOnly":true,"subPath":"json"}]` | Volumes to mount to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/metadata/templates/deployment.yaml b/helm/metadata/templates/deployment.yaml index ba6c0378..e455a79e 100644 --- a/helm/metadata/templates/deployment.yaml +++ b/helm/metadata/templates/deployment.yaml @@ -31,6 +31,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} 
@@ -48,6 +52,12 @@ spec: configMap: name: manifest-metadata optional: true + - name: wsgi-config + configMap: + name: metadata-wsgi + - name: nginx-config + configMap: + name: metadata-nginx-configmap containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -101,16 +111,16 @@ spec: livenessProbe: httpGet: path: /_status - port: 80 + port: 8000 initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: 8000 ports: - - containerPort: 80 + - containerPort: 8000 {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} @@ -119,6 +129,22 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} initContainers: - name: {{ .Values.initContainerName }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" diff --git a/helm/metadata/templates/nginx_config.yaml b/helm/metadata/templates/nginx_config.yaml new file mode 100644 index 00000000..afbfe026 --- /dev/null +++ b/helm/metadata/templates/nginx_config.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: metadata-nginx-configmap +data: + default.conf: | + server { + listen 8080; + server_name localhost; + + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } \ No newline at end of file diff --git a/helm/metadata/templates/wsgi.yaml b/helm/metadata/templates/wsgi.yaml new file mode 100644 index 00000000..9a71581b --- /dev/null +++ b/helm/metadata/templates/wsgi.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: metadata-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:8000" + workers = 1 + user = 'gen3' + group = 'gen3' + timeout = 300 + worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file diff --git a/helm/metadata/values.yaml b/helm/metadata/values.yaml index baaa5cb6..ef099f36 100644 --- a/helm/metadata/values.yaml +++ b/helm/metadata/values.yaml @@ -144,6 +144,16 @@ image: debug: false +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" + # Environment Variables # -- (string) Elasticsearch endpoint. esEndpoint: elasticsearch:9200 @@ -154,6 +164,9 @@ aggMdsNamespace: # -- (list) Volumes to mount to the container. volumeMounts: + - name: "wsgi-config" + mountPath: "/metadata-service/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py - name: config-volume-g3auto readOnly: true mountPath: /src/.env @@ -205,7 +218,7 @@ command: ["/bin/sh"] args: - "-c" - | - /env/bin/alembic upgrade head + alembic upgrade head # Service and Pod serviceAnnotations: @@ -226,7 +239,7 @@ service: port: - protocol: TCP port: 80 - targetPort: 80 + targetPort: 8000 name: http # Values to determine the labels that are used for the deployment, pod, etc. diff --git a/helm/sheepdog/Chart.yaml b/helm/sheepdog/Chart.yaml index cb5745a2..7a68d313 100644 --- a/helm/sheepdog/Chart.yaml +++ b/helm/sheepdog/Chart.yaml 
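Review bot: The `service` hunk changes `targetPort: 80` to `targetPort: 8000`, which routes Service traffic straight to gunicorn and past the nginx sidecar that `sidecar.enabled: true` now deploys by default; as written the sidecar answers only its own readiness probe. If nginx is meant to front the app, the target should be the sidecar's named port (`targetPort: http`, i.e. 8080) when the sidecar is enabled, otherwise `sidecar.enabled` should default to false. Even with that fix, the wsgi.yaml hunk binds gunicorn to `0.0.0.0:8000`, so other pods can still reach it on the pod IP and bypass nginx; `bind = "127.0.0.1:8000"` would close that path but requires the app container's httpGet probes on port 8000 to move (for example to exec probes), since the kubelet probes the pod IP. Whichever way this goes, record the decision in a comment on the `bind` line.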
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.10 +version: 0.1.11 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/sheepdog/README.md b/helm/sheepdog/README.md index e2a57245..6977e49f 100644 --- a/helm/sheepdog/README.md +++ b/helm/sheepdog/README.md @@ -1,6 +1,6 @@ # sheepdog -![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Sheepdog Service 
@@ -111,11 +111,15 @@ A Helm chart for gen3 Sheepdog Service | service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | terminationGracePeriodSeconds | int | `50` | sheepdog transactions take forever - try to let the complete before termination | -| volumeMounts | list | `[{"mountPath":"/var/www/sheepdog/wsgi.py","name":"config-volume","readOnly":true,"subPath":"wsgi.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/sheepdog/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"wsgi.py"},{"mountPath":"/sheepdog/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) 
diff --git a/helm/sheepdog/templates/deployment.yaml b/helm/sheepdog/templates/deployment.yaml index d56beb93..b135118a 100644 --- a/helm/sheepdog/templates/deployment.yaml +++ b/helm/sheepdog/templates/deployment.yaml @@ -35,6 +35,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -47,9 +51,16 @@ spec: - name: config-helper configMap: name: config-helper + - name: wsgi-config + configMap: + name: sheepdog-wsgi + - name: nginx-config + configMap: + name: sheepdog-nginx-configmap initContainers: - name: sheepdog-init image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- if .Values.global.ddEnabled }} {{- include "common.datadogEnvVar" . | nindent 12 }} @@ -107,12 +118,11 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 80 - - containerPort: 443 + - containerPort: 8000 livenessProbe: httpGet: path: /_status?timeout=20 - port: 80 + port: 8000 initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 @@ -120,7 +130,7 @@ spec: initialDelaySeconds: 30 httpGet: path: /_status?timeout=2 - port: 80 + port: 8000 # command: ["/bin/bash" ] # args: # - "-c" 
@@ -236,4 +246,20 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} \ No newline at end of file + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} \ No newline at end of file diff --git a/helm/sheepdog/templates/nginx_config.yaml b/helm/sheepdog/templates/nginx_config.yaml new file mode 100644 index 00000000..bf035d9d --- /dev/null +++ b/helm/sheepdog/templates/nginx_config.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: sheepdog-nginx-configmap +data: + default.conf: | + server { + listen 8080; + server_name localhost; + + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } \ No newline at end of file diff --git a/helm/sheepdog/templates/wsgi.yaml b/helm/sheepdog/templates/wsgi.yaml new file mode 100644 index 00000000..6905a7a2 --- /dev/null +++ b/helm/sheepdog/templates/wsgi.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: sheepdog-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:8000" + workers = 1 + user = 'gen3' + group = 'gen3' + timeout = 300 \ No newline at end of file diff --git a/helm/sheepdog/values.yaml b/helm/sheepdog/values.yaml index 941c33c6..f01598d3 100644 --- a/helm/sheepdog/values.yaml +++ b/helm/sheepdog/values.yaml 
@@ -156,6 +156,16 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "helm-test" +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" + # Environment Variables # -- (string) URL of the data dictionary. dictionaryUrl: https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json @@ -171,8 +181,11 @@ authNamespace: default volumeMounts: - name: "config-volume" readOnly: true - mountPath: "/var/www/sheepdog/wsgi.py" + mountPath: "/sheepdog/deployment/wsgi/wsgi.py" subPath: "wsgi.py" + - name: "wsgi-config" + mountPath: "/sheepdog/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py # -- (map) Resource requests and limits for the containers in the pod resources: From da0ab3895a1b0955b5da4c293d29a37c9c369113 Mon Sep 17 00:00:00 2001 
From: Edward Malinowski Date: Tue, 28 Nov 2023 08:38:59 -0600 Subject: [PATCH 14/27] adding gunicorn changes for peregrine, requestor, wts --- .secrets.baseline | 12 +++--- helm/peregrine/Chart.yaml | 2 +- helm/peregrine/README.md | 10 +++-- helm/peregrine/templates/deployment.yaml | 35 +++++++++++----- helm/peregrine/templates/nginx_config.yaml | 13 ++++++ helm/peregrine/templates/wsgi.yaml | 13 ++++++ helm/peregrine/values.yaml | 23 +++++++++++ helm/requestor/Chart.yaml | 2 +- helm/requestor/README.md | 8 +++- helm/requestor/templates/deployment.yaml | 34 ++++++++++++++-- helm/requestor/templates/nginx_config.yaml | 13 ++++++ helm/requestor/templates/wsgi.yaml | 13 ++++++ helm/requestor/values.yaml | 17 ++++++-- helm/wts/Chart.yaml | 2 +- helm/wts/README.md | 7 +++- helm/wts/templates/deployment.yaml | 46 ++++++++++++++++------ helm/wts/templates/nginx_config.yaml | 13 ++++++ helm/wts/templates/wsgi.yaml | 13 ++++++ helm/wts/values.yaml | 24 +++++++++++ 19 files changed, 257 insertions(+), 43 deletions(-) create mode 100644 helm/peregrine/templates/nginx_config.yaml create mode 100644 helm/peregrine/templates/wsgi.yaml create mode 100644 helm/requestor/templates/nginx_config.yaml create mode 100644 helm/requestor/templates/wsgi.yaml create mode 100644 helm/wts/templates/nginx_config.yaml create mode 100644 helm/wts/templates/wsgi.yaml diff --git a/.secrets.baseline b/.secrets.baseline index 5f44ae46..f95e2c40 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2023-11-27T22:42:44Z", + "generated_at": "2023-11-28T14:38:50Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -470,7 +470,7 @@ "type": "Secret Keyword" }, { - "hashed_secret": "ffa29bb5e69093c793d39762da0340f0bcf3fe53", + "hashed_secret": "44cb746036385723dde2ac36e53da8932a69bfe2", "is_secret": false, "is_verified": false, "line_number": 104, 
@@ -488,10 +488,10 @@ ], "helm/manifestservice/README.md": [ { - "hashed_secret": "611f2e9064b518afdb23f201321f39029dd28917", + "hashed_secret": "3231d1a39e7956e9e5e7b59c5f3bef462f71333c", "is_secret": false, "is_verified": false, - "line_number": 74, + "line_number": 78, "type": "Secret Keyword" } ], @@ -564,10 +564,10 @@ "type": "Secret Keyword" }, { - "hashed_secret": "7d4e263f1ae83868444f5327219830493a7d1486", + "hashed_secret": "489e396b7c68f95c6018f7b98ef7b1b94587ef29", "is_secret": false, "is_verified": false, - "line_number": 96, + "line_number": 100, "type": "Secret Keyword" } ], diff --git a/helm/peregrine/Chart.yaml b/helm/peregrine/Chart.yaml index cfdfe6e3..ada8310a 100644 --- a/helm/peregrine/Chart.yaml +++ b/helm/peregrine/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.9 +version: 0.1.10 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md index 838e811c..0742499b 100644 --- a/helm/peregrine/README.md +++ b/helm/peregrine/README.md 
@@ -1,6 +1,6 @@ # peregrine -![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2023.01](https://img.shields.io/badge/AppVersion-2023.01-informational?style=flat-square) +![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2023.01](https://img.shields.io/badge/AppVersion-2023.01-informational?style=flat-square) A Helm chart for gen3 Peregrine service 
@@ -91,9 +91,13 @@ A Helm chart for gen3 Peregrine service | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | -| volumeMounts | list | `nil` | Volumes to mount to the container. | -| volumes | list | `[{"emptyDir":{},"name":"shared-data"},{"name":"config-volume","secret":{"secretName":"peregrine-secret"}}]` | Volumes to attach to the container. | +| volumeMounts | list | `[{"mountPath":"/peregrine/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"settings.py"},{"mountPath":"/peregrine/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | +| volumes | list | `[{"emptyDir":{},"name":"shared-data"},{"name":"config-volume","secret":{"secretName":"peregrine-secret"}},{"configMap":{"name":"peregrine-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"peregrine-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/peregrine/templates/deployment.yaml b/helm/peregrine/templates/deployment.yaml index 561df45c..a661b8a0 100644 
--- a/helm/peregrine/templates/deployment.yaml +++ b/helm/peregrine/templates/deployment.yaml @@ -26,6 +26,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} @@ -147,19 +151,16 @@ spec: value: "False" - name: CONF_HOSTNAME value: {{ .Values.global.hostname }} + {{- with .Values.volumeMounts }} volumeMounts: - - name: "config-volume" - readOnly: true - mountPath: "/var/www/peregrine/wsgi.py" - subPath: "settings.py" + {{- toYaml . | nindent 10 }} + {{- end }} ports: - - name: http - containerPort: 80 - protocol: TCP + - containerPort: 8000 livenessProbe: httpGet: path: /_status?timeout=20 - port: http + port: 8000 # peregrine can take forever to initialize initialDelaySeconds: 60 periodSeconds: 60 @@ -167,9 +168,25 @@ spec: readinessProbe: httpGet: path: /_status?timeout=2 - port: http + port: 8000 resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helm/peregrine/templates/nginx_config.yaml b/helm/peregrine/templates/nginx_config.yaml new file mode 100644 index 00000000..1b65d97f --- /dev/null +++ b/helm/peregrine/templates/nginx_config.yaml 
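Review bot: In the second hunk the app container's port drops its `name: http`, and the third hunk gives that name to the sidecar's 8080 port, so anything that selects `targetPort: http` (the Service template is not in this patch) switches silently to nginx when the sidecar is enabled and has no matching port at all when `sidecar.enabled` is false — turning the sidecar off by values would then take the Service's endpoints offline. Either give the gunicorn port its own name (`name: gunicorn`) and reference ports explicitly, or guard the Service's targetPort on `.Values.sidecar.enabled`. The dropped `protocol: TCP` is the default and harmless.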
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: peregrine-nginx-configmap +data: + default.conf: | + server { + listen 8080; + server_name localhost; + location / { + proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address + } + } \ No newline at end of file diff --git a/helm/peregrine/templates/wsgi.yaml b/helm/peregrine/templates/wsgi.yaml new file mode 100644 index 00000000..ce563b63 --- /dev/null +++ b/helm/peregrine/templates/wsgi.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: peregrine-wsgi +data: + gunicorn.conf.py: | + wsgi_app = "deployment.wsgi.wsgi:application" + bind = "0.0.0.0:8000" + workers = 1 + user = 'gen3' + group = 'gen3' + timeout = 300 + worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file diff --git a/helm/peregrine/values.yaml b/helm/peregrine/values.yaml index 3335f8e3..83dd3546 100644 --- a/helm/peregrine/values.yaml +++ b/helm/peregrine/values.yaml @@ -94,6 +94,16 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "" +# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. +sidecar: + enabled: true + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" + # -- (list) Docker image pull secrets. imagePullSecrets: [] 
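Review bot: The new peregrine wsgi.yaml sets `worker_class = "uvicorn.workers.UvicornWorker"`, copied from the metadata config (L49); as far as I know uvicorn's worker auto-detects asgi2/asgi3 from the callable and does not fall back to WSGI, so if peregrine's `deployment.wsgi.wsgi:application` is a WSGI (Flask-style) object the workers will start but fail every request. Confirm against the image; if the app is WSGI, drop the line so gunicorn's default sync worker is used, as the sheepdog and manifestservice configs in this patch do. A comment such as `# ASGI application: served through the uvicorn worker` on the line would make the assumption checkable.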
@@ -182,9 +192,22 @@ volumes: - name: config-volume secret: secretName: "peregrine-secret" +- name: wsgi-config + configMap: + name: peregrine-wsgi +- name: nginx-config + configMap: + name: peregrine-nginx-configmap # -- (list) Volumes to mount to the container. volumeMounts: + - name: "config-volume" + readOnly: true + mountPath: "/peregrine/deployment/wsgi/wsgi.py" + subPath: "settings.py" + - name: "wsgi-config" + mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py # Values to determine the labels that are used for the deployment, pod, etc. # -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". diff --git a/helm/requestor/Chart.yaml b/helm/requestor/Chart.yaml index 4e59fb2a..2c4a8c43 100644 --- a/helm/requestor/Chart.yaml +++ b/helm/requestor/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.8 +version: 0.1.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/requestor/README.md b/helm/requestor/README.md index 5e7666f8..52878c7b 100644 --- a/helm/requestor/README.md +++ b/helm/requestor/README.md 
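Review bot: The new `wsgi-config` mount in the volumeMounts hunk lacks the `readOnly: true` that its sibling `config-volume` carries; ConfigMap volumes are mounted read-only by the kubelet regardless, but stating it keeps the intent visible and the two entries consistent, `readOnly: true` after `- name: "wsgi-config"`. Both mounts use `subPath`, so edits to the ConfigMap or Secret are not propagated into a running pod; a changed gunicorn.conf.py or settings.py needs a rollout to take effect, which is worth a comment on the value.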
@@ -1,6 +1,6 @@ # requestor -![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Requestor Service 
@@ -105,10 +105,14 @@ A Helm chart for gen3 Requestor Service | service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | -| volumeMounts | list | `nil` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/requestor/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/requestor/templates/deployment.yaml b/helm/requestor/templates/deployment.yaml index 24876c59..4add1707 100644 --- a/helm/requestor/templates/deployment.yaml +++ b/helm/requestor/templates/deployment.yaml 
@@ -31,6 +31,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -40,6 +44,12 @@ spec: - name: config-volume secret: secretName: "requestor-g3auto" + - name: wsgi-config + configMap: + name: requestor-wsgi + - name: nginx-config + configMap: + name: requestor-nginx-configmap containers: - name: requestor image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -86,16 +96,16 @@ spec: livenessProbe: httpGet: path: /_status - port: 80 + port: 8000 initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: 8000 ports: - - containerPort: 80 + - containerPort: 8000 {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} @@ -104,6 +114,22 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} initContainers: - name: requestor-db-migrate image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -156,4 +182,4 @@ spec: args: - "-c" - | - /env/bin/alembic upgrade head \ No newline at end of file + alembic upgrade head \ No newline at end of file diff --git a/helm/requestor/templates/nginx_config.yaml b/helm/requestor/templates/nginx_config.yaml new file mode 100644 index 00000000..906a598e --- /dev/null +++ b/helm/requestor/templates/nginx_config.yaml 
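Review bot: The requestor container now listens on 8000 and the named `http` port is on the nginx sidecar at 8080, yet the README hunk above (L63) still documents the Service with `targetPort: 80`; unless service.yaml changed outside this diff, the Service forwards to a port nothing in the pod binds, with or without the sidecar. The `wsgi-config` and `nginx-config` volumes in the second hunk are also unconditional while the sidecar container sits behind `sidecar.enabled`, which is harmless but leaves a dangling volume when the sidecar is off; wrapping the `nginx-config` entry in the same `{{- if .Values.sidecar.enabled }}` keeps the two in step.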
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: requestor-nginx-configmap
+data:
+ default.conf: |
+ server {
+ listen 8080;
+ server_name localhost;
+ location / {
+ proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address
+ }
+ }
\ No newline at end of file
diff --git a/helm/requestor/templates/wsgi.yaml b/helm/requestor/templates/wsgi.yaml
new file mode 100644
index 00000000..ee5feac0
--- /dev/null
+++ b/helm/requestor/templates/wsgi.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: requestor-wsgi
+data:
+ gunicorn.conf.py: |
+ wsgi_app = "deployment.wsgi.wsgi:application"
+ bind = "0.0.0.0:8000"
+ workers = 1
+ user = 'gen3'
+ group = 'gen3'
+ timeout = 300
+ worker_class = "uvicorn.workers.UvicornWorker"
\ No newline at end of file
diff --git a/helm/requestor/values.yaml b/helm/requestor/values.yaml
index 437ffac6..88063add 100644
--- a/helm/requestor/values.yaml
+++ b/helm/requestor/values.yaml
@@ -159,16 +159,25 @@ image:
 # -- (string) Overrides the image tag whose default is the chart appVersion.
 tag: "master"
+# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+sidecar:
+ enabled: true
+ # -- (string) The Docker image repository for nginx
+ image: quay.io/cdis/nginx-sidecar
+ # -- (string) When to pull the image.
+ pullPolicy: IfNotPresent
+ # -- (string) Image tag.
+ tag: "nginx-sidecar-feat_nginx-sidecar"
+
 # Environment Variables
 # -- (string) Arborist service URL.
 arboristUrl: http://arborist-service
 # -- (list) Volumes to mount to the container.
 volumeMounts:
- # - name: "config-volume"
- # readOnly: true
- # mountPath: "/src/requestor-config.yaml"
- # subPath: "requestor-config.yaml"
+ - name: "wsgi-config"
+ mountPath: "/requestor/deployment/wsgi/gunicorn.conf.py"
+ subPath: gunicorn.conf.py
 # -- (map) Resource requests and limits for the containers in the pod
 resources:
diff --git a/helm/wts/Chart.yaml b/helm/wts/Chart.yaml
index a1c29c60..31869111 100644
--- a/helm/wts/Chart.yaml
+++ b/helm/wts/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/wts/README.md b/helm/wts/README.md
index 7644f5fc..ceac5d6b 100644
--- a/helm/wts/README.md
+++ b/helm/wts/README.md
@@ -1,6 +1,6 @@
 # wts
-![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 A Helm chart for gen3 workspace token service
@@ -97,7 +97,12 @@ A Helm chart for gen3 workspace token service | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | +| volumeMounts | list | `[{"mountPath":"/var/www/wts/appcreds.json","name":"wts-secret","readOnly":true,"subPath":"appcreds.json"},{"mountPath":"/wts/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"wsgi.py"},{"mountPath":"/wts/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/wts/templates/deployment.yaml b/helm/wts/templates/deployment.yaml index e3f20dec..c2eb0b85 100644 --- a/helm/wts/templates/deployment.yaml +++ b/helm/wts/templates/deployment.yaml @@ -38,6 +38,10 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: 
@@ -55,6 +59,12 @@ spec: - name: wts-secret secret: secretName: "wts-g3auto" + - name: wsgi-config + configMap: + name: wts-wsgi + - name: nginx-config + configMap: + name: wts-nginx-configmap {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -64,25 +74,24 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.volumeMounts }} volumeMounts: - - name: "wts-secret" - readOnly: true - mountPath: "/var/www/wts/appcreds.json" - subPath: appcreds.json + {{- toYaml . | nindent 10 }} + {{- end }} ports: - name: http - containerPort: 80 + containerPort: 8000 protocol: TCP livenessProbe: httpGet: path: /_status - port: 80 + port: 8000 failureThreshold: 10 initialDelaySeconds: 5 readinessProbe: httpGet: path: /_status - port: 80 + port: 8000 env: {{- if .Values.global.ddEnabled }} {{- include "common.datadogEnvVar" . | nindent 11 }} @@ -137,15 +146,30 @@ spec: value: postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB) resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.sidecar.enabled }} + - name: sidecar-nginx + image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} + imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + ports: + - name: http + containerPort: 8080 + readinessProbe: + httpGet: + path: /_status + port: http + volumeMounts: + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + {{- end }} initContainers: - name: wts-db-migrate image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.volumeMounts }} volumeMounts: - - name: "wts-secret" - readOnly: true - mountPath: "/var/www/wts/appcreds.json" - subPath: appcreds.json + {{- toYaml . | nindent 10 }} + {{- end }} env: - name: PGHOST valueFrom: 
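Review bot: The last hunk gives the `wts-db-migrate` init container the whole `.Values.volumeMounts` list, so the migration step now also receives `gunicorn.conf.py`, which it has no use for, while the `wts-secret` appcreds mount stays at `/var/www/wts/appcreds.json` even though the gunicorn config moved under `/wts/deployment/wsgi/`; if the slim image relocated the application to `/wts`, confirm it still reads appcreds from the old path, otherwise the secret is mounted where nothing reads it. Keeping the init container on an explicit list of only the mounts it needs (the secret) would also avoid widening what each new entry in values.yaml reaches.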
diff --git a/helm/wts/templates/nginx_config.yaml b/helm/wts/templates/nginx_config.yaml
new file mode 100644
index 00000000..bdf65d4f
--- /dev/null
+++ b/helm/wts/templates/nginx_config.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: wts-nginx-configmap
+data:
+ default.conf: |
+ server {
+ listen 8080;
+ server_name localhost;
+ location / {
+ proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address
+ }
+ }
\ No newline at end of file
diff --git a/helm/wts/templates/wsgi.yaml b/helm/wts/templates/wsgi.yaml
new file mode 100644
index 00000000..55bf6e9c
--- /dev/null
+++ b/helm/wts/templates/wsgi.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: wts-wsgi
+data:
+ gunicorn.conf.py: |
+ wsgi_app = "deployment.wsgi.wsgi:application"
+ bind = "0.0.0.0:8000"
+ workers = 1
+ user = 'gen3'
+ group = 'gen3'
+ timeout = 300
+ worker_class = "uvicorn.workers.UvicornWorker"
\ No newline at end of file
diff --git a/helm/wts/values.yaml b/helm/wts/values.yaml
index 2eb8c2d1..d8b979f0 100644
--- a/helm/wts/values.yaml
+++ b/helm/wts/values.yaml
@@ -95,6 +95,16 @@ image:
 # -- (string) Overrides the image tag whose default is the chart appVersion.
 tag: "feat_wts_internalfence"
+# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+sidecar:
+ enabled: true
+ # -- (string) The Docker image repository for nginx
+ image: quay.io/cdis/nginx-sidecar
+ # -- (string) When to pull the image.
+ pullPolicy: IfNotPresent
+ # -- (string) Image tag.
+ tag: "nginx-sidecar-feat_nginx-sidecar"
+
 # -- (list) Docker image pull secrets.
 imagePullSecrets: []
@@ -146,6 +156,20 @@ service:
 # -- (int) Secure port on which the service is exposed
 httpsPort: 443
+# -- (list) Volumes to mount to the container.
+volumeMounts:
+ - name: "wts-secret"
+ readOnly: true
+ mountPath: "/var/www/wts/appcreds.json"
+ subPath: appcreds.json
+ - name: "config-volume"
+ readOnly: true
+ mountPath: "/wts/deployment/wsgi/wsgi.py"
+ subPath: "wsgi.py"
+ - name: "wsgi-config"
+ mountPath: "/wts/deployment/wsgi/gunicorn.conf.py"
+ subPath: gunicorn.conf.py
+
 # -- (map) Resource requests and limits for the containers in the pod
 resources:
 # -- (map) The amount of resources that the container requests
From a996869c44d64d45cb873c7cff5e1b4a73609204 Mon Sep 17 00:00:00 2001
From: Edward Malinowski
Date: Tue, 28 Nov 2023 16:02:46 -0600
Subject: [PATCH 15/27] adding gunicorn changes for peregrine, requestor, wts
---
 helm/wts/README.md | 2 +-
 helm/wts/values.yaml | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/helm/wts/README.md b/helm/wts/README.md
index ceac5d6b..d5b60509 100644
--- a/helm/wts/README.md
+++ b/helm/wts/README.md
@@ -102,7 +102,7 @@ A Helm chart for gen3 workspace token service | sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | | sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | -| volumeMounts | list | `[{"mountPath":"/var/www/wts/appcreds.json","name":"wts-secret","readOnly":true,"subPath":"appcreds.json"},{"mountPath":"/wts/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"wsgi.py"},{"mountPath":"/wts/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/var/www/wts/appcreds.json","name":"wts-secret","readOnly":true,"subPath":"appcreds.json"},{"mountPath":"/wts/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/wts/values.yaml b/helm/wts/values.yaml index d8b979f0..fe1dcbf7 100644 --- a/helm/wts/values.yaml +++ b/helm/wts/values.yaml @@ -162,10 +162,6 @@ volumeMounts: readOnly: true mountPath: "/var/www/wts/appcreds.json" subPath: appcreds.json - - name: "config-volume" - readOnly: true - mountPath: "/wts/deployment/wsgi/wsgi.py" - subPath: "wsgi.py" - name: "wsgi-config" mountPath: "/wts/deployment/wsgi/gunicorn.conf.py" subPath: gunicorn.conf.py From 8dbb793f496b4c1d9c44351e04efdb0793bdaf95 Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 28 Nov 2023 17:56:52 -0600 Subject: [PATCH 16/27] Fix peregrine wsgi --- helm/metadata/README.md | 4 ++-- helm/peregrine/templates/wsgi.yaml | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/helm/metadata/README.md b/helm/metadata/README.md index 213ca172..7a66aad3 100644 --- a/helm/metadata/README.md 
+++ b/helm/metadata/README.md 
@@ -25,7 +25,7 @@ A Helm chart for gen3 Metadata Service | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Value for topology key label. | | aggMdsConfig | string | `"{\n \"configuration\": {\n \"schema\": {\n \"_subjects_count\": {\n \"type\": \"integer\"\n },\n \"__manifest\": {\n \"description\": \"an array of filename (usually DRS ids and its size\",\n \"type\": \"array\",\n \"properties\": {\n \"file_name\": {\n \"type\": \"string\"\n },\n \"file_size\": {\n \"type\": \"integer\"\n }\n }\n },\n \"tags\": {\n \"type\": \"array\"\n },\n \"_unique_id\": {},\n \"study_description\": {},\n \"study_id\": {},\n \"study_url\": {},\n \"project_id\": {},\n \"short_name\": {\n \"default\": \"not_set\"\n },\n \"year\": {\n \"default\": \"not_set\"\n },\n \"full_name\": {},\n \"commons_url\": {},\n \"commons\": {}\n },\n \"settings\": {\n \"cache_drs\": true\n }\n },\n \"adapter_commons\": {\n \"Gen3\": {\n \"mds_url\": \"https://gen3.datacommons.io/\",\n \"commons_url\": \"gen3.datacommons.io/\",\n \"adapter\": \"gen3\",\n \"config\": {\n \"guid_type\": \"discovery_metadata\",\n \"study_field\": \"gen3_discovery\"\n },\n \"keep_original_fields\": false,\n \"field_mappings\": {\n \"tags\": \"path:tags\",\n \"_unique_id\": \"path:_unique_id\",\n \"study_description\": \"path:summary\",\n \"full_name\": \"path:study_title\",\n \"short_name\": \"path:short_name\",\n \"year\": \"path:year\",\n \"accession_number\": \"path:accession_number\",\n \"commons\": \"Gen3 Data Commons\",\n \"study_url\": {\n \"path\": \"link\",\n \"default\": \"unknown\"\n }\n }\n }\n }\n}\n"` | | | aggMdsNamespace | string | `"default"` | Namespae to use if AggMds is enabled. | -| args | list | `["-c","/env/bin/alembic upgrade head\n"]` | Arguments to pass to the init container. | +| args | list | `["-c","alembic upgrade head\n"]` | Arguments to pass to the init container. 
| | automountServiceAccountToken | bool | `false` | Automount the default service account token | | autoscaling | map | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Configuration for autoscaling the number of replicas | | autoscaling.enabled | bool | `false` | Whether autoscaling is enabled | @@ -117,7 +117,7 @@ A Helm chart for gen3 Metadata Service | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | useAggMds | bool | `"True"` | Set to true to aggregate metadata from multiple other Metadata Service instances. | -| volumeMounts | list | `[{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"},{"mountPath":"/metadata.json","name":"config-manifest","readOnly":true,"subPath":"json"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/metadata-service/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"},{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"},{"mountPath":"/metadata.json","name":"config-manifest","readOnly":true,"subPath":"json"}]` | Volumes to mount to the container. | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/helm/peregrine/templates/wsgi.yaml b/helm/peregrine/templates/wsgi.yaml index ce563b63..52e4028e 100644 --- a/helm/peregrine/templates/wsgi.yaml +++ b/helm/peregrine/templates/wsgi.yaml 
@@ -9,5 +9,4 @@ data:
 workers = 1
 user = 'gen3'
 group = 'gen3'
- timeout = 300
- worker_class = "uvicorn.workers.UvicornWorker"
\ No newline at end of file
+ timeout = 300
\ No newline at end of file
From f05ba28fb09d1fb1973e07b5b6be64515dd97c47 Mon Sep 17 00:00:00 2001
From: Jawad Qureshi
Date: Tue, 28 Nov 2023 18:01:35 -0600
Subject: [PATCH 17/27] add ttlSecondsAfterFinished: 100 to some jobs
---
 helm/common/templates/_db_setup_job.tpl | 1 +
 helm/indexd/templates/pre-install.yaml | 1 +
 helm/wts/templates/wts-oidc.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/helm/common/templates/_db_setup_job.tpl b/helm/common/templates/_db_setup_job.tpl
index 7acd75bb..91ebdb2c 100644
--- a/helm/common/templates/_db_setup_job.tpl
+++ b/helm/common/templates/_db_setup_job.tpl
@@ -36,6 +36,7 @@ kind: Job
 metadata:
 name: {{ .Chart.Name }}-dbcreate
 spec:
+ ttlSecondsAfterFinished: 100
 template:
 metadata:
 labels:
diff --git a/helm/indexd/templates/pre-install.yaml b/helm/indexd/templates/pre-install.yaml
index ae0eca5a..26ab96a4 100644
--- a/helm/indexd/templates/pre-install.yaml
+++ b/helm/indexd/templates/pre-install.yaml
@@ -9,6 +9,7 @@ metadata:
 name: indexd-userdb
 spec:
 backoffLimit: 0
+ ttlSecondsAfterFinished: 100
 template:
 metadata:
 labels:
diff --git a/helm/wts/templates/wts-oidc.yaml b/helm/wts/templates/wts-oidc.yaml
index 769a3c47..9955e5e2 100644
--- a/helm/wts/templates/wts-oidc.yaml
+++ b/helm/wts/templates/wts-oidc.yaml
@@ -8,6 +8,7 @@ spec:
 labels:
 app: gen3job
 spec:
+ ttlSecondsAfterFinished: 100
 restartPolicy: OnFailure
 serviceAccountName: wts-secrets
 volumes:
From c8db5e08aa992c58f5f9694643edc22b430af41f Mon Sep 17 00:00:00 2001
From: Jawad Qureshi
Date: Tue, 28 Nov 2023 18:13:57 -0600
Subject: [PATCH 18/27] set ttlSecondsAfterFinished: 10 for dbcreate jobs
---
 helm/common/templates/_db_setup_job.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
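Review bot: With `worker_class` removed, gunicorn falls back to its sync worker, and `workers = 1` then serves exactly one request at a time while `timeout = 300` lets a single slow request hold that worker for five minutes; one stalled request leaves peregrine unresponsive and its readiness probe on 8000 failing for the duration. Either raising `workers` or adding `threads = N` (the gthread worker) keeps one stuck request from blocking the whole pod; the right count depends on the container's resource limits, which are set in values.yaml outside this hunk.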
diff --git a/helm/common/templates/_db_setup_job.tpl b/helm/common/templates/_db_setup_job.tpl
index 91ebdb2c..c3ddb395 100644
--- a/helm/common/templates/_db_setup_job.tpl
+++ b/helm/common/templates/_db_setup_job.tpl
@@ -36,7 +36,7 @@ kind: Job
 metadata:
 name: {{ .Chart.Name }}-dbcreate
 spec:
- ttlSecondsAfterFinished: 100
+ ttlSecondsAfterFinished: 10
 template:
 metadata:
 labels:
From 068e0c978b99a980f17555509d6f63071ce6c5b8 Mon Sep 17 00:00:00 2001
From: Jawad Qureshi
Date: Tue, 28 Nov 2023 18:20:23 -0600
Subject: [PATCH 19/27] Fix wts-oidc-job ttlSecondsAfterFinished
---
 helm/wts/templates/wts-oidc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/wts/templates/wts-oidc.yaml b/helm/wts/templates/wts-oidc.yaml
index 9955e5e2..3b2b7d7d 100644
--- a/helm/wts/templates/wts-oidc.yaml
+++ b/helm/wts/templates/wts-oidc.yaml
@@ -3,12 +3,12 @@ kind: Job
 metadata:
 name: wts-oidc-job
 spec:
+ ttlSecondsAfterFinished: 100
 template:
 metadata:
 labels:
 app: gen3job
 spec:
- ttlSecondsAfterFinished: 100
 restartPolicy: OnFailure
 serviceAccountName: wts-secrets
 volumes:
From 235b8f3ace1c88e4879938c62d38f5fcb97bcde1 Mon Sep 17 00:00:00 2001
From: Jawad Qureshi
Date: Tue, 28 Nov 2023 18:50:49 -0600
Subject: [PATCH 20/27] Add dev-bootstrap script
---
 dev-bootstrap.sh | 450 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 450 insertions(+)
 create mode 100755 dev-bootstrap.sh
diff --git a/dev-bootstrap.sh b/dev-bootstrap.sh
new file mode 100755
index 00000000..19262bf7
--- /dev/null
+++ b/dev-bootstrap.sh
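Review bot: `ttlSecondsAfterFinished: 10` on the dbcreate Job removes the Job and its pod ten seconds after it finishes, and the TTL controller applies equally to Jobs that end Failed, so the log of a failed database setup is gone before anyone can read it; that is the one run whose output matters for diagnosing a broken install. Keeping a TTL in the hundreds (as the wts-oidc job in the next hunk does with 100) preserves a failure long enough to inspect; if this template is a Helm hook and the aim is only to clear successful runs between upgrades, a `helm.sh/hook-delete-policy: hook-succeeded` annotation does that without discarding failures.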
@@ -0,0 +1,450 @@ +# install helm cli +# https://helm.sh/docs/intro/install/ +# https://helm.sh/docs/intro/quickstart/ + + +# install kubectl +function install_kubectl() { + # check if kubectl is installed + if ! command -v kubectl &> /dev/null + then + echo "kubectl could not be found" + echo "installing kubectl" + # install kubectl + # Check if uname == Darwin + if [ $(uname) = Darwin ] + then + # For AMD64 / x86_64 + [ $(uname -m) = x86_64 ] && curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/darwin/amd64/kubectl + # For ARM64 + [ $(uname -m) = aarch64 ] && curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/darwin/arm64/kubectl + chmod +x ./kubectl + sudo mv ./kubectl /usr/local/bin/kubectl + fi + + # Check if uname == Linux + if [ $(uname) = Linux ] + then + # For AMD64 / x86_64 + [ $(uname -m) = x86_64 ] && curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl + # For ARM64 + [ $(uname -m) = aarch64 ] && curl -Lo ./kubectl https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubectl + chmod +x ./kubectl + sudo mv ./kubectl /usr/local/bin/kubectl + fi + fi +} + + +# install helm cli +function install_helm() { + # check if helm is installed + if ! command -v helm &> /dev/null + then + echo "helm could not be found" + echo "installing helm" + # install helm + curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 + chmod 700 get_helm.sh + ./get_helm.sh --version v3.12.3 + fi + + # cleanup + rm -rf get_helm.sh +} + +# checkout gen3-helm repository +function checkout_gen3_helm() { + # checkout gen3-helm repository + if [ ! 
-d ~/.gen3/gen3-helm ]; then + echo "gen3-helm repository not found" + echo "cloning gen3-helm repository" + mkdir -p ~/.gen3 + git clone https://github.com/uc-cdis/gen3-helm.git ~/.gen3/gen3-helm + + # checkout branch called feat/GPE-979 without cd + git checkout -C ~/.gen3/gen3-helm feat/GPE-979 + git -C ~/.gen3/gen3-helm pull + fi +} + +function gen3_helm_repo() { + # add gen3-helm repo + helm repo add gen3 https://helm.gen3.org + helm repo update +} + +# install docker +function install_docker() { + # check if docker is installed + if ! command -v docker &> /dev/null + then + echo "docker could not be found" + echo "installing docker" + # install docker + curl -fsSL https://get.docker.com -o get-docker.sh + sh get-docker.sh + fi + + # cleanup + rm -rf get-docker.sh +} + +# install kind +function install_kind() { + # check if kind is installed + if ! command -v kind &> /dev/null + then + echo "kind could not be found" + echo "installing kind" + # check if mac + if [[ "$OSTYPE" == "darwin"* ]]; then + # For Intel Macs + [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-darwin-amd64 + # For M1 / ARM Macs + [ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-darwin-arm64 + chmod +x ./kind + mv ./kind /some-dir-in-your-PATH/kind + else + # install kind + # For AMD64 / x86_64 + [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 + # For ARM64 + [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 + chmod +x ./kind + sudo mv ./kind /usr/local/bin/kind + fi + fi +} + +# Create kind cluster +function create_kind_cluster() { + # Check if cluster already exists + if ! 
kind get clusters | grep -q "kind"; then + echo "kind cluster not found" + echo "creating Kubernetes in Docker (KIND) cluster for gen3 deployment" + # create kind cluster with port 80 and 443 exposed + cat < ~/.gen3/gen3-k8s-alias +# if (( $+commands[kubectl] )); then +# __KUBECTL_COMPLETION_FILE="${ZSH_CACHE_DIR}/kubectl_completion" + +# if [[ ! -f $__KUBECTL_COMPLETION_FILE ]]; then +# kubectl completion zsh >! $__KUBECTL_COMPLETION_FILE +# fi + +# [[ -f $__KUBECTL_COMPLETION_FILE ]] && source $__KUBECTL_COMPLETION_FILE + +# unset __KUBECTL_COMPLETION_FILE +# fi + +# This command is used a LOT both below and in daily life +alias k=kubectl + +# Execute a kubectl command against all namespaces +alias kca='f(){ kubectl "$@" --all-namespaces; unset -f f; }; f' + +# Apply a YML file +alias kaf='kubectl apply -f' + +# Drop into an interactive terminal on a container +alias keti='kubectl exec -ti' + +# Manage configuration quickly to switch contexts between local, dev ad staging. +alias kcuc='kubectl config use-context' +alias kcsc='kubectl config set-context' +alias kcdc='kubectl config delete-context' +alias kccc='kubectl config current-context' + +# List all contexts +alias kcgc='kubectl config get-contexts' + +# General aliases +alias kdel='kubectl delete' +alias kdelf='kubectl delete -f' + +# Pod management. +alias kgp='kubectl get pods' +alias kgpw='kgp --watch' +alias kgpwide='kgp -o wide' +alias kep='kubectl edit pods' +alias kdp='kubectl describe pods' +alias kdelp='kubectl delete pods' + +# get pod by label: kgpl "app=myapp" -n myns +alias kgpl='kgp -l' + +# Service management. 
+alias kgs='kubectl get svc' +alias kgsw='kgs --watch' +alias kgswide='kgs -o wide' +alias kes='kubectl edit svc' +alias kds='kubectl describe svc' +alias kdels='kubectl delete svc' + +# Ingress management +alias kgi='kubectl get ingress' +alias kei='kubectl edit ingress' +alias kdi='kubectl describe ingress' +alias kdeli='kubectl delete ingress' + +# Namespace management +alias kgns='kubectl get namespaces' +alias kens='kubectl edit namespace' +alias kdns='kubectl describe namespace' +alias kdelns='kubectl delete namespace' +alias kcn='kubectl config set-context $(kubectl config current-context) --namespace' + +# ConfigMap management +alias kgcm='kubectl get configmaps' +alias kecm='kubectl edit configmap' +alias kdcm='kubectl describe configmap' +alias kdelcm='kubectl delete configmap' + +# Secret management +alias kgsec='kubectl get secret' +alias kdsec='kubectl describe secret' +alias kdelsec='kubectl delete secret' + +# Deployment management. +alias kgd='kubectl get deployment' +alias kgdw='kgd --watch' +alias kgdwide='kgd -o wide' +alias ked='kubectl edit deployment' +alias kdd='kubectl describe deployment' +alias kdeld='kubectl delete deployment' +alias ksd='kubectl scale deployment' +alias krsd='kubectl rollout status deployment' +kres(){ + kubectl set env $@ REFRESHED_AT=$(date +%Y%m%d%H%M%S) +} + +# Rollout management. 
+alias kgrs='kubectl get rs' +alias krh='kubectl rollout history' +alias kru='kubectl rollout undo' + +# Port forwarding +alias kpf="kubectl port-forward" + +# Tools for accessing all information +alias kga='kubectl get all' +alias kgaa='kubectl get all --all-namespaces' + +# Logs +alias kl='kubectl logs' +alias klf='kubectl logs -f' + +# File copy +alias kcp='kubectl cp' + +# Node Management +alias kgno='kubectl get nodes' +alias keno='kubectl edit node' +alias kdno='kubectl describe node' +alias kdelno='kubectl delete node' +EOF + source ~/.gen3/gen3-k8s-alias + + # adding to .zshrc or .bashrc whatever exists + if [ -f ~/.zshrc ]; then + # check if gen3-k8s-alias is already in .zshrc + # if not, add it + if ! grep -q "gen3-k8s-alias" ~/.zshrc; then + echo "adding gen3-k8s-alias to .zshrc" + echo "source ~/.gen3/gen3-k8s-alias" >> ~/.zshrc + fi + elif [ -f ~/.bashrc ]; then + # check if gen3-k8s-alias is already in .bashrc + # if not, add it + if ! grep -q "gen3-k8s-alias" ~/.bashrc; then + echo "adding gen3-k8s-alias to .bashrc" + echo "source ~/.gen3/gen3-k8s-alias" >> ~/.bashrc + fi + fi + +} + + +function install_k9s() { + # check if k9s is installed + if ! 
command -v k9s &> /dev/null + then + # install k9s + # check if brew is installed and use it to install k9s + if command -v brew &> /dev/null + then + echo "k9s could not be found" + echo "installing k9s" + brew install k9s + fi + fi +} + + +function install_ingress() { + # chekc if ingress-nginx is installed + if kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s > /dev/null 2>&1; then + return + fi + echo "installing ingress-nginx" + + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml > /dev/null 2>&1 + sleep 15 + kubectl wait --namespace ingress-nginx \ + --for=condition=ready pod \ + --selector=app.kubernetes.io/component=controller \ + --timeout=90s + echo "ingress-nginx installed" + sleep 30 +} + + + +function nuke() { + if command -v kind &> /dev/null 2>&1; + then + if kind get clusters | grep -q "kind"; then + echo "deleting kind cluster" + kind delete cluster + fi + fi + + sudo rm -rf ~/.gen3/values.yaml || true + sudo rm -rf ~/.gen3/gen3-k8s-alias || true + sudo rm -rf ~/.gen3/gen3-helm || true +} + +function install_gen3() { + # check if values file exists in ~/.gen3/values.yaml + if [ ! -f ~/.gen3/values.yaml ]; then + echo "values.yaml file not found" + echo "creating dummy values.yaml file" + echo "You should still edit this file in ~/.gen3/values.yaml to make your own changes!" 
+ # create values.yaml file + cat < ~/.gen3/values.yaml +# values.yaml +global: + hostname: changeme.dev.planx-pla.net + dev: true + +fence: + image: + tag: master + FENCE_CONFIG: + MOCK_AUTH: "true" +EOF + fi + + # helm dependency update + echo "helm dependency update" + helm dependency update ~/.gen3/gen3-helm/helm/gen3 > /dev/null 2>&1 + kubectl delete jobs --all + helm upgrade --install gen3 ~/.gen3/gen3-helm/helm/gen3 -f ~/.gen3/values.yaml +} + +function update_hosts_file() { + hostname=$(cat ~/.gen3/values.yaml | yq -r .global.hostname) + echo $hostname + + # check if hosts file already has the hostname added + if grep -q "$hostname" /etc/hosts; then + echo "hostname already added to /etc/hosts" + return + fi + + # add hostname to /etc/hosts file and make it route to localhost + echo "adding hostname $hostname to /etc/hosts for local routing" + echo "127.0.0.1 $hostname" | sudo tee -a /etc/hosts +} + +# main function +function main() { + if [ "$1" == "-h" ]; then + echo "Usage: ./dev-bootstrap.sh [-n] [-h]" + echo "Options:" + echo " -h: help" + echo " -n: nuke everything" + echo " --hosts: Just update /etc/hosts file for your commons hostname" + return + fi + + # nuke if -n flag is passed + if [ "$1" == "-n" ]; then + nuke + return + fi + + # update hosts file only if --host flag is passed + if [ "$1" == "--hosts" ]; then + update_hosts_file + return + fi + + # accept a -y to skip the confirmation prompt + if [ "$1" == "-y" ]; then + echo "Skipping confirmation prompt" + else + # prompt user to continue + echo "This script will install (if not already installed) kubectl, helm, docker, kind, k9s, ingress-nginx, and gen3. " + echo "" + echo "It will also update your hosts file to route your commons hostname to your computer (localhost)" + echo "" + read -p "Continue? (y/n) " -n 1 -r + if [[ ! 
$REPLY =~ ^[Yy]$ ]] + then + echo "Exiting" + return + fi + fi + + install_kubectl + apply_k8_alias + install_helm + install_docker + install_kind + create_kind_cluster + install_k9s + checkout_gen3_helm + install_ingress + install_gen3 + update_hosts_file +} + +# run main function +main $@ + From a763e7d8cfcdff9cd6f928c4789c3ff9e8dbd0d0 Mon Sep 17 00:00:00 2001 From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Wed, 10 Jul 2024 11:30:48 -0600 Subject: [PATCH 21/27] updating audit service to enable use of slim image conditionally --- .secrets.baseline | 6 +++--- helm/audit/Chart.yaml | 4 ++-- helm/audit/README.md | 15 +++++++------ helm/audit/templates/deployment.yaml | 32 +++++++++++++++++++++++++--- helm/audit/values.yaml | 23 ++++++++++++-------- helm/common/Chart.yaml | 2 +- helm/common/README.md | 2 +- helm/fence/Chart.yaml | 2 +- helm/fence/README.md | 8 +++---- helm/indexd/Chart.yaml | 2 +- helm/indexd/README.md | 3 ++- helm/manifestservice/Chart.yaml | 2 +- helm/manifestservice/README.md | 2 +- helm/metadata/Chart.yaml | 2 +- helm/metadata/README.md | 2 +- helm/peregrine/Chart.yaml | 2 +- helm/peregrine/README.md | 2 +- helm/requestor/Chart.yaml | 2 +- helm/requestor/README.md | 2 +- helm/sheepdog/Chart.yaml | 2 +- helm/sheepdog/README.md | 2 +- helm/wts/Chart.yaml | 2 +- helm/wts/README.md | 2 +- 23 files changed, 79 insertions(+), 44 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 2f758ae1..dbf63cb7 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2024-07-02T16:36:02Z", + "generated_at": "2024-07-10T17:29:48Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -426,7 +426,7 @@ "hashed_secret": "44cb746036385723dde2ac36e53da8932a69bfe2", "is_secret": false, "is_verified": false, - "line_number": 108, + "line_number": 112, "type": "Secret Keyword" } ], 
@@ -506,7 +506,7 @@ "hashed_secret": "489e396b7c68f95c6018f7b98ef7b1b94587ef29", "is_secret": false, "is_verified": false, - "line_number": 103, + "line_number": 107, "type": "Secret Keyword" } ], diff --git a/helm/audit/Chart.yaml b/helm/audit/Chart.yaml index 2295c602..6504dab2 100644 --- a/helm/audit/Chart.yaml +++ b/helm/audit/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.12 +version: 0.1.13 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -24,7 +24,7 @@ appVersion: "master" dependencies: - name: common - version: 0.1.10 + version: 0.1.11 repository: file://../common - name: postgresql version: 11.9.13 diff --git a/helm/audit/README.md b/helm/audit/README.md index 43885245..b59860c2 100644 --- a/helm/audit/README.md +++ b/helm/audit/README.md @@ -1,6 +1,6 @@ # audit -![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for Kubernetes 
@@ -8,7 +8,7 @@ A Helm chart for Kubernetes | Repository | Name | Version | |------------|------|---------| -| file://../common | common | 0.1.10 | +| file://../common | common | 0.1.11 | | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 | ## Values 
@@ -119,10 +119,13 @@ A Helm chart for Kubernetes | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Whether to create a service account | | serviceAccount.name | string | `"audit-service-sa"` | The name of the service account | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | +| slimImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the slim AL2 based image. | +| slimImage.enabled | bool | `false` | Enable the use of the slim AL2 based image. | +| slimImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| slimImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| slimImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| slimImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| slimImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | volumeMounts | list | `[]` | Volumes to mount to the container. | | volumes | list | `[]` | Volumes to attach to the container. | 
diff --git a/helm/audit/templates/deployment.yaml b/helm/audit/templates/deployment.yaml
index b6b1e28b..dc4a0e35 100644
--- a/helm/audit/templates/deployment.yaml
+++ b/helm/audit/templates/deployment.yaml
@@ -26,43 +26,63 @@ spec:
 {{- include "common.datadogLabels" . | nindent 8 }}
 {{- end }}
 spec:
+ {{- if .Values.slimImage.enabled }}
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
+ {{- end }}
 serviceAccountName: {{ include "audit.serviceAccountName" . }}
 volumes:
 - name: config-volume
 secret:
 secretName: "audit-g3auto"
+ {{- if .Values.slimImage.enabled }}
 - name: wsgi-config
 configMap:
 name: audit-wsgi
 - name: nginx-config
 configMap:
 name: audit-nginx-configmap
+ {{- end }}
 {{- with .Values.volumes }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
 containers:
 - name: audit
+ {{- if .Values.slimImage.enabled }}
+ image: "quay.io/cdis/audit-service:feat_GPE-1113"
+ {{- else }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
+ {{- if .Values.slimImage.enabled }}
 - containerPort: 8000
+ {{- else }}
+ - containerPort: 80
+ {{- end }}
 name: http
 protocol: TCP
 livenessProbe:
 httpGet:
 path: /_status
+ {{- if .Values.slimImage.enabled }}
 port: 8000
+ {{- else }}
+ port: 80
+ {{- end }}
 initialDelaySeconds: 30
 periodSeconds: 60
 timeoutSeconds: 30
 readinessProbe:
 httpGet:
 path: /_status
+ {{- if .Values.slimImage.enabled }}
 port: 8000
+ {{- else }}
+ port: 80
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 env:
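Review bot: The pod-level securityContext (runAsUser/runAsGroup/fsGroup 1000) is now rendered only inside `{{- if .Values.slimImage.enabled }}`, so the chart default (slimImage.enabled: false) loses the non-root context it had before this hunk; presumably the legacy image has to bind :80 as root, but that trade-off should be stated next to the guard, e.g. `# legacy image listens on :80 and runs as root; the slim image runs as uid 1000 on :8000`. Separately, the slim branch hard-codes `image: "quay.io/cdis/audit-service:feat_GPE-1113"` (repeated for the audit-init initContainer in the `@@ -129,7 +151,11 @@` hunk), a mutable feature-branch tag that ignores .Values.image.repository/.tag and cannot be pinned by digest; `image: "{{ .Values.image.repository }}:{{ .Values.slimImage.tag }}"` with the tag exposed in values.yaml would keep it operator-controlled. Because imagePullPolicy still comes from .Values.image.pullPolicy, a mutable tag combined with IfNotPresent means each node keeps whichever build it pulled first, which is hard to audit.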
@@ -105,16 +125,18 @@ spec:
 readOnly: true
 mountPath: "/src/audit-service-config.yaml"
 subPath: "audit-service-config.yaml"
+ {{- if .Values.slimImage.enabled }}
 - name: "wsgi-config"
 mountPath: "/audit-service/deployment/wsgi/gunicorn.conf.py"
 subPath: gunicorn.conf.py
+ {{- end }}
 {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- if .Values.sidecar.enabled }}
+ {{- if .Values.slimImage.sidecar.enabled }}
 - name: sidecar-nginx
- image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}
- imagePullPolicy: {{ .Values.sidecar.pullPolicy }}
+ image: {{ .Values.slimImage.sidecar.image }}:{{ .Values.slimImage.sidecar.tag }}
+ imagePullPolicy: {{ .Values.slimImage.sidecar.pullPolicy }}
 ports:
 - name: http
 containerPort: 8080
@@ -129,7 +151,11 @@ spec:
 {{- end }}
 initContainers:
 - name: audit-init
+ {{- if .Values.slimImage.enabled }}
+ image: "quay.io/cdis/audit-service:feat_GPE-1113"
+ {{- else }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
 - name: DB_HOST
diff --git a/helm/audit/values.yaml b/helm/audit/values.yaml
index bba64501..1e069c66 100644
--- a/helm/audit/values.yaml
+++ b/helm/audit/values.yaml
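Review bot: `{{- if .Values.slimImage.sidecar.enabled }}` renders the nginx sidecar regardless of slimImage.enabled, while the nginx-config and wsgi-config volumes are only defined under slimImage.enabled earlier in the template; with sidecar.enabled true and slimImage.enabled false the pod would most likely reference a volume that was never declared (the sidecar's volumeMounts sit outside this hunk, so this is inferred). Guard on both, `{{- if and .Values.slimImage.enabled .Values.slimImage.sidecar.enabled }}`, or fail fast at render time with `{{- if and .Values.slimImage.sidecar.enabled (not .Values.slimImage.enabled) }}{{ fail "slimImage.sidecar requires slimImage.enabled" }}{{- end }}`. The sidecar container definition continues past the end of the hunk.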
@@ -117,15 +117,20 @@ image:
 # -- (string) Overrides the image tag whose default is the chart appVersion.
 tag: "master"
-# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
-sidecar:
- enabled: true
- # -- (string) The Docker image repository for nginx
- image: quay.io/cdis/nginx-sidecar
- # -- (string) When to pull the image.
- pullPolicy: IfNotPresent
- # -- (string) Image tag.
- tag: "nginx-sidecar-feat_nginx-sidecar"
+# -- (map) Configuration settings for the slim AL2 based image.
+slimImage:
+ # -- (bool) Enable the use of the slim AL2 based image.
+ enabled: false
+ # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+ sidecar:
+ # -- (bool) Enable the Nginx sidecar container.
+ enabled: false
+ # -- (string) The Docker image repository for nginx
+ image: quay.io/cdis/nginx-sidecar
+ # -- (string) When to pull the image.
+ pullPolicy: IfNotPresent
+ # -- (string) Image tag.
+ tag: "nginx-sidecar-feat_nginx-sidecar"
 # -- (list) Docker image pull secrets.
 imagePullSecrets: []
diff --git a/helm/common/Chart.yaml b/helm/common/Chart.yaml
index 11151e9d..768bff1f 100644
--- a/helm/common/Chart.yaml
+++ b/helm/common/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.11
+version: 0.1.12
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/common/README.md b/helm/common/README.md
index 1fe4bdf7..64833c45 100644
--- a/helm/common/README.md
+++ b/helm/common/README.md
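Review bot: The new `slimImage.sidecar.enabled` comment does not say that the sidecar only makes sense together with `slimImage.enabled` (deployment.yaml declares the nginx-config volume and the :8000 gunicorn port only in that mode); suggest `# -- (bool) Enable the Nginx sidecar container. Only valid when slimImage.enabled is true.`. The default `tag: "nginx-sidecar-feat_nginx-sidecar"` is a feature-branch tag carried over from the removed sidecar block; a mutable tag combined with `pullPolicy: IfNotPresent` gives operators no reproducible image, so a comment such as `# -- (string) Image tag. Pin to a released tag or digest for production.` would make the expectation explicit.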
@@ -1,6 +1,6 @@ # common -![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for provisioning databases in gen3 diff --git a/helm/fence/Chart.yaml b/helm/fence/Chart.yaml index b4bd4825..d7cf0ccf 100644 --- a/helm/fence/Chart.yaml +++ b/helm/fence/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.19 +version: 0.1.20 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/fence/README.md b/helm/fence/README.md index 796755f5..3836df6f 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md 
@@ -1,6 +1,6 @@ # fence -![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.20](https://img.shields.io/badge/Version-0.1.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Fence @@ -135,7 +135,7 @@ A Helm chart for gen3 Fence | global.syncFromDbgap | bool | `false` | Whether to sync data from dbGaP. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `"1000"` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | -| image.pullPolicy | string | `"Always"` | When to pull the image. This value should be "Always" to ensure the latest image is used. | +| image.pullPolicy | string | `"IfNotPresent"` | When to pull the image. This value should be "Always" to ensure the latest image is used. | | image.repository | string | `"quay.io/cdis/fence"` | The Docker image repository for the fence service | | image.tag | string | `"master"` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Docker image pull secrets. | 
@@ -201,6 +201,6 @@ A Helm chart for gen3 Fence | usersync.syncFromDbgap | bool | `false` | Whether to sync data from dbGaP. | | usersync.userYamlS3Path | string | `"s3://cdis-gen3-users/helm-test/user.yaml"` | Path to the user.yaml file in S3. | | usersync.usersync | bool | `true` | Whether to run Fence usersync or not. | -| volumeMounts | list | `[{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config-secret.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":true,"subPath":"jwt_private_key.pem"},{"mountPath":"/var/www/fence/fence-config-public.yaml","name":"config-volume-public","readOnly":true,"subPath":"fence-config-public.yaml"}]` | Volumes to mount to the container. 
| -| volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":false},"name":"yaml-merge"},{"configMap":{"name":"manifest-fence","optional":true},"name":"config-volume-public"}]` | Volumes to attach to the container. | +| volumeMounts | list | 
`[{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config-secret.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":false,"subPath":"jwt_private_key.pem"},{"mountPath":"/var/www/fence/fence-config-public.yaml","name":"config-volume-public","readOnly":true,"subPath":"fence-config-public.yaml"}]` | Volumes to mount to the container. 
| +| volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":false},"name":"yaml-merge"},{"configMap":{"name":"manifest-fence","optional":true},"name":"config-volume-public"},{"configMap":{"name":"fence-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"fence-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | diff --git a/helm/indexd/Chart.yaml b/helm/indexd/Chart.yaml index 19e78126..da9e5989 100644 --- a/helm/indexd/Chart.yaml +++ b/helm/indexd/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.14 +version: 0.1.15 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/indexd/README.md b/helm/indexd/README.md index b4e5ff79..ebffc843 100644 --- a/helm/indexd/README.md +++ b/helm/indexd/README.md 
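Review bot: The regenerated `volumeMounts` default flips `readOnly` from `true` to `false` for the `fence-jwt-keys` mount at `/fence/keys/key/jwt_private_key.pem`, which makes the JWT signing key writable from inside the container; the corresponding values.yaml change is not part of this patch, so it is only visible through the helm-docs output. Unless the slim-image entrypoint has to rewrite that file (a chown/chmod for uid 1000, presumably), the mount should stay `"readOnly":true`, and if it genuinely must be writable the values comment should say why. The regenerated `volumes` row also appears to attach the `fence-wsgi` and `fence-nginx-configmap` ConfigMap volumes by default, whereas audit gates the equivalent volumes on slimImage.enabled in this same commit — worth aligning the two charts.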
@@ -1,6 +1,6 @@ # indexd -![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 indexd @@ -107,6 +107,7 @@ A Helm chart for gen3 indexd | sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | | sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | +| uwsgi | map | `{"listen":1024}` | Values for overriding uwsgi settings | | volumeMounts | list | `[{"mountPath":"/var/www/indexd/local_settings.py","name":"config-volume","readOnly":true,"subPath":"local_settings.py"}]` | Volumes to mount to the container. | | volumes | list | `[{"configMap":{"name":"indexd-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}},{"configMap":{"name":"indexd-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the pod | diff --git a/helm/manifestservice/Chart.yaml b/helm/manifestservice/Chart.yaml index 382e0165..ead7c837 100644 --- a/helm/manifestservice/Chart.yaml +++ b/helm/manifestservice/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.14 +version: 0.1.15 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/manifestservice/README.md b/helm/manifestservice/README.md index 9e7df7f5..39794bbe 100644 --- a/helm/manifestservice/README.md +++ b/helm/manifestservice/README.md @@ -1,6 +1,6 @@ # manifestservice -![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for Kubernetes diff --git a/helm/metadata/Chart.yaml b/helm/metadata/Chart.yaml index d38d06e5..cc38c640 100644 --- a/helm/metadata/Chart.yaml +++ b/helm/metadata/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.12 +version: 0.1.13 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
diff --git a/helm/metadata/README.md b/helm/metadata/README.md index 7fe7be69..4fc1f756 100644 --- a/helm/metadata/README.md +++ b/helm/metadata/README.md @@ -1,6 +1,6 @@ # metadata -![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Metadata Service diff --git a/helm/peregrine/Chart.yaml b/helm/peregrine/Chart.yaml index 10f79b5d..fe934b49 100644 --- a/helm/peregrine/Chart.yaml +++ b/helm/peregrine/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.13 +version: 0.1.14 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md index 12776689..63beb122 100644 --- a/helm/peregrine/README.md +++ b/helm/peregrine/README.md 
@@ -1,6 +1,6 @@ # peregrine -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Peregrine service diff --git a/helm/requestor/Chart.yaml b/helm/requestor/Chart.yaml index e0c06a88..f434c773 100644 --- a/helm/requestor/Chart.yaml +++ b/helm/requestor/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.11 +version: 0.1.12 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/requestor/README.md b/helm/requestor/README.md index 2e3cc416..0f55846a 100644 --- a/helm/requestor/README.md +++ b/helm/requestor/README.md 
@@ -1,6 +1,6 @@ # requestor -![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Requestor Service diff --git a/helm/sheepdog/Chart.yaml b/helm/sheepdog/Chart.yaml index ea4bcc32..30c9dbda 100644 --- a/helm/sheepdog/Chart.yaml +++ b/helm/sheepdog/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.14 +version: 0.1.15 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/sheepdog/README.md b/helm/sheepdog/README.md index 10e73e44..cc4817e5 100644 --- a/helm/sheepdog/README.md +++ b/helm/sheepdog/README.md 
@@ -1,6 +1,6 @@ # sheepdog -![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Sheepdog Service diff --git a/helm/wts/Chart.yaml b/helm/wts/Chart.yaml index 6d9533e4..8799591c 100644 --- a/helm/wts/Chart.yaml +++ b/helm/wts/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.13 +version: 0.1.14 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/wts/README.md b/helm/wts/README.md index da26c055..792bc364 100644 --- a/helm/wts/README.md +++ b/helm/wts/README.md 
@@ -1,6 +1,6 @@ # wts -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 workspace token service From 40fe2bc5515deafa44385e824edf946bcb0d6e15 Mon Sep 17 00:00:00 2001 From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Wed, 10 Jul 2024 11:38:27 -0600 Subject: [PATCH 22/27] adding changes to alembic command depending on slim image --- helm/audit/templates/deployment.yaml | 7 +++++++ helm/gen3/Chart.yaml | 22 +++++++++++----------- helm/gen3/README.md | 22 +++++++++++----------- 3 files changed, 29 insertions(+), 22 deletions(-) diff --git a/helm/audit/templates/deployment.yaml b/helm/audit/templates/deployment.yaml index dc4a0e35..3fbe7f10 100644 --- a/helm/audit/templates/deployment.yaml +++ b/helm/audit/templates/deployment.yaml @@ -191,10 +191,17 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] + {{- if .Values.slimImage.enabled }} args: - "-c" - | alembic upgrade head + {{- else }} + args: + - "-c" + - | + /env/bin/alembic upgrade head + {{- end }} volumeMounts: - name: "config-volume" readOnly: true diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml index ccedae64..e47684c1 100644 --- a/helm/gen3/Chart.yaml +++ b/helm/gen3/Chart.yaml 
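Review bot: The two `args:` blocks in the added `{{- if .Values.slimImage.enabled }}` branch of audit's deployment.yaml differ only in the path to the alembic binary, so the conditional duplicates the whole argument list for a one-token difference that will drift the next time one branch is edited. A single block keeps them in step: keep `args:` / `- "-c"` / `- |` once and make the last line `{{ ternary "" "/env/bin/" .Values.slimImage.enabled }}alembic upgrade head`. The enclosing init container starts outside the hunk.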
@@ -17,7 +17,7 @@ dependencies:
 repository: "file://../argo-wrapper"
 condition: argo-wrapper.enabled
 - name: audit
- version: 0.1.12
+ version: 0.1.13
 repository: "file://../audit"
 condition: audit.enabled
 - name: aws-es-proxy
@@ -25,7 +25,7 @@ dependencies:
 repository: "file://../aws-es-proxy"
 condition: aws-es-proxy.enabled
 - name: common
- version: 0.1.11
+ version: 0.1.12
 repository: file://../common
 - name: etl
 version: 0.1.1
@@ -36,7 +36,7 @@ dependencies:
 repository: "file://../frontend-framework"
 condition: frontend-framework.enabled
 - name: fence
- version: 0.1.19
+ version: 0.1.20
 repository: "file://../fence"
 condition: fence.enabled
 - name: guppy
@@ -48,19 +48,19 @@ dependencies:
 repository: "file://../hatchery"
 condition: hatchery.enabled
 - name: indexd
- version: 0.1.14
+ version: 0.1.15
 repository: "file://../indexd"
 condition: indexd.enabled
 - name: manifestservice
- version: 0.1.14
+ version: 0.1.15
 repository: "file://../manifestservice"
 condition: manifestservice.enabled
 - name: metadata
- version: 0.1.12
+ version: 0.1.13
 repository: "file://../metadata"
 condition: metadata.enabled
 - name: peregrine
- version: 0.1.13
+ version: 0.1.14
 repository: "file://../peregrine"
 condition: peregrine.enabled
 - name: pidgin
@@ -72,7 +72,7 @@ dependencies:
 repository: "file://../portal"
 condition: portal.enabled
 - name: requestor
- version: 0.1.11
+ version: 0.1.12
 repository: "file://../requestor"
 condition: requestor.enabled
 - name: revproxy
@@ -80,7 +80,7 @@ dependencies:
 repository: "file://../revproxy"
 condition: revproxy.enabled
 - name: sheepdog
- version: 0.1.14
+ version: 0.1.15
 repository: "file://../sheepdog"
 condition: sheepdog.enabled
 - name: ssjdispatcher
@@ -92,7 +92,7 @@ dependencies:
 condition: sower.enabled
 repository: "file://../sower"
 - name: wts
- version: 0.1.13
+ version: 0.1.14
 repository: "file://../wts"
 condition: wts.enabled
 
@@ -128,7 +128,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.38 +version: 0.1.39 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/gen3/README.md b/helm/gen3/README.md index fa6ed288..c741b5ef 100644 --- a/helm/gen3/README.md +++ b/helm/gen3/README.md @@ -1,6 +1,6 @@ # gen3 -![Version: 0.1.38](https://img.shields.io/badge/Version-0.1.38-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.39](https://img.shields.io/badge/Version-0.1.39-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) Helm chart to deploy Gen3 Data Commons 
@@ -21,27 +21,27 @@ Helm chart to deploy Gen3 Data Commons | file://../ambassador | ambassador | 0.1.11 | | file://../arborist | arborist | 0.1.11 | | file://../argo-wrapper | argo-wrapper | 0.1.7 | -| file://../audit | audit | 0.1.12 | +| file://../audit | audit | 0.1.13 | | file://../aws-es-proxy | aws-es-proxy | 0.1.9 | -| file://../common | common | 0.1.11 | +| file://../common | common | 0.1.12 | | file://../etl | etl | 0.1.1 | -| file://../fence | fence | 0.1.19 | +| file://../fence | fence | 0.1.20 | | file://../frontend-framework | frontend-framework | 0.1.1 | | file://../guppy | guppy | 0.1.12 | | file://../hatchery | hatchery | 0.1.9 | -| file://../indexd | indexd | 0.1.14 | -| file://../manifestservice | manifestservice | 0.1.14 | -| file://../metadata | metadata | 0.1.12 | +| file://../indexd | indexd | 0.1.15 | +| file://../manifestservice | manifestservice | 0.1.15 | +| file://../metadata | metadata | 0.1.13 | | file://../neuvector | neuvector | 0.1.0 | -| file://../peregrine | peregrine | 0.1.13 | +| file://../peregrine | peregrine | 0.1.14 | | file://../pidgin | pidgin | 0.1.10 | | file://../portal | portal | 0.1.15 | -| file://../requestor | requestor | 0.1.11 | +| file://../requestor | requestor | 0.1.12 | | file://../revproxy | revproxy | 0.1.16 | -| file://../sheepdog | sheepdog | 0.1.14 | +| file://../sheepdog | sheepdog | 0.1.15 | | file://../sower | sower | 0.1.11 | | file://../ssjdispatcher | ssjdispatcher | 0.1.9 | -| file://../wts | wts | 0.1.13 | +| file://../wts | wts | 0.1.14 | | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 | | https://helm.elastic.co | elasticsearch | 7.10.2 | From 29bc8e6bdda843f41536f89fb4cd02ec249d1e2b Mon Sep 17 00:00:00 2001 
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Thu, 11 Jul 2024 14:54:19 -0600 Subject: [PATCH 23/27] Making changes to optionally enable Al2 secure images --- .secrets.baseline | 16 ++--- helm/audit/README.md | 23 ++++--- helm/audit/templates/deployment.yaml | 50 ++++++++-------- helm/audit/templates/nginx_config.yaml | 4 +- helm/audit/templates/service.yaml | 16 +++-- helm/audit/templates/wsgi.yaml | 4 +- helm/audit/values.yaml | 20 +++++-- helm/fence/README.md | 19 ++++-- helm/fence/templates/fence-deployment.yaml | 54 ++++++++++++++--- helm/fence/templates/nginx-config.yaml | 4 +- helm/fence/templates/presigned-url-fence.yaml | 37 ++++++++++-- helm/fence/templates/service.yaml | 32 +++++++--- helm/fence/templates/wsgi.yaml | 2 + helm/fence/values.yaml | 35 +++++++---- helm/indexd/README.md | 21 ++++--- helm/indexd/templates/deployment.yaml | 42 ++++++++++--- helm/indexd/templates/nginx_config.yaml | 2 + helm/indexd/templates/pre-install.yaml | 8 +++ helm/indexd/templates/service.yaml | 16 +++-- helm/indexd/templates/uwsgi.yaml | 44 ++++++++++++++ helm/indexd/templates/wsgi.yaml | 2 + helm/indexd/values.yaml | 44 +++++++++----- helm/manifestservice/README.md | 21 ++++--- .../manifestservice/templates/deployment.yaml | 43 ++++++++++--- .../templates/nginx_config.yaml | 4 +- helm/manifestservice/templates/service.yaml | 16 +++-- helm/manifestservice/templates/wsgi.yaml | 4 +- helm/manifestservice/values.yaml | 38 +++++++----- helm/metadata/README.md | 22 ++++--- helm/metadata/templates/deployment.yaml | 60 +++++++++++++++---- helm/metadata/templates/nginx_config.yaml | 4 +- helm/metadata/templates/service.yaml | 9 +++ helm/metadata/templates/wsgi.yaml | 4 +- helm/metadata/values.yaml | 47 ++++++++------- helm/peregrine/README.md | 21 ++++--- helm/peregrine/templates/deployment.yaml | 45 +++++++++++--- helm/peregrine/templates/nginx_config.yaml | 4 +- helm/peregrine/templates/service.yaml | 16 +++-- helm/peregrine/templates/wsgi.yaml | 
4 +- helm/peregrine/values.yaml | 38 +++++++----- helm/requestor/README.md | 22 ++++--- helm/requestor/templates/deployment.yaml | 56 +++++++++++++---- helm/requestor/templates/nginx_config.yaml | 4 +- helm/requestor/templates/service.yaml | 9 +++ helm/requestor/templates/wsgi.yaml | 4 +- helm/requestor/values.yaml | 49 +++++++-------- helm/sheepdog/README.md | 21 ++++--- helm/sheepdog/templates/deployment.yaml | 56 ++++++++++++++--- helm/sheepdog/templates/nginx_config.yaml | 4 +- helm/sheepdog/templates/service.yaml | 16 +++-- helm/sheepdog/templates/wsgi.yaml | 4 +- helm/sheepdog/values.yaml | 44 ++++++++------ helm/wts/README.md | 22 ++++--- helm/wts/templates/deployment.yaml | 47 +++++++++++---- helm/wts/templates/nginx_config.yaml | 3 +- helm/wts/templates/service.yaml | 20 ++++--- helm/wts/templates/wsgi.yaml | 4 +- helm/wts/values.yaml | 40 ++++++++----- 58 files changed, 951 insertions(+), 369 deletions(-) create mode 100644 helm/indexd/templates/uwsgi.yaml diff --git a/.secrets.baseline b/.secrets.baseline index dbf63cb7..8a332751 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2024-07-10T17:29:48Z", + "generated_at": "2024-07-11T20:52:08Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -321,7 +321,7 @@ "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db", "is_secret": false, "is_verified": false, - "line_number": 1963, + "line_number": 1992, "type": "Secret Keyword" } ], @@ -499,14 +499,14 @@ "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9", "is_secret": false, "is_verified": false, - "line_number": 71, + "line_number": 75, "type": "Secret Keyword" }, { "hashed_secret": "489e396b7c68f95c6018f7b98ef7b1b94587ef29", "is_secret": false, "is_verified": false, - "line_number": 107, + "line_number": 114, "type": "Secret Keyword" } ], 
@@ -586,14 +586,14 @@ "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900", "is_secret": false, "is_verified": false, - "line_number": 64, + "line_number": 63, "type": "Secret Keyword" }, { "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9", "is_secret": false, "is_verified": false, - "line_number": 87, + "line_number": 90, "type": "Secret Keyword" } ], @@ -634,7 +634,7 @@ "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9", "is_secret": false, "is_verified": false, - "line_number": 79, + "line_number": 83, "type": "Secret Keyword" } ], @@ -727,7 +727,7 @@ "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9", "is_secret": false, "is_verified": false, - "line_number": 74, + "line_number": 78, "type": "Secret Keyword" } ], diff --git a/helm/audit/README.md b/helm/audit/README.md index b59860c2..7501e8a1 100644 --- a/helm/audit/README.md +++ b/helm/audit/README.md 
@@ -69,7 +69,12 @@ A Helm chart for Kubernetes | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | +| global.tierAccessLimit | int | `"1000"` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | | image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/audit-service","tag":"master"}` | Docker image information. | | image.pullPolicy | string | `"Always"` | When to pull the image. This value should be "Always" to ensure the latest image is used. | | image.repository | string | `"quay.io/cdis/audit-service"` | The Docker image repository for the audit service | 
@@ -104,6 +109,13 @@ A Helm chart for Kubernetes | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | | server.AWS_CREDENTIALS | map | `{}` | AWS credentials to access SQS queue. | 
@@ -112,20 +124,13 @@ A Helm chart for Kubernetes | server.sqs | map | `{"region":"us-east-1","url":"http://sqs.com"}` | AWS SQS queue information. | | server.sqs.region | string | `"us-east-1"` | SQS queue AWS region. | | server.sqs.url | string | `"http://sqs.com"` | The URL for the SQS queue. | -| service | map | `{"port":80,"type":"ClusterIP"}` | Configuration for the service | -| service.port | int | `80` | Port on which the service is exposed | +| service | map | `{"port":[],"type":"ClusterIP"}` | Configuration for the service | +| service.port | list | `[]` | Port on which the service is exposed | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{"eks.amazonaws.com/role-arn":null},"create":true,"name":"audit-service-sa"}` | Service account to use or create. | | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Whether to create a service account | | serviceAccount.name | string | `"audit-service-sa"` | The name of the service account | -| slimImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the slim AL2 based image. | -| slimImage.enabled | bool | `false` | Enable the use of the slim AL2 based image. | -| slimImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| slimImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. 
| -| slimImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| slimImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| slimImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | volumeMounts | list | `[]` | Volumes to mount to the container. | | volumes | list | `[]` | Volumes to attach to the container. | diff --git a/helm/audit/templates/deployment.yaml b/helm/audit/templates/deployment.yaml index 3fbe7f10..c7078e5f 100644 --- a/helm/audit/templates/deployment.yaml +++ b/helm/audit/templates/deployment.yaml @@ -26,7 +26,7 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: - {{- if .Values.slimImage.enabled }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 
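Review bot: `.Values.secureImage.enabled | default .Values.global.secureImage.enabled` cannot express a per-chart opt-out: `default` treats `false` as empty, so once `global.secureImage.enabled` is true the chart-local `enabled: false` is ignored. The same expression is repeated for every conditional in this commit (audit, fence and presigned-url-fence templates), so the semantics should at least be documented where the value is declared, e.g. `# -- (bool) Enable the secure AL2 image. Setting this to false does not override global.secureImage.enabled: true.` If a real opt-out is wanted, the local value has to distinguish unset from false (a null default checked with `hasKey` on `.Values.secureImage`) rather than go through `default`. The enclosing pod spec continues outside the hunk.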
@@ -37,40 +37,40 @@ spec: - name: config-volume secret: secretName: "audit-g3auto" - {{- if .Values.slimImage.enabled }} - name: wsgi-config configMap: name: audit-wsgi - name: nginx-config configMap: name: audit-nginx-configmap - {{- end }} {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} containers: - name: audit - {{- if .Values.slimImage.enabled }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} image: "quay.io/cdis/audit-service:feat_GPE-1113" {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - {{- if .Values.slimImage.enabled }} - - containerPort: 8000 - {{- else }} - - containerPort: 80 - {{- end }} - name: http - protocol: TCP + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /_status - {{- if .Values.slimImage.enabled }} - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app {{- else }} - port: 80 + port: http {{- end }} initialDelaySeconds: 30 periodSeconds: 60 @@ -78,10 +78,10 @@ spec: readinessProbe: httpGet: path: /_status - {{- if .Values.slimImage.enabled }} - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app {{- else }} - port: 80 + port: http {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} @@ -125,7 +125,7 @@ spec: readOnly: true mountPath: "/src/audit-service-config.yaml" subPath: "audit-service-config.yaml" - {{- if .Values.slimImage.enabled }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: "wsgi-config" mountPath: "/audit-service/deployment/wsgi/gunicorn.conf.py" subPath: gunicorn.conf.py 
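Review bot: Dropping the `{{- if .Values.slimImage.enabled }}` guard around the `wsgi-config` and `nginx-config` volumes makes them unconditional, while the ConfigMaps they reference are now rendered only when `secureImage.enabled` (wsgi.yaml) or `secureImage.sidecar.enabled` (nginx_config.yaml) is set. With the defaults (both false) the pod references ConfigMaps `audit-wsgi` and `audit-nginx-configmap` that do not exist, and the kubelet will not start it. Either restore the guard with the new condition, `{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}` … `{{- end }}`, keeping `nginx-config` under the sidecar condition, or add `optional: true` to each configMap volume. The enclosing pod spec starts outside the hunk.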
@@ -133,17 +133,17 @@ spec: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - {{- if .Values.slimImage.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.slimImage.sidecar.image }}:{{ .Values.slimImage.sidecar.tag }} - imagePullPolicy: {{ .Values.slimImage.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" @@ -151,7 +151,7 @@ spec: {{- end }} initContainers: - name: audit-init - {{- if .Values.slimImage.enabled }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} image: "quay.io/cdis/audit-service:feat_GPE-1113" {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -191,7 +191,7 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] - {{- if .Values.slimImage.enabled }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} args: - "-c" - | diff --git a/helm/audit/templates/nginx_config.yaml b/helm/audit/templates/nginx_config.yaml index 2dbb5edb..54feeb2f 100644 --- a/helm/audit/templates/nginx_config.yaml +++ b/helm/audit/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -11,4 +12,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file 
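Review bot: Renaming the sidecar's port to `app` gives the pod two container ports with the same name: the audit container already declares `app` on 8000 in the preceding hunk and the sidecar now declares `app` on 8080. Port names are documented as unique within a pod, and a Service `targetPort` that refers to a name is resolved by scanning the pod's containers in order, so `app` would select gunicorn's 8000 and bypass the nginx sidecar. Use a distinct name, `- name: nginx` with `port: nginx` in the sidecar's readiness probe, and have the Service target that name when the sidecar is enabled. The same duplicate appears in fence-deployment.yaml (@@ -75) and presigned-url-fence.yaml (@@ -66).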
diff --git a/helm/audit/templates/service.yaml b/helm/audit/templates/service.yaml index aeb8e725..e8cebc3b 100644 --- a/helm/audit/templates/service.yaml +++ b/helm/audit/templates/service.yaml @@ -6,10 +6,18 @@ metadata: {{- include "audit.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: {{- include "audit.selectorLabels" . | nindent 4 }} diff --git a/helm/audit/templates/wsgi.yaml b/helm/audit/templates/wsgi.yaml index 2acc9008..f3859045 100644 --- a/helm/audit/templates/wsgi.yaml +++ b/helm/audit/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: user = 'gen3' group = 'gen3' timeout = 300 - worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file + worker_class = "uvicorn.workers.UvicornWorker" +{{- end }} \ No newline at end of file diff --git a/helm/audit/values.yaml b/helm/audit/values.yaml index 1e069c66..ec21bf12 100644 --- a/helm/audit/values.yaml +++ b/helm/audit/values.yaml @@ -48,6 +48,8 @@ global: publicDataSets: true # -- (string) Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` tierAccessLevel: libre + # -- (int) Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. + tierAccessLimit: "1000" # -- (bool) Whether network policies are enabled. netPolicy: true # -- (int) Number of dispatcher jobs. 
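Review bot: The new Service template is not valid as written: `containerPort` is a container field, not a Service port field (Services take `port`/`targetPort`), and because `ports:` is emitted only inside `{{- with .Values.service.port }}` the two added list items render with no parent key whenever `service.port` is left at its new default of `[]`. The secure branch also hardcodes 8080, the nginx sidecar's port, although the sidecar is a separate toggle; with `secureImage.enabled` and no sidecar nothing listens there. A rewrite that keeps user-supplied ports, falls back to chart defaults and picks the target port from the sidecar setting is below.
```yaml
spec:
  type: {{ .Values.service.type }}
  ports:
    {{- with .Values.service.port }}
    {{- toYaml . | nindent 4 }}
    {{- else }}
    {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
    - name: app
      port: 80
      # 8080 is the nginx sidecar; without the sidecar gunicorn listens on 8000
      targetPort: {{ ternary 8080 8000 (.Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled) }}
      protocol: TCP
    {{- else }}
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    {{- end }}
    {{- end }}
  # … unchanged: selector …
```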
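Review bot: `tierAccessLimit` in audit's values.yaml is annotated `(int)` but its default is the quoted string `"1000"`, and the comment spells the related key `tireAccessLevel`; helm-docs copies both into the README table unchanged. Suggest `tierAccessLimit: 1000` with the comment `# -- (int) Only relevant if tierAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data.`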
@@ -64,6 +66,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: @@ -117,9 +127,9 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "master" -# -- (map) Configuration settings for the slim AL2 based image. -slimImage: - # -- (bool) Enable the use of the slim AL2 based image. +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. enabled: false # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. sidecar: @@ -175,8 +185,8 @@ securityContext: {} service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) Port on which the service is exposed - port: 80 + # -- (list) Port on which the service is exposed + port: [] # -- (map) Resource requests and limits for the containers in the pod resources: diff --git a/helm/fence/README.md b/helm/fence/README.md index 3836df6f..f0386c8b 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md 
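Review bot: Renaming `slimImage` to `secureImage` (and turning `service.port` from the int `80` into a list) changes the values interface without a fallback, so existing overrides that set `slimImage.enabled: true` are silently ignored and ones that set `service.port: 80` now break rendering, yet the diffstat shows no Chart.yaml version bump for this change. Document the rename and the new shape of `service.port` in the chart's README/changelog and bump `version` in Chart.yaml as the comment there requires. The comment on the new list value should also say what its entries are, e.g. `# -- (list) Service port entries (name, port, targetPort, protocol) rendered verbatim; leave empty to use the chart defaults.`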
@@ -132,6 +132,10 @@ A Helm chart for gen3 Fence | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.syncFromDbgap | bool | `false` | Whether to sync data from dbGaP. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `"1000"` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | 
@@ -176,20 +180,23 @@ A Helm chart for gen3 Fence | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for Usersync and External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `80` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". 
| | serviceAccount | map | `{"annotations":{"eks.amazonaws.com/role-arn":null},"create":true,"name":"fence-sa"}` | Service account to use or create. | | serviceAccount.annotations | map | `{"eks.amazonaws.com/role-arn":null}` | Annotations to add to the service account. | | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `"fence-sa"` | The name of the service account | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":true}` | Configuration options for usersync cronjob. | | usersync.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml | diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml index 809b5190..bf1fc187 100644 --- a/helm/fence/templates/fence-deployment.yaml +++ b/helm/fence/templates/fence-deployment.yaml 
@@ -28,36 +28,53 @@ spec: spec: enableServiceLinks: false serviceAccountName: {{ include "fence.serviceAccountName" . }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + {{- end }} volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: - name: fence + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/fence:feat_gunicorn" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8000 protocol: TCP - # - name: https - # containerPort: 443 - # protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} - name: container containerPort: 6567 livenessProbe: httpGet: path: /_status + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} port: http + {{- end }} initialDelaySeconds: 60 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} port: app + {{- else }} + port:http + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] 
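Review bot: `port:http` in the added readinessProbe else-branch is missing the space after the colon, so the non-secure path renders an invalid `httpGet` block; it should read `port: http`. The `{{- if … }}`/`{{- end }}` wrapped around the existing `securityContext` also makes `runAsUser`/`runAsGroup`/`fsGroup: 1000` conditional on the secure image, a regression for the default image, which previously always ran as UID 1000; keep the securityContext unconditional. The added `image: "quay.io/cdis/fence:feat_gunicorn"` pins a feature-branch tag in the template, bypassing `.Values.image` and any digest pinning; make it a `secureImage.repository`/`secureImage.tag` value instead. presigned-url-fence.yaml (@@ -21) has the same securityContext and image-tag issues.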
@@ -75,18 +92,23 @@ spec: {{- end }} {{- toYaml .Values.env | nindent 12 }} volumeMounts: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: wsgi-config + configMap: + name: fence-wsgi + {{- end }} {{- toYaml .Values.volumeMounts | nindent 12 }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" @@ -94,8 +116,24 @@ spec: {{- end }} initContainers: - name: fence-init + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/fence:feat_gunicorn" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} + - name: container + containerPort: 6567 resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] diff --git a/helm/fence/templates/nginx-config.yaml b/helm/fence/templates/nginx-config.yaml index aeaac14f..3987d818 100644 --- a/helm/fence/templates/nginx-config.yaml +++ b/helm/fence/templates/nginx-config.yaml 
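Review bot: The `wsgi-config` entry added under `volumeMounts` is a volume definition (`configMap: name: fence-wsgi`), not a mount; a volumeMount requires `mountPath`, so the API server rejects the pod spec and the gunicorn config is never mounted. It should be `- name: wsgi-config`, `mountPath: <GUNICORN_CONF_PATH_IN_IMAGE>` (placeholder; audit mounts it at `/audit-service/deployment/wsgi/gunicorn.conf.py`), `subPath: gunicorn.conf.py`, with a matching `wsgi-config` configMap volume — here `volumes` comes from `.Values.volumes`, so that volume must be supplied there or templated. The same mistake is in presigned-url-fence.yaml (@@ -66). The `ports:` block added to the `fence-init` init container in the second hunk is inert for init containers and can be dropped.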
@@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml index 72cce99a..745c457a 100644 --- a/helm/fence/templates/presigned-url-fence.yaml +++ b/helm/fence/templates/presigned-url-fence.yaml @@ -21,20 +21,32 @@ spec: app: presigned-url-fence spec: serviceAccountName: {{ include "fence.serviceAccountName" . }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + {{- end }} volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: - name: presigned-url-fence + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/fence:feat_gunicorn" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - name: http + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app containerPort: 8000 protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} - name: https containerPort: 443 protocol: TCP 
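Review bot: `.Values.secureImage.enabled | default .Values.global.secureImage.enabled` is now copied into every image, port and probe conditional of this file, and its semantics are easy to misread: Helm's `default` treats `false` as empty, so a chart-level `enabled: false` can never override a global `true`. Computing it once at the top of the template, `{{- $secure := or .Values.secureImage.enabled .Values.global.secureImage.enabled -}}`, and testing `{{- if $secure }}` states the "either flag turns it on" rule explicitly and removes the repetition; if a per-chart opt-out is actually intended, the chart value should default to `null` and be checked with `kindIs "invalid"` before falling back to the global. The hard-coded `quay.io/cdis/fence:feat_gunicorn` image should likewise come from a value so it can be pinned. The pod spec continues past the hunk.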
@@ -44,14 +56,22 @@ spec: livenessProbe: httpGet: path: /_status + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} port: http + {{- end }} initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} port: http + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} command: ["/bin/bash"] @@ -66,14 +86,19 @@ spec: env: {{- toYaml .Values.env | nindent 12 }} volumeMounts: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: wsgi-config + configMap: + name: fence-wsgi + {{- end }} {{- toYaml .Values.volumeMounts | nindent 12 }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http - containerPort: 80 + - name: app + containerPort: 8080 protocol: TCP volumeMounts: - name: "nginx-config" diff --git a/helm/fence/templates/service.yaml b/helm/fence/templates/service.yaml index e5887708..9c28c33f 100644 --- a/helm/fence/templates/service.yaml +++ b/helm/fence/templates/service.yaml 
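Review bot: The `wsgi-config` entry added under `volumeMounts` uses Volume syntax (`configMap:` / `name: fence-wsgi`); `configMap` is not a VolumeMount field, so the gunicorn configuration never reaches the container and strict field validation rejects the manifest. It needs `mountPath` plus `subPath: gunicorn.conf.py` (the path inside the fence image is not visible here — presumably `/fence/deployment/wsgi/gunicorn.conf.py` like the other charts; confirm), and the matching `wsgi-config` volume must exist in `.Values.volumes`. The sidecar's containerPort also moves from 80 to 8080, but the `listen` directive of the nginx ConfigMap is outside this diff, so please confirm it listens on 8080 or the readiness probe will be probing a closed port. The container list continues beyond the hunk.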
@@ -6,11 +6,19 @@ metadata: {{- include "fence.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: {{- include "fence.selectorLabels" . | nindent 4 }} --- @@ -20,11 +28,19 @@ metadata: name: presigned-url-fence-service spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: app: presigned-url-fence diff --git a/helm/fence/templates/wsgi.yaml b/helm/fence/templates/wsgi.yaml index db3bd9dc..b267502c 100644 --- a/helm/fence/templates/wsgi.yaml +++ b/helm/fence/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -9,3 +10,4 @@ data: workers = 1 user = 'gen3' group = 'gen3' +{{- end }} \ No newline at end of file diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml index 777508b5..8b99b339 100644 --- a/helm/fence/values.yaml +++ b/helm/fence/values.yaml 
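Review bot: Both Services in this file now render broken `ports`: `containerPort` is not a ServicePort field (the required `port` and a `targetPort` are missing), and because `ports:` is only written inside `{{- with .Values.service.port }}`, the new default `service.port: []` leaves `- name: app` as a stray list item directly under `spec`, which is not valid YAML. The secure branch also targets 8080, the nginx sidecar's port, even when only `secureImage.enabled` is set and the sidecar (default off) is not listening on 8080. I'd emit `ports:` unconditionally, use the `with`'s `else` for the fallback and choose `targetPort` by the sidecar flag, as below; the `presigned-url-fence-service` hunk needs the identical change.
```yaml
  type: {{ .Values.service.type }}
  ports:
    {{- with .Values.service.port }}
    {{- toYaml . | nindent 4 }}
    {{- else }}
    - name: http
      port: 80
      protocol: TCP
      {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
      targetPort: 8080
      {{- else if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
      targetPort: 8000
      {{- else }}
      targetPort: 80
      {{- end }}
    {{- end }}
  selector:
```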
@@ -77,6 +77,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: @@ -163,15 +171,20 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "master" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -214,8 +227,8 @@ securityContext: {} service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: 80 + # -- (list) The port number that the service exposes. + port: [] # -- (map) Resource requests and limits for the containers in the pod resources: 
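Review bot: `secureImage.sidecar.tag: "nginx-sidecar-feat_nginx-sidecar"` is a feature-branch tag, so the image the sidecar runs can change underneath a deployed release whenever that branch is rebuilt, and with `pullPolicy: IfNotPresent` different nodes can keep different builds. Pin it to a release tag or a `@sha256:` digest before this default ships. The `secureImage` block also has no `repository`/`tag` for the application image itself, which is why the templates hard-code `quay.io/cdis/fence:feat_gunicorn`; adding `# -- (string) Image repository for the secure build` `repository: quay.io/cdis/fence` and a `tag:` here lets operators pin that as well.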
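Review bot: `service.port: []` is not a usable default: `templates/service.yaml` only writes `ports:` inside `{{- with .Values.service.port }}`, so an empty list produces a Service with no port mapping (and a stray list item under `spec`). The doc comment is also wrong for the new type — it is no longer a port number but a list of ServicePort maps; I'd write `# -- (list) ServicePort entries (name, port, targetPort, protocol). Leave empty to use the chart's built-in http mapping.` and have the template provide that fallback.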
diff --git a/helm/indexd/README.md b/helm/indexd/README.md index ebffc843..8939aa37 100644 --- a/helm/indexd/README.md +++ b/helm/indexd/README.md @@ -59,6 +59,10 @@ A Helm chart for gen3 indexd | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `"1000"` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | | image | map | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cdis/indexd","tag":""}` | Docker image information. | 
@@ -93,21 +97,24 @@ A Helm chart for gen3 indexd | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"userdb":{"fence":null,"sheepdog":null}}` | Values for indexd secret. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID to access the db restore job S3 bucket. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID to access the db restore job S3 bucket. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `80` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. 
Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":false,"name":""}` | Service account to use or create. | | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `false` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | uwsgi | map | `{"listen":1024}` | Values for overriding uwsgi settings | | volumeMounts | list | `[{"mountPath":"/var/www/indexd/local_settings.py","name":"config-volume","readOnly":true,"subPath":"local_settings.py"}]` | Volumes to mount to the container. | -| volumes | list | `[{"configMap":{"name":"indexd-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}},{"configMap":{"name":"indexd-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the pod | +| volumes | list | `[{"configMap":{"name":"indexd-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"indexd-uwsgi"},"name":"uwsgi-config"},{"configMap":{"name":"indexd-nginx-configmap"},"name":"nginx-config"},{"name":"config-volume","secret":{"secretName":"indexd-settings"}}]` | Volumes to attach to the pod | diff --git a/helm/indexd/templates/deployment.yaml b/helm/indexd/templates/deployment.yaml index 7b86d48b..ec906800 100644 --- a/helm/indexd/templates/deployment.yaml 
+++ b/helm/indexd/templates/deployment.yaml @@ -26,10 +26,12 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + {{- end }} {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} @@ -45,7 +47,11 @@ spec: - name: indexd securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/indexd:feat_GPE-788" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- if .Values.global.ddEnabled }} 
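Review bot: `image: "quay.io/cdis/indexd:feat_GPE-788"` pins the secure path to a ticket-branch tag that is rewritten on every CI build of that branch, and with `imagePullPolicy: {{ .Values.image.pullPolicy }}` (documented default `IfNotPresent`) each node keeps whatever build it first pulled, so replicas of one Deployment can run different code. It also bypasses `.Values.image.repository`/`tag`, so an operator cannot pin or mirror it; read it from `secureImage.repository`/`secureImage.tag` (ideally a digest) instead, e.g. `image: "{{ .Values.secureImage.repository }}:{{ .Values.secureImage.tag }}"`. The container spec continues beyond the hunk.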
@@ -85,40 +91,60 @@ spec: value: {{ .Values.defaultPrefix }} {{- toYaml .Values.env | nindent 12 }} volumeMounts: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: "wsgi-config" mountPath: "/indexd/deployment/wsgi/gunicorn.conf.py" subPath: gunicorn.conf.py + {{- else }} + - name: "uwsgi-config" + mountPath: "/etc/uwsgi/uwsgi.ini" + subPath: uwsgi.ini + {{- end }} - name: "config-volume" readOnly: true mountPath: "/var/www/indexd/local_settings.py" subPath: "local_settings.py" ports: - - name: http + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app containerPort: 8000 protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" diff --git a/helm/indexd/templates/nginx_config.yaml b/helm/indexd/templates/nginx_config.yaml index 4aeeb71c..57b03a13 100644 
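Review bot: With both flags on, the pod declares two container ports named `app` — gunicorn's 8000 in `indexd` and nginx's 8080 in `sidecar-nginx`; the ContainerPort API documents port names as unique within a pod, and any consumer that resolves the name (a Service `targetPort: app`, a NetworkPolicy by port name) picks the first container's 8000 and bypasses the sidecar. Give the sidecar a distinct name such as `proxy` and reference that from its readinessProbe. The `wsgi-config` and `uwsgi-config` mounts also reference ConfigMaps (`indexd-wsgi`, `indexd-uwsgi`) that this patch renders under opposite conditions, so the volume declarations behind them need the same guards or `optional: true`, otherwise one of them is always missing and the pod cannot start. The container list continues past the hunk.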
--- a/helm/indexd/templates/nginx_config.yaml +++ b/helm/indexd/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -12,3 +13,4 @@ data: proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } } +{{- end }} \ No newline at end of file diff --git a/helm/indexd/templates/pre-install.yaml b/helm/indexd/templates/pre-install.yaml index 26ab96a4..888d8367 100644 --- a/helm/indexd/templates/pre-install.yaml +++ b/helm/indexd/templates/pre-install.yaml @@ -82,10 +82,18 @@ spec: - "-c" # Script always succeeds if it runs (echo exits with 0) # indexd image does not include jq, so use python + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - | source .venv/bin/activate echo 'python3 /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}' python3 /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}" echo 'python3 /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}' python3 /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}" + {{- else }} + - | + echo 'python /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}' + python /indexd/bin/index_admin.py create --username "fence" --password "${FENCE_PASS}" + echo 'python /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}' + python /indexd/bin/index_admin.py create --username "sheepdog" --password "${SHEEPDOG_PASS}" + {{- end }} restartPolicy: Never \ No newline at end of file diff --git a/helm/indexd/templates/service.yaml b/helm/indexd/templates/service.yaml index 6fb671d1..a4ecc677 100644 --- a/helm/indexd/templates/service.yaml +++ b/helm/indexd/templates/service.yaml 
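Review bot: The new non-secure branch passes `--password "${FENCE_PASS}"` and `--password "${SHEEPDOG_PASS}"` on the `index_admin.py` command line, so the database passwords are readable from `/proc/<pid>/cmdline` by anything sharing the pod's pid namespace and can be captured by node-level process auditing; the pre-existing secure branch has the same exposure. If `index_admin.py` can read the password from an environment variable or stdin (not visible here — please check), prefer that over argv. The `echo` lines also drop the closing `"` after `${FENCE_PASS}`/`${SHEEPDOG_PASS}`; because they are single-quoted they print the literal variable name rather than the secret, which is harmless but misleading to whoever reads the job log.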
@@ -6,10 +6,18 @@ metadata: {{- include "indexd.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: {{- include "indexd.selectorLabels" . | nindent 4 }} diff --git a/helm/indexd/templates/uwsgi.yaml b/helm/indexd/templates/uwsgi.yaml new file mode 100644 index 00000000..17bbb55c --- /dev/null +++ b/helm/indexd/templates/uwsgi.yaml 
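Review bot: The rendered Service has no valid port mapping: `containerPort` is not a ServicePort field, the required `port` is absent, and since `ports:` is only emitted inside `{{- with .Values.service.port }}`, the new `service.port: []` default leaves `- name: app` as a bare list item under `spec`. The secure branch additionally targets 8080, which only has a listener when the nginx sidecar is enabled, not whenever `secureImage.enabled` is set. Emit `ports:` unconditionally with the built-in mapping as the `with`'s `else`, and select `targetPort` by the sidecar flag:
```yaml
  type: {{ .Values.service.type }}
  ports:
    {{- with .Values.service.port }}
    {{- toYaml . | nindent 4 }}
    {{- else }}
    - name: http
      port: 80
      protocol: TCP
      {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
      targetPort: 8080
      {{- else if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
      targetPort: 8000
      {{- else }}
      targetPort: 80
      {{- end }}
    {{- end }}
  selector:
```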
@@ -0,0 +1,44 @@ +{{- if not (or (.Values.secureImage.enabled | default .Values.global.secureImage.enabled)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: indexd-uwsgi +data: + uwsgi.ini: | + [uwsgi] + protocol = uwsgi + socket = /var/run/gen3/uwsgi.sock + buffer-size = 32768 + uid = nginx + gid = nginx + chown-socket = nginx:nginx + chmod-socket = 666 + master = true + harakiri-verbose = true + # No global HARAKIRI, using only user HARAKIRI, because export overwrites it + # Cannot overwrite global HARAKIRI with user's: https://git.io/fjYuD + # harakiri = 45 + ; If VIRTUAL_ENV is set then use its value to specify the virtualenv directory + if-env = VIRTUAL_ENV + virtualenv = %(_) + endif = + http-timeout = 45 + socket-timeout = 45 + worker-reload-mercy = 45 + reload-mercy = 45 + mule-reload-mercy = 45 + disable-logging = true + wsgi-file=/indexd/wsgi.py + plugins = python3 + vacuum = true + pythonpath = /indexd/ + stats = 127.0.0.1:9191 + stats-http = true + env = prometheus_multiproc_dir=/var/tmp/uwsgi_flask_metrics + exec-asap = /indexd/clear_prometheus_multiproc /var/tmp/uwsgi_flask_metrics + # Initialize application in worker processes, not master. This prevents the + # workers from all trying to open the same database connections at startup. + lazy = true + lazy-apps = true + listen = {{ .Values.uwsgi.listen }} +{{- end }} \ No newline at end of file diff --git a/helm/indexd/templates/wsgi.yaml b/helm/indexd/templates/wsgi.yaml index 7a0b5056..c590ec39 100644 --- a/helm/indexd/templates/wsgi.yaml +++ b/helm/indexd/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,3 +11,4 @@ data: user = 'gen3' group = 'gen3' timeout = 300 +{{- end }} \ No newline at end of file diff --git a/helm/indexd/values.yaml b/helm/indexd/values.yaml index 6d9c63db..f9e32ff8 100644 --- a/helm/indexd/values.yaml +++ b/helm/indexd/values.yaml 
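Review bot: `chmod-socket = 666` makes the uwsgi socket world-writable, so any process in the container can submit requests straight to the application and bypass whatever nginx enforces in front of it; the socket is already `chown-socket = nginx:nginx` and nginx is its only intended client, so `chmod-socket = 660` is sufficient. `disable-logging = true` switches off uwsgi request logging entirely — acceptable if the nginx access log is the system of record, but worth a one-line comment saying so. The guard `{{- if not (or (.Values.secureImage.enabled | default .Values.global.secureImage.enabled)) }}` wraps a single operand in `or` and can simply be `{{- if not (.Values.secureImage.enabled | default .Values.global.secureImage.enabled) }}`.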
@@ -67,6 +67,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: @@ -126,15 +134,20 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -175,8 +188,8 @@ securityContext: {} service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: 80 + # -- (list) The port number that the service exposes. + port: [] # -- (map) Resource requests and limits for the containers in the pod resources: 
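Review bot: `service.port: []` cannot work as a default: `templates/service.yaml` only writes `ports:` inside `{{- with .Values.service.port }}`, so an empty list renders a Service without any port mapping. Either ship a working entry here (`- name: http`, `port: 80`, `targetPort: http`, `protocol: TCP` — though a static `targetPort` then cannot follow the `secureImage` flag) or keep `[]` and have the template fall back to a built-in mapping. The comment should also say it is a list of ServicePort maps rather than "the port number".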
@@ -218,12 +231,15 @@ volumes: - name: wsgi-config configMap: name: indexd-wsgi -- name: config-volume - secret: - secretName: "indexd-settings" +- name: uwsgi-config + configMap: + name: indexd-uwsgi - name: nginx-config configMap: name: indexd-nginx-configmap +- name: config-volume + secret: + secretName: "indexd-settings" # -- (list) Volumes to mount to the container. volumeMounts: diff --git a/helm/manifestservice/README.md b/helm/manifestservice/README.md index 39794bbe..4bc3dd98 100644 --- a/helm/manifestservice/README.md +++ b/helm/manifestservice/README.md @@ -47,6 +47,10 @@ A Helm chart for Kubernetes | global.externalSecrets.separateSecretStore | string | `false` | Will deploy a separate External Secret Store for this service. | | global.minAvialable | int | `1` | The minimum amount of pods that are available at all times if the PDB is deployed. | | global.pdb | bool | `false` | If the service will be deployed with a Pod Disruption Budget. Note- you need to have more than 2 replicas for the pdb to be deployed. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/manifestservice","tag":""}` | Docker image information. | | image.pullPolicy | string | `"Always"` | Docker pull policy. | | image.repository | string | `"quay.io/cdis/manifestservice"` | Docker repository. | 
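Review bot: All three ConfigMap-backed volumes are declared unconditionally, but each ConfigMap is rendered under a different condition — `indexd-wsgi` only when secureImage is enabled, `indexd-uwsgi` only when it is not, and `indexd-nginx-configmap` only when the sidecar is enabled — so every flag combination references at least one ConfigMap that does not exist, and the kubelet holds the pod in ContainerCreating until it appears. Either mark each with `optional: true` (which hides genuine misconfiguration) or, better, move these three volumes out of values into `deployment.yaml` under the same `{{- if }}` guards as their mounts, leaving only `config-volume` here.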
@@ -70,22 +74,25 @@ A Helm chart for Kubernetes | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `80` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. 
| | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | terminationGracePeriodSeconds | int | `50` | Grace period that applies to the total time it takes for both the PreStop hook to execute and for the Container to stop normally. | -| volumeMounts | list | `[{"mountPath":"/manifestservice/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"},{"mountPath":"/var/gen3/config/","name":"config-volume","readOnly":true}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/var/gen3/config/","name":"config-volume","readOnly":true}]` | Volumes to mount to the container. 
| | volumes | list | `[{"configMap":{"name":"manifestservice-wsgi"},"name":"wsgi-config"},{"name":"config-volume","secret":{"secretName":"manifestservice-g3auto"}},{"configMap":{"name":"manifestservice-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | diff --git a/helm/manifestservice/templates/deployment.yaml b/helm/manifestservice/templates/deployment.yaml index 25f0f5da..9b902dcd 100644 --- a/helm/manifestservice/templates/deployment.yaml +++ b/helm/manifestservice/templates/deployment.yaml @@ -28,10 +28,12 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -42,7 +44,11 @@ spec: terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds}} containers: - name: manifestservice + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/manifestservice:feat_GPE-1108" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- if .Values.global.ddEnabled }} 
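Review bot: `image: "quay.io/cdis/manifestservice:feat_GPE-1108"` hard-codes a ticket-branch tag for the secure path, ignoring `.Values.image.repository`/`tag`, so the image cannot be pinned to a digest or mirrored, and because the tag is mutable the code shipped under a released chart version can change without any chart change. Read it from a `secureImage.repository`/`secureImage.tag` pair instead, e.g. `image: "{{ .Values.secureImage.repository }}:{{ .Values.secureImage.tag }}"`, and pin a digest before the default ever flips to enabled. The container spec continues beyond the hunk.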
@@ -50,33 +56,54 @@ spec: {{- end }} {{- toYaml .Values.env | nindent 12 }} volumeMounts: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: "wsgi-config" + mountPath: "/manifestservice/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py + {{- end }} {{- toYaml .Values.volumeMounts | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} ports: - - containerPort: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} initialDelaySeconds: 10 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 8000 - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" diff --git a/helm/manifestservice/templates/nginx_config.yaml b/helm/manifestservice/templates/nginx_config.yaml index 473061ff..c2b114c1 100644 --- a/helm/manifestservice/templates/nginx_config.yaml +++ b/helm/manifestservice/templates/nginx_config.yaml 
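Review bot: The `manifestservice` container's gunicorn port and the `sidecar-nginx` port are both named `app` (8000 and 8080), which the ContainerPort API documents as unique within a pod; any name-based reference such as a Service `targetPort: app` resolves to the first container's 8000 and silently skips nginx. Name the sidecar port `proxy` and use that in its readinessProbe. The `wsgi-config` mount is now conditional, but the `wsgi-config` and `nginx-config` volumes backing it remain unconditional in values (per the README table in this patch) while their ConfigMaps are rendered only when the respective flag is on, so with defaults the pod references ConfigMaps that do not exist. The container list continues past the hunk.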
@@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -11,4 +12,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file diff --git a/helm/manifestservice/templates/service.yaml b/helm/manifestservice/templates/service.yaml index 173ba48c..0f246fd1 100644 --- a/helm/manifestservice/templates/service.yaml +++ b/helm/manifestservice/templates/service.yaml @@ -6,10 +6,18 @@ metadata: {{- include "manifestservice.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: 80 - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: {{- include "manifestservice.selectorLabels" . | nindent 4 }} diff --git a/helm/manifestservice/templates/wsgi.yaml b/helm/manifestservice/templates/wsgi.yaml index da55efe7..f0c867d1 100644 --- a/helm/manifestservice/templates/wsgi.yaml +++ b/helm/manifestservice/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -9,4 +10,5 @@ data: workers = 1 user = 'gen3' group = 'gen3' - timeout = 300 \ No newline at end of file + timeout = 300 +{{- end }} \ No newline at end of file diff --git a/helm/manifestservice/values.yaml b/helm/manifestservice/values.yaml index 2ecd86cf..b048bbee 100644 --- a/helm/manifestservice/values.yaml +++ b/helm/manifestservice/values.yaml 
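Review bot: The Service loses its only valid mapping: the old `port`/`targetPort: 80` pair is replaced by `containerPort`, which is not a ServicePort field, and because `ports:` is written only inside `{{- with .Values.service.port }}`, the new `service.port: []` default leaves `- name: app` as a stray list item under `spec`. The secure branch also targets 8080, which nothing listens on unless the nginx sidecar is enabled. Emit `ports:` unconditionally, put the built-in mapping in the `with`'s `else`, and pick `targetPort` by the sidecar flag:
```yaml
  type: {{ .Values.service.type }}
  ports:
    {{- with .Values.service.port }}
    {{- toYaml . | nindent 4 }}
    {{- else }}
    - name: http
      port: 80
      protocol: TCP
      {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
      targetPort: 8080
      {{- else if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
      targetPort: 8000
      {{- else }}
      targetPort: 80
      {{- end }}
    {{- end }}
  selector:
```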
@@ -27,6 +27,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: @@ -56,22 +64,27 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (map) Kubernetes service information. service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: 80 + # -- (list) The port number that the service exposes. + port: [] # -- (map) Service account to use or create. serviceAccount: 
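Review bot: The new `secureImage.enabled` and `global.secureImage.enabled` flags are combined in the templates as `.Values.secureImage.enabled | default .Values.global.secureImage.enabled`, and `default` treats a chart-level `false` as unset, so once the global flag is true a single service can no longer opt out; the values comment should say so rather than implying a normal override. Suggested wording for the chart-level key: `# -- (bool) Enable the secure AL2 based image. Setting this to false does not override global.secureImage.enabled; it can only enable.`, and likewise for `secureImage.sidecar.enabled`. The same flags are introduced in the metadata (L151/L152) and peregrine (L158/L159) values hunks.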
@@ -152,9 +165,6 @@ env: # -- (list) Volumes to mount to the container. volumeMounts: - - name: "wsgi-config" - mountPath: "/manifestservice/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py - name: "config-volume" readOnly: true mountPath: "/var/gen3/config/" diff --git a/helm/metadata/README.md b/helm/metadata/README.md index 4fc1f756..f371bceb 100644 --- a/helm/metadata/README.md +++ b/helm/metadata/README.md 
@@ -25,7 +25,6 @@ A Helm chart for gen3 Metadata Service | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Value for topology key label. | | aggMdsConfig | string | `"{\n \"configuration\": {\n \"schema\": {\n \"_subjects_count\": {\n \"type\": \"integer\"\n },\n \"__manifest\": {\n \"description\": \"an array of filename (usually DRS ids and its size\",\n \"type\": \"array\",\n \"properties\": {\n \"file_name\": {\n \"type\": \"string\"\n },\n \"file_size\": {\n \"type\": \"integer\"\n }\n }\n },\n \"tags\": {\n \"type\": \"array\"\n },\n \"_unique_id\": {},\n \"study_description\": {},\n \"study_id\": {},\n \"study_url\": {},\n \"project_id\": {},\n \"short_name\": {\n \"default\": \"not_set\"\n },\n \"year\": {\n \"default\": \"not_set\"\n },\n \"full_name\": {},\n \"commons_url\": {},\n \"commons\": {}\n },\n \"settings\": {\n \"cache_drs\": true\n }\n },\n \"adapter_commons\": {\n \"Gen3\": {\n \"mds_url\": \"https://gen3.datacommons.io/\",\n \"commons_url\": \"gen3.datacommons.io/\",\n \"adapter\": \"gen3\",\n \"config\": {\n \"guid_type\": \"discovery_metadata\",\n \"study_field\": \"gen3_discovery\"\n },\n \"keep_original_fields\": false,\n \"field_mappings\": {\n \"tags\": \"path:tags\",\n \"_unique_id\": \"path:_unique_id\",\n \"study_description\": \"path:summary\",\n \"full_name\": \"path:study_title\",\n \"short_name\": \"path:short_name\",\n \"year\": \"path:year\",\n \"accession_number\": \"path:accession_number\",\n \"commons\": \"Gen3 Data Commons\",\n \"study_url\": {\n \"path\": \"link\",\n \"default\": \"unknown\"\n }\n }\n }\n }\n}\n"` | | | aggMdsNamespace | string | `"default"` | Namespae to use if AggMds is enabled. | -| args | list | `["-c","alembic upgrade head\n"]` | Arguments to pass to the init container. 
| | automountServiceAccountToken | bool | `false` | Automount the default service account token | | autoscaling | map | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Configuration for autoscaling the number of replicas | | autoscaling.enabled | bool | `false` | Whether autoscaling is enabled | @@ -78,6 +77,10 @@ A Helm chart for gen3 Metadata Service | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/metadata-service","tag":"feat_es-7"}` | Docker image information. | | image.pullPolicy | string | `"Always"` | Docker pull policy. | 
@@ -113,18 +116,21 @@ A Helm chart for gen3 Metadata Service | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information to access the db restore job S3 bucket. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}],"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}]` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. 
Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAnnotations."getambassador.io/config" | string | `"---\napiVersion: ambassador/v1\nambassador_id: \"gen3\"\nkind: Mapping\nname: metadata_mapping\nprefix: /index/\nservice: http://metadata-service:80\n"` | | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | useAggMds | bool | `"True"` | Set to true to aggregate metadata from multiple other Metadata Service instances. | -| volumeMounts | list | `[{"mountPath":"/metadata-service/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"},{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"},{"mountPath":"/metadata.json","name":"config-manifest","readOnly":true,"subPath":"json"}]` | Volumes to mount to the container. 
| +| volumeMounts | list | `[{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"},{"mountPath":"/metadata.json","name":"config-manifest","readOnly":true,"subPath":"json"}]` | Volumes to mount to the container. | diff --git a/helm/metadata/templates/deployment.yaml b/helm/metadata/templates/deployment.yaml index 41195ce7..8affc675 100644 --- a/helm/metadata/templates/deployment.yaml +++ b/helm/metadata/templates/deployment.yaml @@ -31,10 +31,12 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -60,7 +62,11 @@ spec: name: metadata-nginx-configmap containers: - name: {{ .Chart.Name }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/metadata-service:feat_GPE-1115" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} env: {{- if .Values.global.ddEnabled }} {{- include "common.datadogEnvVar" . | nindent 12 }} 
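Review bot: Wrapping the pod `securityContext` in the `secureImage.enabled` check removes `runAsUser`/`runAsGroup`/`fsGroup: 1000` from the default rendering, so non-secure pods now run as whatever user the image declares, which may be root; before this change the context was applied unconditionally. Unless the legacy image genuinely needs root to bind port 80, keep the securityContext unconditional and vary only the image; if it does, record that with a comment such as `# legacy image binds :80 as root; securityContext applies only with the secure image`, and add `runAsNonRoot: true` on the secure branch so the intent is enforced rather than implied. The same gating appears in the peregrine (L156) and requestor (L163) hunks; the manifestservice counterpart is outside this view.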
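Review bot: `image: "quay.io/cdis/metadata-service:feat_GPE-1115"` hard-codes a feature-branch tag in the template, bypassing `.Values.image.repository` and `.Values.image.tag` so operators cannot pin or override the secure image, and a branch tag is mutable, so two installs of the same chart version can pull different images. Move it to values, e.g. `secureImage.image` and `secureImage.tag` (ideally a digest), and render `image: "{{ .Values.secureImage.image }}:{{ .Values.secureImage.tag }}"`. The same literal is repeated for the init container in the L150 hunk, and peregrine does the same with `quay.io/cdis/peregrine:feat_gunicorn` in L156.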
@@ -111,35 +117,56 @@ spec: livenessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} ports: - - containerPort: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: "wsgi-config" + mountPath: "/metadata-service/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py + {{- end }} {{- with .Values.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" 
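Review bot: The sidecar's `image:` line in this hunk now reads `image: {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}`, which opens a second `if` with no value and no matching `{{- end }}` (the only `{{- end }}` after it, in the next hunk, closes the outer sidecar condition), so the template appears not to parse at all, and even if it did the sidecar would have no image. It should match the manifestservice and peregrine versions: `image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}"`. The container list this hunk edits continues past the hunk.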
@@ -147,7 +174,11 @@ spec: {{- end }} initContainers: - name: {{ .Values.initContainerName }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/metadata-service:feat_GPE-1115" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initVolumeMounts }} env: @@ -181,6 +212,7 @@ spec: name: metadata-dbcreds key: dbcreated optional: false + {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} @@ -189,7 +221,13 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} command: {{ .Values.command }} - {{- with .Values.args }} - args: - {{- toYaml . | nindent 12}} + args: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - "-c" + - | + alembic upgrade head + {{- else }} + - "-c" + - | + /env/bin/alembic upgrade head {{- end }} \ No newline at end of file diff --git a/helm/metadata/templates/nginx_config.yaml b/helm/metadata/templates/nginx_config.yaml index afbfe026..524b8782 100644 --- a/helm/metadata/templates/nginx_config.yaml +++ b/helm/metadata/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -11,4 +12,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file diff --git a/helm/metadata/templates/service.yaml b/helm/metadata/templates/service.yaml index 0cc0cb06..9c52e91b 100644 --- a/helm/metadata/templates/service.yaml +++ b/helm/metadata/templates/service.yaml 
@@ -15,4 +15,13 @@ spec: ports: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} type: {{ .Values.service.type }} \ No newline at end of file diff --git a/helm/metadata/templates/wsgi.yaml b/helm/metadata/templates/wsgi.yaml index 9a71581b..be57e7dc 100644 --- a/helm/metadata/templates/wsgi.yaml +++ b/helm/metadata/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: user = 'gen3' group = 'gen3' timeout = 300 - worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file + worker_class = "uvicorn.workers.UvicornWorker" +{{- end }} \ No newline at end of file diff --git a/helm/metadata/values.yaml b/helm/metadata/values.yaml index abf55d69..7364cb3a 100644 --- a/helm/metadata/values.yaml +++ b/helm/metadata/values.yaml @@ -65,6 +65,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: 
@@ -168,15 +176,20 @@ image: debug: false -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # Environment Variables # -- (string) Elasticsearch endpoint. @@ -258,9 +271,6 @@ aggMdsConfig: | # -- (list) Volumes to mount to the container. volumeMounts: - - name: "wsgi-config" - mountPath: "/metadata-service/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py - name: config-volume-g3auto readOnly: true mountPath: /src/.env @@ -308,11 +318,6 @@ initResources: memory: 512Mi # -- (list) Command to run for the init container. command: ["/bin/sh"] -# -- (list) Arguments to pass to the init container. -args: - - "-c" - - | - alembic upgrade head # Service and Pod serviceAnnotations: 
@@ -329,12 +334,8 @@ serviceAnnotations: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: - - protocol: TCP - port: 80 - targetPort: 8000 - name: http + # -- (list) The port number that the service exposes. + port: [] # Values to determine the labels that are used for the deployment, pod, etc. # -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md index 63beb122..b5b1aa58 100644 --- a/helm/peregrine/README.md +++ b/helm/peregrine/README.md @@ -58,6 +58,10 @@ A Helm chart for gen3 Peregrine service | global.postgres.master.port | string | `"5432"` | Port for Postgres. | | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | image.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | | image.repository | string | `"quay.io/cdis/peregrine"` | The Docker image repository for the fence service | 
@@ -89,20 +93,23 @@ A Helm chart for gen3 Peregrine service | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `80` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". 
| | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | -| volumeMounts | list | `[{"mountPath":"/peregrine/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"settings.py"},{"mountPath":"/peregrine/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/peregrine/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"settings.py"}]` | Volumes to mount to the container. | | volumes | list | `[{"emptyDir":{},"name":"shared-data"},{"name":"config-volume","secret":{"secretName":"peregrine-secret"}},{"configMap":{"name":"peregrine-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"peregrine-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | diff --git a/helm/peregrine/templates/deployment.yaml b/helm/peregrine/templates/deployment.yaml index 9d9cc66e..34ff2459 100644 --- a/helm/peregrine/templates/deployment.yaml +++ b/helm/peregrine/templates/deployment.yaml 
@@ -26,10 +26,12 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 - fsGroup: 1000 + fsGroup: 1000 + {{- end }} {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} @@ -45,7 +47,11 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/peregrine:feat_gunicorn" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- if .Values.global.ddEnabled }} @@ -155,12 +161,29 @@ spec: volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: "wsgi-config" + mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py + {{- end }} ports: - - containerPort: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /_status?timeout=20 - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} # peregrine can take forever to initialize initialDelaySeconds: 60 periodSeconds: 60 
@@ -168,20 +191,24 @@ spec: readinessProbe: httpGet: path: /_status?timeout=2 - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" diff --git a/helm/peregrine/templates/nginx_config.yaml b/helm/peregrine/templates/nginx_config.yaml index 1b65d97f..90735c92 100644 --- a/helm/peregrine/templates/nginx_config.yaml +++ b/helm/peregrine/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file diff --git a/helm/peregrine/templates/service.yaml b/helm/peregrine/templates/service.yaml index afff1c22..e86e9e44 100644 --- a/helm/peregrine/templates/service.yaml +++ b/helm/peregrine/templates/service.yaml 
@@ -6,10 +6,18 @@ metadata: {{- include "peregrine.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: {{- include "peregrine.selectorLabels" . | nindent 4 }} diff --git a/helm/peregrine/templates/wsgi.yaml b/helm/peregrine/templates/wsgi.yaml index 52e4028e..3bf02e8a 100644 --- a/helm/peregrine/templates/wsgi.yaml +++ b/helm/peregrine/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -9,4 +10,5 @@ data: workers = 1 user = 'gen3' group = 'gen3' - timeout = 300 \ No newline at end of file + timeout = 300 +{{- end }} \ No newline at end of file diff --git a/helm/peregrine/values.yaml b/helm/peregrine/values.yaml index 39acc7a0..00ee4a93 100644 --- a/helm/peregrine/values.yaml +++ b/helm/peregrine/values.yaml @@ -62,6 +62,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: 
@@ -115,15 +123,20 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "feat_jq-audience" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -164,8 +177,8 @@ securityContext: {} service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: 80 + # -- (list) The port number that the service exposes. + port: [] # -- (map) Resource requests and limits for the containers in the pod resources: @@ -226,9 +239,6 @@ volumeMounts: readOnly: true mountPath: "/peregrine/deployment/wsgi/wsgi.py" subPath: "settings.py" - - name: "wsgi-config" - mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py # Values to determine the labels that are used for the deployment, pod, etc. # -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". diff --git a/helm/requestor/README.md b/helm/requestor/README.md index 0f55846a..f9ebf221 100644 
--- a/helm/requestor/README.md +++ b/helm/requestor/README.md @@ -23,7 +23,6 @@ A Helm chart for gen3 Requestor Service | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values | list | `["requestor"]` | Value for the match expression key. | | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Value for topology key label. | | arboristUrl | string | `"http://arborist-service"` | Arborist service URL. | -| args | list | `["-c","/env/bin/alembic upgrade head\n"]` | Arguments to pass to the init container. | | automountServiceAccountToken | bool | `false` | Automount the default service account token | | autoscaling | map | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Configuration for autoscaling the number of replicas | | autoscaling.enabled | bool | `false` | Whether autoscaling is enabled | 
@@ -68,6 +67,10 @@ A Helm chart for gen3 Requestor Service | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.slack_send_dbgap | bool | `false` | Will echo what files we are seeing on dbgap ftp to Slack. | | global.slack_webhook | string | `"None"` | Slack webhook endpoint used with certain jobs. | | global.syncFromDbgap | bool | `false` | Whether to sync data from dbGaP. | 
@@ -108,16 +111,19 @@ A Helm chart for gen3 Requestor Service | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". 
| -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | -| volumeMounts | list | `[{"mountPath":"/requestor/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[]` | Volumes to mount to the container. | diff --git a/helm/requestor/templates/deployment.yaml b/helm/requestor/templates/deployment.yaml index 4add1707..5d2dc70e 100644 --- a/helm/requestor/templates/deployment.yaml +++ b/helm/requestor/templates/deployment.yaml @@ -31,10 +31,12 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 - fsGroup: 1000 + fsGroup: 1000 + {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} 
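Review bot: Wrapping the pod-level `securityContext` in `{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}` removes `runAsUser`/`runAsGroup`/`fsGroup: 1000` from every deployment that does not opt into the new image, so the legacy requestor container now runs as whatever UID its image defaults to, presumably root. If the legacy image genuinely cannot run as 1000, record that in a comment above the `{{- if }}`; otherwise leave the block unconditional and consider adding `runAsNonRoot: true` so the kubelet refuses a root image outright. Note also that Sprig's `default` treats `false` as empty, so a chart-level `secureImage.enabled: false` cannot override a global `true`; if a per-chart opt-out is intended, test the key with `hasKey` or a ternary instead. The pod spec continues outside the hunk.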
@@ -52,7 +54,11 @@ spec: name: requestor-nginx-configmap containers: - name: requestor + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/requestor:feat_al2" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} env: - name: DB_PORT value: "5432" @@ -96,35 +102,55 @@ spec: livenessProbe: httpGet: path: /_status - port: 8000 + port: app + {{- else }} + port: http + {{- end }} initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 8000 + port: app + {{- else }} + port: http + {{- end }} ports: - - containerPort: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: "wsgi-config" + mountPath: "/requestor/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py + {{- end }} {{- with .Values.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + - name: sidecar-nginx + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" 
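Review bot: The `livenessProbe` and `readinessProbe` emit `port: app`, `{{- else }}`, `port: http`, `{{- end }}` with no opening `{{- if }}`, so Helm fails to parse the template (`unexpected {{else}}`) before anything renders; each needs `{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}` in front of `port: app`, as the ports block below does. The sidecar section keeps the context line `- name: sidecar-nginx` and adds a second one (the hunk's +20 line count only balances if that line is new), which renders an image-less duplicate container the API server rejects. Both the requestor container and the sidecar name their port `app`, and container port names must be unique within a pod, so rename the sidecar's (e.g. `- name: proxy`) and its readiness probe `port:`. Finally, with the new `volumeMounts: []` default the `volumeMounts:` key only appears inside `{{- with }}`, while the `wsgi-config` item is emitted whenever the secure image is enabled, leaving list items with no parent key. The secure-image branch also hard-codes `quay.io/cdis/requestor:feat_al2`, a mutable branch tag that bypasses `image.repository`/`image.tag` and cannot be digest-pinned from values.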
@@ -132,7 +158,11 @@ spec: {{- end }} initContainers: - name: requestor-db-migrate + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/requestor:feat_al2" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- if .Values.global.ddEnabled }} @@ -180,6 +210,12 @@ spec: {{- end }} command: ["/bin/sh"] args: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - "-c" + - | + alembic upgrade head + {{- else }} - "-c" - | - alembic upgrade head \ No newline at end of file + /env/bin/alembic upgrade head + {{- end }} \ No newline at end of file diff --git a/helm/requestor/templates/nginx_config.yaml b/helm/requestor/templates/nginx_config.yaml index 906a598e..f21d0bef 100644 --- a/helm/requestor/templates/nginx_config.yaml +++ b/helm/requestor/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file diff --git a/helm/requestor/templates/service.yaml b/helm/requestor/templates/service.yaml index e71b0650..970d6aa0 100644 --- a/helm/requestor/templates/service.yaml +++ b/helm/requestor/templates/service.yaml @@ -11,4 +11,13 @@ spec: ports: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} type: {{ .Values.service.type }} \ No newline at end of file diff --git a/helm/requestor/templates/wsgi.yaml b/helm/requestor/templates/wsgi.yaml index ee5feac0..ad212448 100644 
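Review bot: `containerPort` is not a field of `Service.spec.ports[]`; each entry needs `port` and `targetPort`, so the rendered Service fails validation (`port: Required value`) or is pruned to an entry with no target on both branches. The secure path should read `port: 80` with `targetPort: 8080`, and the legacy path `targetPort: 80`. Note too that 8080 is the nginx sidecar's listener, but the branch keys on `secureImage.enabled` rather than `secureImage.sidecar.enabled`, so a secure image deployed without the sidecar is routed to a port nothing listens on; key the target on the sidecar flag and fall back to 8000. The `requestor-nginx-configmap` ConfigMap is likewise now rendered only when the sidecar is enabled, yet the pod volume referencing it (the context line before `containers:` in the earlier hunk) appears unconditional, so a sidecar-less pod would wait on a missing ConfigMap unless that volume is gated the same way or marked `optional: true`.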
--- a/helm/requestor/templates/wsgi.yaml +++ b/helm/requestor/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: user = 'gen3' group = 'gen3' timeout = 300 - worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file + worker_class = "uvicorn.workers.UvicornWorker" +{{- end }} \ No newline at end of file diff --git a/helm/requestor/values.yaml b/helm/requestor/values.yaml index f233cb84..606a5793 100644 --- a/helm/requestor/values.yaml +++ b/helm/requestor/values.yaml @@ -79,6 +79,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: 
@@ -179,25 +187,27 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "master" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # Environment Variables # -- (string) Arborist service URL. arboristUrl: http://arborist-service # -- (list) Volumes to mount to the container. -volumeMounts: - - name: "wsgi-config" - mountPath: "/requestor/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py +volumeMounts: [] # -- (map) Resource requests and limits for the containers in the pod resources: 
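Review bot: `secureImage.sidecar.tag: "nginx-sidecar-feat_nginx-sidecar"` combined with `pullPolicy: IfNotPresent` pins the proxy that fronts this service to a mutable feature-branch tag, so a node that cached an older build keeps serving it and nothing ties the chart to a reviewed image. Ship a release tag or an `@sha256:` digest and say in the value comment that the `feat_` tag is a development placeholder, e.g. `# -- (string) Image tag. Pin to a release tag or digest before production use.`. The default for the sidecar also flips from `enabled: true` to `enabled: false` here, which deserves a changelog line since existing installs silently lose the proxy.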
@@ -227,23 +237,14 @@ initResources: memory: 512Mi # -- (list) Command to run for the init container. command: ["/bin/sh"] -# -- (list) Arguments to pass to the init container. -args: - - "-c" - - | - /env/bin/alembic upgrade head # Service and Pod # -- (map) Kubernetes service information. service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: - - protocol: TCP - port: 80 - targetPort: 80 - name: http + # -- (list) The port number that the service exposes. + port: [] # Values to determine the labels that are used for the deployment, pod, etc. # -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". diff --git a/helm/sheepdog/README.md b/helm/sheepdog/README.md index cc4817e5..10a60efc 100644 --- a/helm/sheepdog/README.md +++ b/helm/sheepdog/README.md 
@@ -68,6 +68,10 @@ A Helm chart for gen3 Sheepdog Service | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/sheepdog","tag":"bug_auth-audience"}` | Docker image information. | | image.pullPolicy | string | `"Always"` | Docker pull policy. | 
@@ -100,17 +104,20 @@ A Helm chart for gen3 Sheepdog Service | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Values for sheepdog secret. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID to access the db restore job S3 bucket. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID to access the db restore job S3 bucket. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | -| service.port | int | `80` | The port number that the service exposes. | +| service | map | `{"port":[],"type":"ClusterIP"}` | Kubernetes service information. | +| service.port | list | `[]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". 
| -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | terminationGracePeriodSeconds | int | `50` | sheepdog transactions take forever - try to let the complete before termination | -| volumeMounts | list | `[{"mountPath":"/sheepdog/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"wsgi.py"},{"mountPath":"/sheepdog/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[]` | Volumes to mount to the container. | diff --git a/helm/sheepdog/templates/deployment.yaml b/helm/sheepdog/templates/deployment.yaml index b135118a..10db0fef 100644 --- a/helm/sheepdog/templates/deployment.yaml +++ b/helm/sheepdog/templates/deployment.yaml @@ -35,10 +35,12 @@ spec: {{- include "common.datadogLabels" . | nindent 8 }} {{- end }} spec: + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} 
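Review bot: Gating the pod `securityContext` on `secureImage.enabled` drops `runAsUser`/`runAsGroup`/`fsGroup: 1000` from every sheepdog deployment that does not opt in, so the legacy image now runs as its Dockerfile default user instead of the non-root UID the chart enforced before. If that image cannot run as 1000, add a comment above the `{{- if }}` saying so; otherwise keep the block unconditional and add `runAsNonRoot: true` so a root image is refused rather than silently accepted. The pod spec continues outside the hunk.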
@@ -59,7 +61,11 @@ spec: name: sheepdog-nginx-configmap initContainers: - name: sheepdog-init + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/sheepdog:feat_gunicorn" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- if .Values.global.ddEnabled }} @@ -115,14 +121,30 @@ spec: python /sheepdog/bin/setup_transactionlogs.py --user "${PGUSER}" --password "${PGPASSWORD}" --host "${PGHOST}" --database "${PGDB}" containers: - name: sheepdog + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/audit-service:feat_GPE-1113" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8000 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /_status?timeout=20 - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 @@ -130,7 +152,11 @@ spec: initialDelaySeconds: 30 httpGet: path: /_status?timeout=2 - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} # command: ["/bin/bash" ] # args: # - "-c" 
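Review bot: The secure-image branch of the `sheepdog` container sets `image: "quay.io/cdis/audit-service:feat_GPE-1113"`, which is the audit-service image, not sheepdog; the `sheepdog-init` container in the hunk above uses `quay.io/cdis/sheepdog:feat_gunicorn`, and the main container presumably should too. Beyond the wrong repository, both are hard-coded mutable branch tags that bypass `image.repository`/`image.tag`, so nothing in values can pin a digest or roll them forward; move them into `secureImage.repository`/`secureImage.tag`. The legacy branch also replaces the removed `containerPort: 8000` with `containerPort: 80` and points both probes at it, so confirm the pre-gunicorn image actually binds 80, otherwise the pod never becomes ready.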
@@ -245,19 +271,33 @@ spec: volumeMounts: {{- toYaml . | nindent 10 }} {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: "config-volume" + readOnly: true + mountPath: "/sheepdog/deployment/wsgi/wsgi.py" + subPath: "wsgi.py" + - name: "wsgi-config" + mountPath: "/sheepdog/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py + {{- else }} + - name: "config-volume" + readOnly: true + mountPath: "/var/www/sheepdog/settings.py" + subPath: "settings.py" + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" diff --git a/helm/sheepdog/templates/nginx_config.yaml b/helm/sheepdog/templates/nginx_config.yaml index bf035d9d..4839cb06 100644 --- a/helm/sheepdog/templates/nginx_config.yaml +++ b/helm/sheepdog/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -11,4 +12,5 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + } +{{- end }} \ No newline at end of file diff --git a/helm/sheepdog/templates/service.yaml b/helm/sheepdog/templates/service.yaml index eff84f42..2ed8b499 100644 --- a/helm/sheepdog/templates/service.yaml +++ b/helm/sheepdog/templates/service.yaml 
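Review bot: With the new `volumeMounts: []` default the `volumeMounts:` key is only emitted inside `{{- with .Values.volumeMounts }}`, but the `config-volume`/`wsgi-config` items that follow are emitted on every branch, so the default render produces list items under no key and the manifest is invalid; emit `volumeMounts:` unconditionally (the list is never empty here) and `nindent` the items beneath it. The sidecar's port is named `app`, the same name the sheepdog container gives its 8000 port earlier in the file, and container port names must be unique within a pod, so rename it (e.g. `- name: proxy`) together with the probe's `port:`. Gunicorn executes `gunicorn.conf.py` as Python, so give that mount `readOnly: true` like the `wsgi.py` mount beside it. The `sheepdog-nginx-configmap` is now rendered only when the sidecar flag is set, yet the pod volume naming it (context before `initContainers:` in the earlier hunk) looks unconditional; gate it identically or mark it `optional: true`.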
@@ -6,10 +6,18 @@ metadata: {{- include "sheepdog.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.port }} - protocol: TCP - name: http + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} selector: {{- include "sheepdog.selectorLabels" . | nindent 4 }} diff --git a/helm/sheepdog/templates/wsgi.yaml b/helm/sheepdog/templates/wsgi.yaml index 6905a7a2..3c12cd15 100644 --- a/helm/sheepdog/templates/wsgi.yaml +++ b/helm/sheepdog/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -9,4 +10,5 @@ data: workers = 1 user = 'gen3' group = 'gen3' - timeout = 300 \ No newline at end of file + timeout = 300 +{{- end }} \ No newline at end of file diff --git a/helm/sheepdog/values.yaml b/helm/sheepdog/values.yaml index 65be97a0..6a17850c 100644 --- a/helm/sheepdog/values.yaml +++ b/helm/sheepdog/values.yaml @@ -65,6 +65,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: 
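Review bot: `containerPort` is not a field of `Service.spec.ports[]`; each entry needs `port` and `targetPort`, so the generated Service fails validation on both branches. Use `port: 80` with `targetPort: 8080` on the secure path and `targetPort: 80` on the legacy path, and key the 8080 target on `secureImage.sidecar.enabled` rather than `secureImage.enabled`, since without the sidecar nothing listens on 8080. `service.port` also changes from an int to a list here, so an existing override such as `service.port: 80` now renders `ports: 80`; a changelog entry or a `kindIs "slice"` guard would stop that from breaking silently.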
@@ -170,15 +178,20 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "bug_auth-audience" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # Environment Variables # -- (string) URL of the data dictionary. @@ -192,14 +205,7 @@ arboristUrl: http://arborist-service authNamespace: default # -- (list) Volumes to mount to the container. -volumeMounts: - - name: "config-volume" - readOnly: true - mountPath: "/sheepdog/deployment/wsgi/wsgi.py" - subPath: "wsgi.py" - - name: "wsgi-config" - mountPath: "/sheepdog/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py +volumeMounts: [] # -- (map) Resource requests and limits for the containers in the pod resources: @@ -221,8 +227,8 @@ resources: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) The port number that the service exposes. - port: 80 + # -- (list) The port number that the service exposes. + port: [] # Secrets # -- (map) Values for sheepdog secret. diff --git a/helm/wts/README.md b/helm/wts/README.md index 792bc364..1ca35530 100644 --- a/helm/wts/README.md 
+++ b/helm/wts/README.md @@ -57,6 +57,10 @@ A Helm chart for gen3 workspace token service | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | hostname | string | `nil` | Hostname for the deployment. | | image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/workspace-token-service","tag":"feat_wts_internalfence"}` | Docker image information. | 
@@ -93,20 +97,22 @@ A Helm chart for gen3 workspace token service | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"external_oidc":null}` | Values for wts secret and keys for External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. | +| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | +| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | +| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | +| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. 
| | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"httpPort":80,"httpsPort":443,"type":"ClusterIP"}` | Configuration for the service | -| service.httpPort | int | `80` | Port on which the service is exposed | -| service.httpsPort | int | `443` | Secure port on which the service is exposed | +| service | map | `{"port":[],"type":"ClusterIP"}` | Configuration for the service | +| service.port | list | `[]` | Port on which the service is exposed | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | | serviceAccount.annotations | map | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | -| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx | -| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. | -| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. 
| | tolerations | list | `[]` | Tolerations for the pods | -| volumeMounts | list | `[{"mountPath":"/var/www/wts/appcreds.json","name":"wts-secret","readOnly":true,"subPath":"appcreds.json"},{"mountPath":"/wts/deployment/wsgi/gunicorn.conf.py","name":"wsgi-config","subPath":"gunicorn.conf.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[{"mountPath":"/var/www/wts/appcreds.json","name":"wts-secret","readOnly":true,"subPath":"appcreds.json"}]` | Volumes to mount to the container. | diff --git a/helm/wts/templates/deployment.yaml b/helm/wts/templates/deployment.yaml index c2eb0b85..103f0d45 100644 --- a/helm/wts/templates/deployment.yaml +++ b/helm/wts/templates/deployment.yaml 
@@ -72,26 +72,49 @@ spec: serviceAccountName: workspace-token-service containers: - name: {{ .Chart.Name }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/workspace-token-service:feat_gunicorn" + {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} - {{- end }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: "wsgi-config" + mountPath: "/wts/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py + {{- end }} ports: - - name: http + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app containerPort: 8000 protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} failureThreshold: 10 initialDelaySeconds: 5 readinessProbe: httpGet: path: /_status - port: 8000 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + port: app + {{- else }} + port: http + {{- end }} env: {{- if .Values.global.ddEnabled }} {{- include "common.datadogEnvVar" . | nindent 11 }} 
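Review bot: On the legacy branch the declared port moves from the removed `containerPort: 8000` to `containerPort: 80` and both probes follow it via `port: http`, so unless the pre-gunicorn wts image really binds port 80 the probes fail and the pod never becomes ready; confirm against that image or keep 8000 in the `{{- else }}` branch. The secure branch hard-codes `quay.io/cdis/workspace-token-service:feat_gunicorn`, a mutable branch tag that bypasses `image.repository`/`image.tag` and cannot be digest-pinned from values; move it into `secureImage` values. The `wsgi-config` mount is appended after `{{- with .Values.volumeMounts }}…{{- end }}`, so an operator who sets `volumeMounts: []` gets a list item with no `volumeMounts:` key — emit the key unconditionally when the secure image is enabled.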
@@ -146,17 +169,17 @@ spec: value: postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB) resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.sidecar.enabled }} + {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - name: sidecar-nginx - image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }} - imagePullPolicy: {{ .Values.sidecar.pullPolicy }} + image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" + imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} ports: - - name: http + - name: app containerPort: 8080 readinessProbe: httpGet: path: /_status - port: http + port: app volumeMounts: - name: "nginx-config" mountPath: "/etc/nginx/conf.d/default.conf" @@ -164,7 +187,11 @@ spec: {{- end }} initContainers: - name: wts-db-migrate - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + image: "quay.io/cdis/workspace-token-service:feat_gunicorn" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.volumeMounts }} volumeMounts: diff --git a/helm/wts/templates/nginx_config.yaml b/helm/wts/templates/nginx_config.yaml index bdf65d4f..a3acdebe 100644 --- a/helm/wts/templates/nginx_config.yaml +++ b/helm/wts/templates/nginx_config.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,4 @@ data: location / { proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address } - } \ No newline at end of file + }{{- end }} \ No newline at end of file diff --git a/helm/wts/templates/service.yaml b/helm/wts/templates/service.yaml index 66efd2ce..ed41dd5e 100644 
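Review bot: Renaming the sidecar's port to `app` (`- name: app` with `containerPort: 8080`) collides with the application container, whose secure-image branch in the preceding hunk also names its 8000 port `app`; container port names must be unique within a pod, so the pod is rejected at admission whenever `secureImage.enabled` and `secureImage.sidecar.enabled` are both set. Give the sidecar its own name, e.g. `- name: nginx` and `port: nginx` in its readinessProbe. The metadata sidecar hunk in PATCH 24 shows the same `- name: app`, so the other charts' sidecar blocks likely need the same rename.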
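Review bot: The secure-image branch of the `wts-db-migrate` init container (and of the application container in the first hunk of this file) hard-codes `quay.io/cdis/workspace-token-service:feat_gunicorn`, a mutable feature-branch tag that replaces the operator-controlled `.Values.image.repository`/`.Values.image.tag`; any pinning, digest or registry policy applied through `image.*` is bypassed as soon as `secureImage.enabled` is set. Model it on the sidecar, which already has `secureImage.sidecar.image`/`.tag`: add proposed `secureImage.image`/`secureImage.tag` values and render `image: "{{ .Values.secureImage.image }}:{{ .Values.secureImage.tag }}"` in both places, with a values.yaml comment noting that the tag is a development branch until pinned.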
--- a/helm/wts/templates/service.yaml +++ b/helm/wts/templates/service.yaml @@ -8,12 +8,16 @@ spec: selector: app: wts type: {{ .Values.service.type }} + {{- with .Values.service.port }} ports: - - protocol: TCP - port: {{ .Values.service.httpPort }} - targetPort: {{ .Values.service.httpPort }} - name: http - - protocol: TCP - port: {{ .Values.service.httpsPort }} - targetPort: {{ .Values.service.httpsPort }} - name: https \ No newline at end of file + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + - name: app + containerPort: 8080 + protocol: TCP + {{- else }} + - name: http + containerPort: 80 + protocol: TCP + {{- end }} \ No newline at end of file diff --git a/helm/wts/templates/wsgi.yaml b/helm/wts/templates/wsgi.yaml index 55bf6e9c..952d74c5 100644 --- a/helm/wts/templates/wsgi.yaml +++ b/helm/wts/templates/wsgi.yaml @@ -1,3 +1,4 @@ +{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -10,4 +11,5 @@ data: user = 'gen3' group = 'gen3' timeout = 300 - worker_class = "uvicorn.workers.UvicornWorker" \ No newline at end of file + worker_class = "uvicorn.workers.UvicornWorker" +{{- end }} \ No newline at end of file diff --git a/helm/wts/values.yaml b/helm/wts/values.yaml index 508f4a2f..0e2ce44f 100644 --- a/helm/wts/values.yaml +++ b/helm/wts/values.yaml @@ -65,6 +65,14 @@ global: deploy: false # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # -- (map) External Secrets settings. externalSecrets: 
@@ -109,15 +117,20 @@ image: # -- (string) Overrides the image tag whose default is the chart appVersion. tag: "feat_wts_internalfence" -# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. -sidecar: - enabled: true - # -- (string) The Docker image repository for nginx - image: quay.io/cdis/nginx-sidecar - # -- (string) When to pull the image. - pullPolicy: IfNotPresent - # -- (string) Image tag. - tag: "nginx-sidecar-feat_nginx-sidecar" +# -- (map) Configuration settings for the secure AL2 based image. +secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false + # -- (string) The Docker image repository for nginx + image: quay.io/cdis/nginx-sidecar + # -- (string) When to pull the image. + pullPolicy: IfNotPresent + # -- (string) Image tag. + tag: "nginx-sidecar-feat_nginx-sidecar" # -- (list) Docker image pull secrets. imagePullSecrets: [] @@ -165,10 +178,8 @@ securityContext: {} service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP - # -- (int) Port on which the service is exposed - httpPort: 80 - # -- (int) Secure port on which the service is exposed - httpsPort: 443 + # -- (list) Port on which the service is exposed + port: [] # -- (list) Volumes to mount to the container. volumeMounts: @@ -176,9 +187,6 @@ volumeMounts: readOnly: true mountPath: "/var/www/wts/appcreds.json" subPath: appcreds.json - - name: "wsgi-config" - mountPath: "/wts/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py # -- (map) Resource requests and limits for the containers in the pod resources: From 3062e2f71a1a5b9f63342aba507aaecb8c1cb720 Mon Sep 17 00:00:00 2001 
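Review bot: The replacement comment `# -- (list) Port on which the service is exposed` still reads as a single port, although `port` is now a list that is passed through `toYaml` into the Service's `ports:`; say what an entry is, e.g. `# -- (list) Additional Service port entries (ServicePort maps: name, port, targetPort, protocol) rendered before the generated http port.` The old `httpsPort: 443` entry is dropped without replacement, so the Service no longer exposes 443 by default; if anything in a deployment addressed wts on that port this is a breaking change worth a line in the chart README (callers are not visible from here).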
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Fri, 12 Jul 2024 09:02:48 -0600 Subject: [PATCH 24/27] fixing syntax errors --- helm/audit/templates/service.yaml | 4 ++-- helm/fence/templates/fence-deployment.yaml | 3 ++- helm/fence/templates/service.yaml | 8 ++++---- helm/indexd/templates/service.yaml | 4 ++-- helm/manifestservice/templates/service.yaml | 4 ++-- helm/metadata/templates/deployment.yaml | 3 +-- helm/metadata/templates/service.yaml | 4 ++-- helm/peregrine/templates/service.yaml | 4 ++-- helm/requestor/templates/service.yaml | 4 ++-- helm/sheepdog/templates/service.yaml | 4 ++-- helm/wts/templates/service.yaml | 4 ++-- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/helm/audit/templates/service.yaml b/helm/audit/templates/service.yaml index e8cebc3b..60574289 100644 --- a/helm/audit/templates/service.yaml +++ b/helm/audit/templates/service.yaml @@ -6,10 +6,10 @@ metadata: {{- include "audit.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml index bf1fc187..2e9a1e13 100644 --- a/helm/fence/templates/fence-deployment.yaml +++ b/helm/fence/templates/fence-deployment.yaml @@ -56,6 +56,7 @@ spec: {{- end }} - name: container containerPort: 6567 + protocol: TCP livenessProbe: httpGet: path: /_status @@ -73,7 +74,7 @@ spec: {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} port: app {{- else }} - port:http + port: http {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/helm/fence/templates/service.yaml b/helm/fence/templates/service.yaml index 9c28c33f..cfb1b280 100644 
--- a/helm/fence/templates/service.yaml +++ b/helm/fence/templates/service.yaml @@ -6,10 +6,10 @@ metadata: {{- include "fence.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 @@ -28,10 +28,10 @@ metadata: name: presigned-url-fence-service spec: type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 diff --git a/helm/indexd/templates/service.yaml b/helm/indexd/templates/service.yaml index a4ecc677..d14a43da 100644 --- a/helm/indexd/templates/service.yaml +++ b/helm/indexd/templates/service.yaml @@ -6,10 +6,10 @@ metadata: {{- include "indexd.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 diff --git a/helm/manifestservice/templates/service.yaml b/helm/manifestservice/templates/service.yaml index 0f246fd1..db55bbf1 100644 --- a/helm/manifestservice/templates/service.yaml +++ b/helm/manifestservice/templates/service.yaml @@ -6,10 +6,10 @@ metadata: {{- include "manifestservice.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 
diff --git a/helm/metadata/templates/deployment.yaml b/helm/metadata/templates/deployment.yaml
index 8affc675..1d7430cb 100644
--- a/helm/metadata/templates/deployment.yaml
+++ b/helm/metadata/templates/deployment.yaml
@@ -158,7 +158,7 @@ spec:
 {{- end }}
 {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
 - name: sidecar-nginx
- image: {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
+ image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}"
 imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }}
 ports:
 - name: app
@@ -212,7 +212,6 @@ spec:
 name: metadata-dbcreds
 key: dbcreated
 optional: false
- {{- with .Values.volumeMounts }}
 volumeMounts:
 {{- toYaml . | nindent 10 }}
 {{- end }}
diff --git a/helm/metadata/templates/service.yaml b/helm/metadata/templates/service.yaml
index 9c52e91b..78a35f36 100644
--- a/helm/metadata/templates/service.yaml
+++ b/helm/metadata/templates/service.yaml
@@ -11,10 +11,10 @@ metadata:
 spec:
 selector:
 {{- include "metadata.selectorLabels" . | nindent 4 }}
- {{- with .Values.service.port }}
 ports:
+ {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 - name: app
 containerPort: 8080
diff --git a/helm/peregrine/templates/service.yaml b/helm/peregrine/templates/service.yaml
index e86e9e44..fbb48969 100644
--- a/helm/peregrine/templates/service.yaml
+++ b/helm/peregrine/templates/service.yaml
@@ -6,10 +6,10 @@ metadata:
 {{- include "peregrine.labels" . | nindent 4 }}
 spec:
 type: {{ .Values.service.type }}
- {{- with .Values.service.port }}
 ports:
+ {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 - name: app
 containerPort: 8080
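Review bot: In the `@@ -212,7 +212,6 @@` hunk, removing `{{- with .Values.volumeMounts }}` leaves `{{- toYaml . | nindent 10 }}` and the following `{{- end }}` without the block that scoped them: `.` is now whatever context is current above the hunk rather than the mounts list, and the `{{- end }}` either closes an outer block early or fails to parse. The main-container change in this same file (and the equivalent hunks in PATCH 25) moves the `with` under the key instead of deleting it, and this block needs the same shape: `volumeMounts:` / `{{- with .Values.volumeMounts }}` / `{{- toYaml . | nindent 10 }}` followed by the existing `{{- end }}`. The enclosing container definition starts outside the hunk, so whether an outer block happens to absorb the `end` cannot be confirmed from here.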
diff --git a/helm/requestor/templates/service.yaml b/helm/requestor/templates/service.yaml index 970d6aa0..00d88d22 100644 --- a/helm/requestor/templates/service.yaml +++ b/helm/requestor/templates/service.yaml @@ -7,10 +7,10 @@ metadata: spec: selector: {{- include "requestor.selectorLabels" . | nindent 4 }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 diff --git a/helm/sheepdog/templates/service.yaml b/helm/sheepdog/templates/service.yaml index 2ed8b499..770b06ec 100644 --- a/helm/sheepdog/templates/service.yaml +++ b/helm/sheepdog/templates/service.yaml @@ -6,10 +6,10 @@ metadata: {{- include "sheepdog.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 diff --git a/helm/wts/templates/service.yaml b/helm/wts/templates/service.yaml index ed41dd5e..fdc8eca9 100644 --- a/helm/wts/templates/service.yaml +++ b/helm/wts/templates/service.yaml @@ -8,10 +8,10 @@ spec: selector: app: wts type: {{ .Values.service.type }} - {{- with .Values.service.port }} ports: + {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - name: app containerPort: 8080 From cb10012d431ba32f1d942d0f9026fb947f32661b Mon Sep 17 00:00:00 2001 
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Fri, 12 Jul 2024 13:23:37 -0600 Subject: [PATCH 25/27] updating service files and correcting deployment.yaml issues --- .secrets.baseline | 6 ++--- helm/audit/templates/service.yaml | 13 +++++----- helm/fence/templates/service.yaml | 28 +++++++++------------ helm/gen3/README.md | 4 +++ helm/gen3/values.yaml | 8 ++++++ helm/indexd/templates/service.yaml | 14 +++++------ helm/manifestservice/templates/service.yaml | 14 +++++------ helm/metadata/templates/deployment.yaml | 8 +++--- helm/metadata/templates/service.yaml | 14 +++++------ helm/peregrine/README.md | 2 +- helm/peregrine/templates/deployment.yaml | 17 ++++++++++--- helm/peregrine/templates/service.yaml | 14 +++++------ helm/peregrine/values.yaml | 8 ++---- helm/requestor/templates/deployment.yaml | 5 ++-- helm/requestor/templates/service.yaml | 14 +++++------ helm/sheepdog/templates/deployment.yaml | 2 +- helm/sheepdog/templates/service.yaml | 14 +++++------ helm/wts/templates/deployment.yaml | 21 ++++++++-------- helm/wts/templates/nginx_config.yaml | 3 ++- helm/wts/templates/service.yaml | 14 +++++------ helm/wts/templates/wsgi.yaml | 1 - 21 files changed, 112 insertions(+), 112 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 8a332751..58ab5f71 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2024-07-11T20:52:08Z", + "generated_at": "2024-07-12T19:23:30Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -353,7 +353,7 @@ "hashed_secret": "1740c48fa3141d4851b14f97e3bc0f46f7670672", "is_secret": false, "is_verified": false, - "line_number": 122, + "line_number": 126, "type": "Secret Keyword" } ], @@ -362,7 +362,7 @@ "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18", "is_secret": false, "is_verified": false, - "line_number": 200, + "line_number": 208, "type": "Secret Keyword" } ], 
diff --git a/helm/audit/templates/service.yaml b/helm/audit/templates/service.yaml
index 60574289..279214c2 100644
--- a/helm/audit/templates/service.yaml
+++ b/helm/audit/templates/service.yaml
@@ -10,14 +10,13 @@ spec:
 {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- - name: app
- containerPort: 8080
- protocol: TCP
- {{- else }}
 - name: http
- containerPort: 80
+ port: 80
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+ targetPort: 8080
+ {{- else }}
+ targetPort: 80
+ {{- end }}
 protocol: TCP
- {{- end }}
 selector:
 {{- include "audit.selectorLabels" . | nindent 4 }}
diff --git a/helm/fence/templates/service.yaml b/helm/fence/templates/service.yaml
index cfb1b280..ec40c93e 100644
--- a/helm/fence/templates/service.yaml
+++ b/helm/fence/templates/service.yaml
@@ -10,15 +10,13 @@ spec:
 {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- - name: app
- containerPort: 8080
- protocol: TCP
- {{- else }}
 - name: http
- containerPort: 80
- protocol: TCP
- {{- end }}
+ port: 80
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+ targetPort: 8080
+ {{- else }}
+ targetPort: 80
+ {{- end }}
 selector:
 {{- include "fence.selectorLabels" . | nindent 4 }}
 ---
@@ -32,15 +30,13 @@ spec:
 {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- - name: app
- containerPort: 8080
- protocol: TCP
- {{- else }}
 - name: http
- containerPort: 80
- protocol: TCP
- {{- end }}
+ port: 80
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+ targetPort: 8080
+ {{- else }}
+ targetPort: 80
+ {{- end }}
 selector:
 app: presigned-url-fence
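Review bot: `targetPort: 8080` is selected by `secureImage.enabled`, but 8080 is the nginx sidecar's port, which is only rendered when `secureImage.sidecar.enabled` is also set; with the secure image on and the sidecar off, the application container listens on gunicorn's port (8000 in the wts deployment and in the nginx `proxy_pass` of this series), so the Service routes to a port nothing listens on. The same branch appears in the fence (both Services), indexd, manifestservice, metadata, peregrine, requestor, sheepdog and wts service hunks of this commit. Key the target on the sidecar flag and fall back to the gunicorn port when only the secure image is enabled, as sketched below; the gunicorn port of the other charts should be confirmed rather than assumed to be 8000.
```yaml
      - name: http
        port: 80
        {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
        targetPort: 8080
        {{- else if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
        targetPort: 8000  # gunicorn bind port; confirm per chart
        {{- else }}
        targetPort: 80
        {{- end }}
        protocol: TCP
```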
diff --git a/helm/gen3/README.md b/helm/gen3/README.md index c741b5ef..0e258a34 100644 --- a/helm/gen3/README.md +++ b/helm/gen3/README.md @@ -112,6 +112,10 @@ Helm chart to deploy Gen3 Data Commons | global.postgres.master.username | string | `"postgres"` | global postgres master username | | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. | +| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. | +| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | | global.tierAccessLimit | int | `"1000"` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. | | guppy | map | `{"enabled":false}` | Configurations for guppy chart. | diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml index e5f528b2..b6837952 100644 --- a/helm/gen3/values.yaml +++ b/helm/gen3/values.yaml 
@@ -76,6 +76,14 @@ global: deploy: false # -- (bool) Will create the databases and store the creds in Kubernetes Secrets even if externalSecrets is deployed. Useful if you want to use ExternalSecrets for other secrets besides db secrets. dbCreate: false + # -- (map) Configuration settings for the secure AL2 based image. + secureImage: + # -- (bool) Enable the use of the secure AL2 based image. + enabled: false + # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn. + sidecar: + # -- (bool) Enable the Nginx sidecar container. + enabled: false # Dependancy Charts diff --git a/helm/indexd/templates/service.yaml b/helm/indexd/templates/service.yaml index d14a43da..98319453 100644 --- a/helm/indexd/templates/service.yaml +++ b/helm/indexd/templates/service.yaml @@ -10,14 +10,12 @@ spec: {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - - name: app - containerPort: 8080 - protocol: TCP - {{- else }} - name: http - containerPort: 80 - protocol: TCP - {{- end }} + port: 80 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + targetPort: 8080 + {{- else }} + targetPort: 80 + {{- end }} selector: {{- include "indexd.selectorLabels" . | nindent 4 }} diff --git a/helm/manifestservice/templates/service.yaml b/helm/manifestservice/templates/service.yaml index db55bbf1..452a1803 100644 --- a/helm/manifestservice/templates/service.yaml +++ b/helm/manifestservice/templates/service.yaml 
@@ -10,14 +10,12 @@ spec: {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - - name: app - containerPort: 8080 - protocol: TCP - {{- else }} - name: http - containerPort: 80 - protocol: TCP - {{- end }} + port: 80 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + targetPort: 8080 + {{- else }} + targetPort: 80 + {{- end }} selector: {{- include "manifestservice.selectorLabels" . | nindent 4 }} diff --git a/helm/metadata/templates/deployment.yaml b/helm/metadata/templates/deployment.yaml index 1d7430cb..f149c743 100644 --- a/helm/metadata/templates/deployment.yaml +++ b/helm/metadata/templates/deployment.yaml @@ -143,14 +143,14 @@ spec: containerPort: 80 protocol: TCP {{- end }} - {{- with .Values.volumeMounts }} volumeMounts: + {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - - name: "wsgi-config" - mountPath: "/metadata-service/deployment/wsgi/gunicorn.conf.py" - subPath: gunicorn.conf.py + - name: "wsgi-config" + mountPath: "/metadata-service/deployment/wsgi/gunicorn.conf.py" + subPath: gunicorn.conf.py {{- end }} {{- with .Values.resources }} resources: diff --git a/helm/metadata/templates/service.yaml b/helm/metadata/templates/service.yaml index 78a35f36..ad798473 100644 --- a/helm/metadata/templates/service.yaml +++ b/helm/metadata/templates/service.yaml 
@@ -15,13 +15,11 @@ spec: {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - - name: app - containerPort: 8080 - protocol: TCP - {{- else }} - name: http - containerPort: 80 - protocol: TCP - {{- end }} + port: 80 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + targetPort: 8080 + {{- else }} + targetPort: 80 + {{- end }} type: {{ .Values.service.type }} \ No newline at end of file diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md index b5b1aa58..836cb4bf 100644 --- a/helm/peregrine/README.md +++ b/helm/peregrine/README.md @@ -110,6 +110,6 @@ A Helm chart for gen3 Peregrine service | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `""` | The name of the service account | | tolerations | list | `[]` | Tolerations for the pods | -| volumeMounts | list | `[{"mountPath":"/peregrine/deployment/wsgi/wsgi.py","name":"config-volume","readOnly":true,"subPath":"settings.py"}]` | Volumes to mount to the container. | +| volumeMounts | list | `[]` | Volumes to mount to the container. | | volumes | list | `[{"emptyDir":{},"name":"shared-data"},{"name":"config-volume","secret":{"secretName":"peregrine-secret"}},{"configMap":{"name":"peregrine-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"peregrine-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. | diff --git a/helm/peregrine/templates/deployment.yaml b/helm/peregrine/templates/deployment.yaml index 34ff2459..3424c739 100644 --- a/helm/peregrine/templates/deployment.yaml +++ b/helm/peregrine/templates/deployment.yaml 
@@ -26,11 +26,13 @@ spec:
 {{- include "common.datadogLabels" . | nindent 8 }}
 {{- end }}
 spec:
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 securityContext:
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
+ {{- else }}
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- end }}
 {{- with .Values.volumes }}
 volumes:
@@ -41,8 +43,6 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "peregrine.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
@@ -157,14 +157,23 @@ spec:
 value: "False"
 - name: CONF_HOSTNAME
 value: {{ .Values.global.hostname }}
- {{- with .Values.volumeMounts }}
 volumeMounts:
+ {{- with .Values.volumeMounts }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 - name: "wsgi-config"
 mountPath: "/peregrine/deployment/wsgi/gunicorn.conf.py"
 subPath: gunicorn.conf.py
+ - name: "config-volume"
+ readOnly: true
+ mountPath: "/peregrine/deployment/wsgi/wsgi.py"
+ subPath: "settings.py"
+ {{- else }}
+ - name: "config-volume"
+ readOnly: true
+ mountPath: "/var/www/peregrine/settings.py"
+ subPath: "settings.py"
 {{- end }}
 ports:
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
diff --git a/helm/peregrine/templates/service.yaml b/helm/peregrine/templates/service.yaml
index fbb48969..2c2106d7 100644
--- a/helm/peregrine/templates/service.yaml
+++ b/helm/peregrine/templates/service.yaml
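Review bot: In the `@@ -26,11 +26,13 @@` hunk the secure-image branch hard-codes the pod `securityContext` to `runAsUser: 1000` / `runAsGroup: 1000` / `fsGroup: 1000` and ignores `.Values.podSecurityContext` entirely, so any operator-supplied hardening (for example `runAsNonRoot` or `seccompProfile`) is dropped exactly when the hardened image is in use, and nothing enforces the non-root requirement at admission. Render `.Values.podSecurityContext` in both branches and overlay only the UID/GID fields in the secure one, or at least add `runAsNonRoot: true` next to `runAsUser: 1000`. Whether the secure image actually runs as UID 1000 is not visible here and should be confirmed against the image.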
@@ -10,14 +10,12 @@ spec: {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - - name: app - containerPort: 8080 - protocol: TCP - {{- else }} - name: http - containerPort: 80 - protocol: TCP - {{- end }} + port: 80 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + targetPort: 8080 + {{- else }} + targetPort: 80 + {{- end }} selector: {{- include "peregrine.selectorLabels" . | nindent 4 }} diff --git a/helm/peregrine/values.yaml b/helm/peregrine/values.yaml index 00ee4a93..5abadc74 100644 --- a/helm/peregrine/values.yaml +++ b/helm/peregrine/values.yaml @@ -231,14 +231,10 @@ volumes: name: peregrine-wsgi - name: nginx-config configMap: - name: peregrine-nginx-configmap + name: peregrine-nginx-configmap # -- (list) Volumes to mount to the container. -volumeMounts: - - name: "config-volume" - readOnly: true - mountPath: "/peregrine/deployment/wsgi/wsgi.py" - subPath: "settings.py" +volumeMounts: [] # Values to determine the labels that are used for the deployment, pod, etc. # -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". diff --git a/helm/requestor/templates/deployment.yaml b/helm/requestor/templates/deployment.yaml index 5d2dc70e..09569a75 100644 --- a/helm/requestor/templates/deployment.yaml +++ b/helm/requestor/templates/deployment.yaml @@ -102,6 +102,7 @@ spec: livenessProbe: httpGet: path: /_status + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} port: app {{- else }} port: http @@ -112,6 +113,7 @@ spec: readinessProbe: httpGet: path: /_status + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} port: app {{- else }} port: http 
@@ -126,8 +128,8 @@ spec: containerPort: 80 protocol: TCP {{- end }} - {{- with .Values.volumeMounts }} volumeMounts: + {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} @@ -140,7 +142,6 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }} - - name: sidecar-nginx - name: sidecar-nginx image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}" imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }} diff --git a/helm/requestor/templates/service.yaml b/helm/requestor/templates/service.yaml index 00d88d22..d912d810 100644 --- a/helm/requestor/templates/service.yaml +++ b/helm/requestor/templates/service.yaml @@ -11,13 +11,11 @@ spec: {{- with .Values.service.port }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} - - name: app - containerPort: 8080 - protocol: TCP - {{- else }} - name: http - containerPort: 80 - protocol: TCP - {{- end }} + port: 80 + {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} + targetPort: 8080 + {{- else }} + targetPort: 80 + {{- end }} type: {{ .Values.service.type }} \ No newline at end of file diff --git a/helm/sheepdog/templates/deployment.yaml b/helm/sheepdog/templates/deployment.yaml index 10db0fef..5e902174 100644 --- a/helm/sheepdog/templates/deployment.yaml +++ b/helm/sheepdog/templates/deployment.yaml @@ -267,8 +267,8 @@ spec: # value: /etc/ssl/certs/ca-certificates.crt - name: GEN3_DEBUG value: "True" - {{- with .Values.volumeMounts }} volumeMounts: + {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }} 
diff --git a/helm/sheepdog/templates/service.yaml b/helm/sheepdog/templates/service.yaml
index 770b06ec..a43de377 100644
--- a/helm/sheepdog/templates/service.yaml
+++ b/helm/sheepdog/templates/service.yaml
@@ -10,14 +10,12 @@ spec:
 {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- - name: app
- containerPort: 8080
- protocol: TCP
- {{- else }}
 - name: http
- containerPort: 80
- protocol: TCP
- {{- end }}
+ port: 80
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+ targetPort: 8080
+ {{- else }}
+ targetPort: 80
+ {{- end }}
 selector:
 {{- include "sheepdog.selectorLabels" . | nindent 4 }}
diff --git a/helm/wts/templates/deployment.yaml b/helm/wts/templates/deployment.yaml
index 103f0d45..57cbe3e7 100644
--- a/helm/wts/templates/deployment.yaml
+++ b/helm/wts/templates/deployment.yaml
@@ -38,10 +38,12 @@ spec:
 {{- include "common.datadogLabels" . | nindent 8 }}
 {{- end }}
 spec:
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
- fsGroup: 1000
+ fsGroup: 1000
+ {{- end }}
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -83,9 +85,9 @@ spec:
 {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- - name: "wsgi-config"
- mountPath: "/wts/deployment/wsgi/gunicorn.conf.py"
- subPath: gunicorn.conf.py
+ - name: "wsgi-config"
+ mountPath: "/wts/deployment/wsgi/gunicorn.conf.py"
+ subPath: gunicorn.conf.py
 {{- end }}
 ports:
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
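Review bot: In the wts `@@ -38,10 +38,12 @@` hunk, wrapping the pod `securityContext` in `{{- if .Values.secureImage.enabled ... }}` with no `else` means the non-secure image now gets no pod securityContext at all, whereas the peregrine hunk in this same commit falls back to `{{- toYaml .Values.podSecurityContext | nindent 8 }}`. Add the same fallback here, `{{- else }}` / `securityContext:` / `{{- toYaml .Values.podSecurityContext | nindent 8 }}` before the `{{- end }}`, or, if the wts values do not define `podSecurityContext` (not visible in this series), keep the previous unconditional block. As in peregrine, the secure branch pins UID 1000 without `runAsNonRoot: true`.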
@@ -187,11 +189,11 @@ spec:
 {{- end }}
 initContainers:
 - name: wts-db-migrate
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- image: "quay.io/cdis/workspace-token-service:feat_gunicorn"
- {{- else }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- {{- end }}
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+ image: "quay.io/cdis/workspace-token-service:feat_gunicorn"
+ {{- else }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 {{- with .Values.volumeMounts }}
 volumeMounts:
@@ -257,4 +259,3 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
-
diff --git a/helm/wts/templates/nginx_config.yaml b/helm/wts/templates/nginx_config.yaml
index a3acdebe..0e28060b 100644
--- a/helm/wts/templates/nginx_config.yaml
+++ b/helm/wts/templates/nginx_config.yaml
@@ -11,4 +11,5 @@ data:
 location / {
 proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address
 }
- }{{- end }}
\ No newline at end of file
+ }
+{{- end }}
\ No newline at end of file
diff --git a/helm/wts/templates/service.yaml b/helm/wts/templates/service.yaml
index fdc8eca9..4c4889c5 100644
--- a/helm/wts/templates/service.yaml
+++ b/helm/wts/templates/service.yaml
@@ -12,12 +12,10 @@ spec:
 {{- with .Values.service.port }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
- - name: app
- containerPort: 8080
- protocol: TCP
- {{- else }}
 - name: http
- containerPort: 80
- protocol: TCP
- {{- end }}
\ No newline at end of file
+ port: 80
+ {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+ targetPort: 8080
+ {{- else }}
+ targetPort: 80
+ {{- end }}
\ No newline at end of file
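Review bot: The secure-image branch of the `wts-db-migrate` init container hard-codes `image: "quay.io/cdis/workspace-token-service:feat_gunicorn"`, a mutable feature-branch tag that ignores `.Values.image.repository`/`.Values.image.tag` and is not pinned by digest, so the code that runs database migrations can change underneath a deployed chart without any chart or values change. The hunk only re-indents these lines, but the reference ships on the new side and the `{{- else }}` branch already shows the values-driven form to follow; resolve the secure image from values (and pin it) instead of embedding the tag, or at minimum mark it `# TODO: temporary feat_gunicorn tag, replace with a released, pinned image before merge`. The init container definition continues past the hunk.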
diff --git a/helm/wts/templates/wsgi.yaml b/helm/wts/templates/wsgi.yaml
index 952d74c5..5fc2960f 100644
--- a/helm/wts/templates/wsgi.yaml
+++ b/helm/wts/templates/wsgi.yaml
@@ -11,5 +11,4 @@ data:
 user = 'gen3'
 group = 'gen3'
 timeout = 300
- worker_class = "uvicorn.workers.UvicornWorker"
 {{- end }}
\ No newline at end of file
From 179f864092b908a19e90c2114e1d2f2d39bd431e Mon Sep 17 00:00:00 2001
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:27:25 -0600
Subject: [PATCH 26/27] correcting 'common' chart version
---
 .secrets.baseline | 10 +++++-----
 helm/audit/Chart.yaml | 2 +-
 helm/audit/README.md | 2 +-
 helm/fence/Chart.yaml | 2 +-
 helm/fence/README.md | 2 +-
 helm/indexd/Chart.yaml | 2 +-
 helm/indexd/README.md | 2 +-
 helm/manifestservice/Chart.yaml | 2 +-
 helm/manifestservice/README.md | 2 +-
 helm/metadata/Chart.yaml | 2 +-
 helm/metadata/README.md | 2 +-
 helm/peregrine/Chart.yaml | 2 +-
 helm/peregrine/README.md | 2 +-
 helm/requestor/Chart.yaml | 2 +-
 helm/requestor/README.md | 2 +-
 helm/sheepdog/Chart.yaml | 2 +-
 helm/sheepdog/README.md | 2 +-
 helm/wts/Chart.yaml | 2 +-
 helm/wts/README.md | 2 +-
 19 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 58ab5f71..d9e1aac2 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-07-12T19:23:30Z",
+ "generated_at": "2024-07-12T19:26:58Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -170,7 +170,7 @@
 "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9",
 "is_secret": false,
 "is_verified": false,
- "line_number": 85,
+ "line_number": 90,
 "type": "Secret Keyword"
 }
 ],
@@ -469,21 +469,21 @@
 "hashed_secret": "cbdb7939a61698c9c866ea614399ef7eb7770c68",
 "is_secret": false,
 "is_verified": false,
- "line_number": 49,
+ "line_number": 48,
 "type": "Secret Keyword"
 },
 {
 "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900",
 "is_secret": false,
 "is_verified": false,
- "line_number": 74,
+ "line_number": 73,
 "type": "Secret Keyword"
 },
 {
 "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9",
 "is_secret": false,
 "is_verified": false,
- "line_number": 93,
+ "line_number": 96,
 "type": "Secret Keyword"
 }
 ],
diff --git a/helm/audit/Chart.yaml b/helm/audit/Chart.yaml
index 6504dab2..31739d3b 100644
--- a/helm/audit/Chart.yaml
+++ b/helm/audit/Chart.yaml
@@ -24,7 +24,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.11
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/audit/README.md b/helm/audit/README.md
index 7501e8a1..ecae6ff6 100644
--- a/helm/audit/README.md
+++ b/helm/audit/README.md
@@ -8,7 +8,7 @@ A Helm chart for Kubernetes
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.11 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
diff --git a/helm/fence/Chart.yaml b/helm/fence/Chart.yaml
index d7cf0ccf..e145f4a4 100644
--- a/helm/fence/Chart.yaml
+++ b/helm/fence/Chart.yaml
@@ -24,7 +24,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.11
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/fence/README.md b/helm/fence/README.md
index f0386c8b..1eee3756 100644
--- a/helm/fence/README.md
+++ b/helm/fence/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 Fence
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.11 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
diff --git a/helm/indexd/Chart.yaml b/helm/indexd/Chart.yaml
index da9e5989..99d51416 100644
--- a/helm/indexd/Chart.yaml
+++ b/helm/indexd/Chart.yaml
@@ -26,7 +26,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/indexd/README.md b/helm/indexd/README.md
index 8939aa37..d605b015 100644
--- a/helm/indexd/README.md
+++ b/helm/indexd/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 indexd
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
diff --git a/helm/manifestservice/Chart.yaml b/helm/manifestservice/Chart.yaml
index ead7c837..87860f02 100644
--- a/helm/manifestservice/Chart.yaml
+++ b/helm/manifestservice/Chart.yaml
@@ -25,5 +25,5 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
diff --git a/helm/manifestservice/README.md b/helm/manifestservice/README.md
index 4bc3dd98..e4e87559 100644
--- a/helm/manifestservice/README.md
+++ b/helm/manifestservice/README.md
@@ -8,7 +8,7 @@ A Helm chart for Kubernetes
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 ## Values
diff --git a/helm/metadata/Chart.yaml b/helm/metadata/Chart.yaml
index cc38c640..c2cd2d9b 100644
--- a/helm/metadata/Chart.yaml
+++ b/helm/metadata/Chart.yaml
@@ -25,7 +25,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/metadata/README.md b/helm/metadata/README.md
index f371bceb..48999d46 100644
--- a/helm/metadata/README.md
+++ b/helm/metadata/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 Metadata Service
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 | https://helm.elastic.co | elasticsearch | 7.17.1 |
diff --git a/helm/peregrine/Chart.yaml b/helm/peregrine/Chart.yaml
index fe934b49..dc0c7c16 100644
--- a/helm/peregrine/Chart.yaml
+++ b/helm/peregrine/Chart.yaml
@@ -26,7 +26,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md
index 836cb4bf..97f59798 100644
--- a/helm/peregrine/README.md
+++ b/helm/peregrine/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 Peregrine service
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
diff --git a/helm/requestor/Chart.yaml b/helm/requestor/Chart.yaml
index f434c773..ab00815c 100644
--- a/helm/requestor/Chart.yaml
+++ b/helm/requestor/Chart.yaml
@@ -26,7 +26,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/requestor/README.md b/helm/requestor/README.md
index f9ebf221..7ef35853 100644
--- a/helm/requestor/README.md
+++ b/helm/requestor/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 Requestor Service
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
diff --git a/helm/sheepdog/Chart.yaml b/helm/sheepdog/Chart.yaml
index 30c9dbda..3e93d550 100644
--- a/helm/sheepdog/Chart.yaml
+++ b/helm/sheepdog/Chart.yaml
@@ -25,7 +25,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/sheepdog/README.md b/helm/sheepdog/README.md
index 10a60efc..f8f6be27 100644
--- a/helm/sheepdog/README.md
+++ b/helm/sheepdog/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 Sheepdog Service
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
diff --git a/helm/wts/Chart.yaml b/helm/wts/Chart.yaml
index 8799591c..8c6abbb8 100644
--- a/helm/wts/Chart.yaml
+++ b/helm/wts/Chart.yaml
@@ -25,7 +25,7 @@ appVersion: "master"
 dependencies:
 - name: common
- version: 0.1.10
+ version: 0.1.12
 repository: file://../common
 - name: postgresql
 version: 11.9.13
diff --git a/helm/wts/README.md b/helm/wts/README.md
index 1ca35530..d163467e 100644
--- a/helm/wts/README.md
+++ b/helm/wts/README.md
@@ -8,7 +8,7 @@ A Helm chart for gen3 workspace token service
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.12 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 ## Values
From a05038262eb545f326c6705915eeae893cd4390a Mon Sep 17 00:00:00 2001
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com>
Date: Mon, 15 Jul 2024 12:06:52 -0600
Subject: [PATCH 27/27] updating volume mounts for fence and presigned url
---
 helm/fence/templates/fence-deployment.yaml | 4 ++--
 helm/fence/templates/presigned-url-fence.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml
index 2e9a1e13..2cfb6fba 100644
--- a/helm/fence/templates/fence-deployment.yaml
+++ b/helm/fence/templates/fence-deployment.yaml
@@ -95,8 +95,8 @@ spec:
 volumeMounts:
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 - name: wsgi-config
- configMap:
- name: fence-wsgi
+ mountPath: "/fence/deployment/wsgi/gunicorn.conf.py"
+ subPath: gunicorn.conf.py
 {{- end }}
 {{- toYaml .Values.volumeMounts | nindent 12 }}
 {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml
index 745c457a..99bdf27f 100644
--- a/helm/fence/templates/presigned-url-fence.yaml
+++ b/helm/fence/templates/presigned-url-fence.yaml
@@ -88,8 +88,8 @@ spec:
 volumeMounts:
 {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 - name: wsgi-config
- configMap:
- name: fence-wsgi
+ mountPath: "/fence/deployment/wsgi/gunicorn.conf.py"
+ subPath: gunicorn.conf.py
 {{- end }}
 {{- toYaml .Values.volumeMounts | nindent 12 }}
 {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
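Review bot: The new `wsgi-config` mount is only valid if a volume of that name sourced from the `fence-wsgi` ConfigMap is declared under the pod's `volumes:`, which lies outside this hunk; the removed lines show that source had been placed under `volumeMounts:`, so confirm it was not simply deleted rather than moved, or the pod will fail to schedule. Because `subPath: gunicorn.conf.py` is a single-file mount, Kubernetes does not propagate later ConfigMap edits into the running container, so a change to the gunicorn config (workers, timeouts, bind address) silently takes effect only on the next pod restart; add a checksum-of-ConfigMap annotation on the pod template, or a comment such as `# subPath mount: gunicorn.conf.py changes need a rollout to apply`, so operators are not misled. The same applies to the identical hunk in helm/fence/templates/presigned-url-fence.yaml. The enclosing container definition starts and ends outside the hunk.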