diff --git a/.github/workflows/charts.yaml b/.github/workflows/charts.yaml new file mode 100644 index 000000000..2716a9206 --- /dev/null +++ b/.github/workflows/charts.yaml 
@@ -0,0 +1,71 @@ +name: Build Helm Chart + +on: + pull_request: + # Only consider PRs that change files for this asset, including ci scripts + paths: + - '.github/workflows/charts.yaml' + - 'charts/**' + # Make sure all workflows that are "required checks" for a given + # branch protection rule have the same paths: and branches-ignore: + # filters. Otherwise, you can end up in a deadlock waiting on a + # required check that will never be executed. + push: + # Only release off of release and maintenance branches for this asset + branches: + - 'main' + # Only consider pushes that change files for this asset, including ci scripts + paths: + - '.github/workflows/charts.yaml' + - 'charts/**' + +permissions: + contents: write + pull-requests: write + actions: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + # Needed to generate releases safely + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + # Job name must be unique across repo to target + # branch protection rules "required checks" properly! 
+ agent-helm-chart: + uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@v2.0.3-charts + with: + job-name: agent-helm-chart + registry: ${{ vars.HARBOR_REGISTRY }} + registry-user: ${{ vars.HARBOR_USER }} + registry-project: ${{ vars.HARBOR_PROJECT }} + registry-repo: trefx-agent + release-tag-format: 'Agent-Helm-Chart-${version}' + cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} + chart: charts/agent + test-command: | + helm template $CHART --debug + + secrets: + cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} + registry-token: ${{ secrets.HARBOR_TOKEN }} + + agent-stack-helm-chart: + uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@v2.0.3-charts + with: + job-name: agent-stack-helm-chart + registry: ${{ vars.HARBOR_REGISTRY }} + registry-user: ${{ vars.HARBOR_USER }} + registry-project: ${{ vars.HARBOR_PROJECT }} + registry-repo: agent-stack + release-tag-format: 'Agent-Stack-Helm-Chart-${version}' + cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} + chart: charts/agent-stack + test-command: | + helm template $CHART --debug + + secrets: + cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} + registry-token: ${{ secrets.HARBOR_TOKEN }} diff --git a/.gitignore b/.gitignore index 0d6b282fb..efee72986 100644 --- a/.gitignore +++ b/.gitignore @@ -376,3 +376,6 @@ serp-forms-api/appsettings.Development.json serp-forms-api/appsettings.Development.json .idea + +.DS_Store +**/.DS_Store \ No newline at end of file diff --git a/charts/agent-stack/.helmignore b/charts/agent-stack/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/agent-stack/.helmignore 
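Review bot: Both `uses:` lines pin the reusable workflow to the mutable tag `@v2.0.3-charts`, so whoever can move that tag in the `SwanseaUniversityMedical/workflows` repo can change what runs with this workflow's `contents: write` token and the cosign/Harbor secrets; pin to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@<full-commit-sha>  # v2.0.3-charts`. The workflow-level `permissions:` block also grants `contents: write` and `pull-requests: write` to both jobs on every trigger, including `pull_request`; if the called workflow only needs write access on the `push` release path, scoping the grant per job keeps PR runs read-only — I cannot see the reusable workflow, so confirm what it actually requires. Minor: the comment `# Only release off of release and maintenance branches for this asset` sits above a list containing only `main`, so either the comment or the branch list should change.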
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/agent-stack/Chart.yaml b/charts/agent-stack/Chart.yaml new file mode 100644 index 000000000..06820e15a --- /dev/null +++ b/charts/agent-stack/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: agent-stack +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.0.0" diff --git a/charts/agent-stack/templates/_helpers.tpl b/charts/agent-stack/templates/_helpers.tpl new file mode 100644 index 000000000..6aa1df95b --- /dev/null +++ b/charts/agent-stack/templates/_helpers.tpl 
@@ -0,0 +1,70 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "agent-deploy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "agent-deploy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "agent-deploy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "agent-deploy.labels" -}} +helm.sh/chart: {{ include "agent-deploy.chart" . }} +{{ include "agent-deploy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "agent-deploy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "agent-deploy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "agent-deploy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "agent-deploy.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Derive the oidc authority host from the full url +*/}} +{{- define "agent-deploy.oidcHost" -}} +{{- $parts := split "/" .Values.global.oidc.authority }} +{{- printf "%s" $parts._2 }} +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/hasura.yaml b/charts/agent-stack/templates/hasura.yaml new file mode 100644 index 000000000..26cb25ef2 --- /dev/null +++ b/charts/agent-stack/templates/hasura.yaml @@ -0,0 +1,29 @@ +{{- if .Values.hasura.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: hasura + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.global.argo.project }} + destination: + namespace: {{ .Release.Namespace }} + server: {{ .Values.global.argo.destinationServer }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + source: + repoURL: {{ .Values.hasura.repoUrl }} + chart: {{ .Values.hasura.chart }} + targetRevision: {{ .Values.hasura.chartVersion }} + helm: + values: | + {{- .Values.hasura.helmValues | toYaml | nindent 8 }} + +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/minio-cert.yaml b/charts/agent-stack/templates/minio-cert.yaml new file mode 100644 index 000000000..552acf916 --- /dev/null +++ b/charts/agent-stack/templates/minio-cert.yaml 
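Review bot: `agent-deploy.oidcHost` takes the third `/`-separated segment of `.Values.global.oidc.authority`, which defaults to `""` in values.yaml, so with the default it yields no host at all, and with an authority that carries a port or a deeper path it only works by accident of position; Sprig's URL parser is the robust form, `{{- (urlParse .Values.global.oidc.authority).host }}` (note `host` includes any port), and the `printf "%s"` wrapper is redundant either way. `agent-deploy.serviceAccountName` reads `.Values.serviceAccount.create`, but values.yaml defines no `serviceAccount` key, so any template that includes it would fail at render time; as far as the visible templates go nothing includes it, so either drop the helper or add the values it expects. The helpers are named `agent-deploy.*` in a chart called `agent-stack`; consider aligning the prefix with the chart name, the way `charts/agent/templates/_helpers.tpl` uses `agent.*`.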
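Review bot: `targetRevision: {{ .Values.hasura.chartVersion }}` renders the version unquoted, so a value such as `1.10` written without quotes in values.yaml would be parsed as the float `1.1` before it ever reaches Argo; render it with `| quote` (`targetRevision: {{ .Values.hasura.chartVersion | quote }}`) and treat `repoURL` and `chart` the same way. The same pattern is repeated in `seq.yaml`, `minio.yaml` and `trefx-agent.yaml`. `prune: true` plus `selfHeal: true` with the resources finalizer means deleting this parent Application also tears down the Hasura release and its in-chart Postgres (`graphql-engine.postgres.enabled: true` in values.yaml); a one-line comment on the `finalizers:` entry stating that this cascade is intended would save the next reader a surprise.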
@@ -0,0 +1,44 @@ +# {{- if .Values.minio.enabled }} +# apiVersion: cert-manager.io/v1 +# kind: Certificate +# metadata: +# name: minio-tls-secret +# namespace: {{ .Release.Namespace }} +# spec: +# # Secret names are always required. +# secretName: minio-tls-secret +# duration: 2160h0m0s #90d +# renewBefore: 360h0m0s #15d +# subject: +# organizations: +# - serp +# privateKey: +# algorithm: RSA +# encoding: PKCS1 +# size: 2048 +# usages: +# - server auth +# - digital signature +# - client auth +# - key encipherment +# dnsNames: +# - "minio.{{ .Values.global.network.ingress.host }}" +# - "minio" +# - "minio.{{ .Release.Namespace }}" +# - "minio.{{ .Release.Namespace }}.svc" +# - "minio.{{ .Release.Namespace }}.svc.cluster.local" +# - "{{ .Values.minio.tenantName }}-hl" +# - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}" +# - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc" +# - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" +# - "*.{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" +# - "*.{{ .Release.Namespace }}.svc.cluster.local" +# # we use this as a cheat/workaround to get it to trust the keycloak ca for oidc +# - {{ include "agent-deploy.oidcHost" . }} +# ipAddresses: +# - 127.0.0.1 +# issuerRef: +# name: {{ .Values.global.network.certificate.clusterIssuer }} +# kind: ClusterIssuer +# group: cert-manager.io +# {{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/minio.yaml b/charts/agent-stack/templates/minio.yaml new file mode 100644 index 000000000..3dc1100aa --- /dev/null +++ b/charts/agent-stack/templates/minio.yaml 
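Review bot: Commenting the whole template out with `#` does not disable it: Helm executes Go template actions before the result is parsed as YAML, so `{{- if .Values.minio.enabled }}`, every `.Values.*` lookup and `{{ include "agent-deploy.oidcHost" . }}` still run on every render, and any error in them (for instance `oidcHost` on the default empty `authority`) would break the release while the file contributes nothing. Either delete the file until the Certificate is wanted or wrap the body in a template comment, `{{/* ... */}}`, which Helm drops before evaluation. If it is kept, the SAN `*.{{ .Release.Namespace }}.svc.cluster.local` covers every service in the namespace, which is a broader certificate than the MinIO tenant needs.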
@@ -0,0 +1,144 @@ +{{- if .Values.minio.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: minio + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.global.argo.project}} + destination: + server: {{ .Values.global.argo.destinationServer }} + namespace: {{ .Release.Namespace }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + source: + repoURL: {{ .Values.minio.repoUrl }} + chart: {{ .Values.minio.chart }} + targetRevision: {{ .Values.minio.chartVersion }} + helm: + valuesObject: + secrets: + existingSecret: {{ .Values.agent.helmValues.egress.config.minio.authSecret.name }} + + tenant: + name: {{ .Values.minio.tenantName }} + configuration: + name: {{ .Values.agent.helmValues.egress.config.minio.authSecret.name }} + + pools: + - servers: {{ .Values.minio.firstPool.servers }} + name: pool-0 + volumesPerServer: {{ .Values.minio.firstPool.volumesPerServer }} + size: {{ .Values.minio.firstPool.size }} + {{- if .Values.minio.firstPool.storageClassName }} + storageClassName: {{ .Values.minio.firstPool.storageClassName }} + {{- end }} + {{- if .Values.minio.firstPool.storageTierNodeLabel }} + nodeSelector: + hiru.io/storage-tier: "{{ .Values.minio.firstPool.storageTierNodeLabel }}" + {{- end }} + resources: + requests: + cpu: "1" + memory: "1Gi" + limits: + cpu: "4" + memory: "4Gi" + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + {{- if .Values.minio.extraPools -}} + {{- range $i, $value := .Values.minio.extraPools }} + - servers: {{ $value.servers }} + name: pool-{{ add $i 1 }} + volumesPerServer: {{ $value.volumesPerServer }} + size: {{ $value.size }} + storageClassName: {{ $value.storageClassName }} + nodeSelector: + hiru.io/storage-tier: "{{ $value.storageTierNodeLabel 
}}" + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + cpu: "8" + memory: "8Gi" + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + {{- end }} + {{- end }} + + # metrics: + # enabled: true + + buckets: + - name: {{ .Values.agent.helmValues.egress.config.minio.bucketName }} + + env: + - name: MINIO_IDENTITY_OPENID_CONFIG_URL_PRIMARY_IAM + value: "{{ .Values.global.oidc.authority }}/.well-known/openid-configuration" + - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME_PRIMARY_IAM + value: "SSO_IDENTIFIER" + - name: MINIO_IDENTITY_OPENID_SCOPES_PRIMARY_IAM + value: "openid,email" + - name: MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC_PRIMARY_IAM + value: "on" + - name: GC + value: "10" + + prometheusOperator: false + + {{- if .Values.minio.ingress.enabled }} + ingress: + api: + enabled: true + ingressClassName: "{{ .Values.global.network.ingress.className }}" + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + tls: + - hosts: + - minio-api.{{ .Values.global.network.ingress.host }} + secretName: minioapi-ingress-tls + host: minio-api.{{ .Values.global.network.ingress.host }} + path: / + pathType: Prefix + + console: + enabled: true + ingressClassName: "{{ .Values.global.network.ingress.className }}" + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + tls: + - hosts: + - minio.{{ .Values.global.network.ingress.host }} + secretName: minio-ingress-tls + host: minio.{{ 
.Values.global.network.ingress.host }} + path: / + pathType: Prefix + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/rabbitmq.yaml b/charts/agent-stack/templates/rabbitmq.yaml new file mode 100644 index 000000000..b5441d495 --- /dev/null +++ b/charts/agent-stack/templates/rabbitmq.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rabbitmq.enabled }} +apiVersion: rabbitmq.com/v1beta1 +kind: RabbitmqCluster +metadata: + name: rabbitmq + namespace: {{ .Release.Namespace }} +spec: + persistence: + # storageClassName: {{ .Values.rabbitmq.storageClassName }} + storage: {{ .Values.rabbitmq.storageSize }} + + resources: + requests: + cpu: 250m + memory: 2Gi + limits: + cpu: 500m + memory: 2Gi + + secretBackend: + externalSecret: + name: {{ .Values.agent.helmValues.rabbitmq.passwordSecret.name }} + +{{- end }} + diff --git a/charts/agent-stack/templates/seq.yaml b/charts/agent-stack/templates/seq.yaml new file mode 100644 index 000000000..909abe5b1 --- /dev/null +++ b/charts/agent-stack/templates/seq.yaml @@ -0,0 +1,29 @@ +{{- if .Values.seq.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: seq + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.global.argo.project }} + destination: + namespace: {{ .Release.Namespace }} + server: {{ .Values.global.argo.destinationServer }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + source: + repoURL: {{ .Values.seq.repoUrl }} + chart: {{ .Values.seq.chart }} + targetRevision: {{ .Values.seq.chartVersion }} + helm: + values: | + {{- .Values.seq.helmValues | toYaml | nindent 8 }} + +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/trefx-agent-postgres.yaml b/charts/agent-stack/templates/trefx-agent-postgres.yaml new file mode 100644 index 000000000..213d06972 --- /dev/null 
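Review bot: In the `extraPools` range, `storageClassName:` and `nodeSelector:` are emitted unconditionally, unlike the first pool where both are guarded with `{{- if ... }}`, so an extra pool without `storageClassName` renders a null `storageClassName:` and one without `storageTierNodeLabel` renders `hiru.io/storage-tier: ""`; mirror the first pool's guards. `MINIO_IDENTITY_OPENID_CONFIG_URL_PRIMARY_IAM` is built from `.Values.global.oidc.authority`, which defaults to `""` in values.yaml and therefore yields `/.well-known/openid-configuration`; since OIDC is unconditional here, fail early with `value: "{{ required "global.oidc.authority must be set" .Values.global.oidc.authority }}/.well-known/openid-configuration"`. Minor: `{{ .Values.global.argo.project}}` is missing the closing space, and `nginx.ingress.kubernetes.io/secure-backends` is the deprecated predecessor of the `backend-protocol` annotation set on the next line, so it can go.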
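Review bot: `# storageClassName: {{ .Values.rabbitmq.storageClassName }}` is commented out while values.yaml sets `rabbitmq.storageClassName: ceph-block`, so that value is silently ignored and the cluster lands on the default storage class; either wire it up under a guard (`{{- with .Values.rabbitmq.storageClassName }}` / `storageClassName: {{ . }}` / `{{- end }}`) or remove the value. Helm still evaluates the `.Values` lookup inside the `#` comment, so commenting it out saves nothing at render time. `spec.replicas` is not set, so this is a single-node RabbitMQ with no HA; fine if intended, but worth a comment in the values file.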
+++ b/charts/agent-stack/templates/trefx-agent-postgres.yaml @@ -0,0 +1,35 @@ +{{- if .Values.agentPostgres.enabled }} +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: postgresql + namespace: {{ .Release.Namespace }} +spec: + instances: {{ .Values.agentPostgres.instances }} + imageName: ghcr.io/cloudnative-pg/postgresql:{{ .Values.agentPostgres.version }} + + enableSuperuserAccess: true + superuserSecret: + name: {{ .Values.agentPostgres.postgresUserSecretName }} + + bootstrap: + initdb: + database: DATA-Egress + owner: postgres + secret: + name: {{ .Values.agentPostgres.postgresUserSecretName }} + postInitSQL: + - CREATE DATABASE "DARE-Control" + + storage: + size: {{ .Values.agentPostgres.size }} + pvcTemplate: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.agentPostgres.size }} + + monitoring: + enablePodMonitor: false +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml new file mode 100644 index 000000000..f4c329313 --- /dev/null +++ b/charts/agent-stack/templates/trefx-agent.yaml 
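Review bot: `enableSuperuserAccess: true` together with `bootstrap.initdb.owner: postgres` makes the application database (and `DARE-Control`, created by `postInitSQL`) owned by the superuser, and `trefx-agent.yaml` connects as `postgres` too, so the agent runs with full superuser rights on the cluster; CNPG's default is a dedicated non-superuser owner — `owner: <app-role>` with `secret.name` pointing at that role's credentials — and superuser access can stay disabled unless something visible needs it. `storage.size` and `pvcTemplate.resources.requests.storage` both carry `.Values.agentPostgres.size`, which is redundant and can drift; one is enough. `agentPostgres.storageClassName: ceph-block` in values.yaml is never referenced by this template, so it is either dead or missing from `storage:`.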
@@ -0,0 +1,103 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: trefx-agent + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.global.argo.project }} + destination: + namespace: {{ .Release.Namespace }} + server: {{ .Values.global.argo.destinationServer }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + source: + repoURL: {{ .Values.agent.repoUrl }} + chart: {{ .Values.agent.chart }} + targetRevision: {{ .Values.agent.chartVersion }} + helm: + values: | + egress: + config: + {{- .Values.agent.helmValues.egress.config | toYaml | nindent 12 }} + + ui: + image: + tag: {{ .Values.agent.containerVersion }} + + ingress: + enabled: {{ .Values.agent.helmValues.egress.ui.ingress.enabled }} + className: {{ .Values.global.network.ingress.className }} + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}" + host: {{ .Values.agent.helmValues.egress.ui.ingress.host }} + tls: + - hosts: + - {{ .Values.agent.helmValues.egress.ui.ingress.host }} + secretName: egress-ui-tls-secret + + service: + {{- .Values.agent.helmValues.egress.ui.service | toYaml | nindent 14 }} + + api: + image: + tag: {{ .Values.agent.containerVersion }} + + tre: + config: + {{- .Values.agent.helmValues.tre.config | toYaml | nindent 12 }} + + ui: + image: + tag: {{ .Values.agent.containerVersion }} + + ingress: + enabled: {{ .Values.agent.helmValues.tre.ui.ingress.enabled }} + className: {{ .Values.global.network.ingress.className }} + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}" + host: {{ .Values.agent.helmValues.tre.ui.ingress.host }} + tls: + - hosts: + - {{ .Values.agent.helmValues.tre.ui.ingress.host }} + secretName: tre-ui-tls-secret + + service: + {{- .Values.agent.helmValues.tre.ui.service | toYaml | nindent 14 }} + + 
api: + image: + tag: {{ .Values.agent.containerVersion }} + + submission: + config: + {{- .Values.agent.helmValues.submission.config | toYaml | nindent 12 }} + + externalPostgres: + enabled: true + host: "postgresql-rw" + username: "postgres" + password: "{{ .Values.agent.helmValues.postgres.password }}" + + rabbitmq: + host: "http://rabbitmq" + username: {{ .Values.agent.helmValues.rabbitmq.username }} + passwordSecret: + name: {{ .Values.agent.helmValues.rabbitmq.passwordSecret.name }} + key: {{ .Values.agent.helmValues.rabbitmq.passwordSecret.key }} + + seq: + enabled: true + url: "http://seq:5341" + + {{- with .Values.agent.helmValues.resources }} + + resources: + {{- . | toYaml | nindent 10 }} + {{- end }} \ No newline at end of file diff --git a/charts/agent-stack/values.yaml b/charts/agent-stack/values.yaml new file mode 100644 index 000000000..7c642da28 --- /dev/null +++ b/charts/agent-stack/values.yaml 
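Review bot: `password: "{{ .Values.agent.helmValues.postgres.password }}"` embeds the Postgres password in clear text in the Argo `Application` spec, where anyone who can read Applications through the Argo UI/API or the Kubernetes object sees it, while the same credential is already meant to live in the Secret named by `agentPostgres.postgresUserSecretName`, and the RabbitMQ stanza right below correctly passes `passwordSecret` instead; if the downstream trefx-agent chart accepts a secret reference for `externalPostgres`, use it, otherwise have it take the secret name and key the way `rabbitmq.passwordSecret` does (I cannot see that chart from here). The two copies can also drift, since nothing ties `postgres.password` to the contents of that Secret. `host: "http://rabbitmq"` carries a URL scheme on a key named as a host; confirm the consumer expects a URL rather than a hostname.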
@@ -0,0 +1,197 @@ +global: + argo: + destinationServer: https://kubernetes.default.svc + project: default + network: + certificate: + clusterIssuer: "ca-issuer" + ingress: + className: "nginx" + host: "trefx.serp.ac.uk" + oidc: + # this is the keycloak used to log into the egress minio + authority: "" + +hasura: + enabled: true + repoUrl: 'https://hasura.github.io/helm-charts' + chart: hasura-enterprise-stack + chartVersion: 0.7.0 + + helmValues: + global: + connector: + graphql: + enabled: true + + graphql-engine: + postgres: + enabled: true + + service: + type: ClusterIP + + config: + metadataOnly: false + authHook: "http://trefx-agent-tre-api:81/api/HasuraAuthentication" + enabledLogTypes: "startup, http-log, webhook-log, websocket-log, query-log" + +seq: + enabled: true + repoUrl: 'https://helm.datalust.co' + chart: seq + chartVersion: 2024.1.1 + helmValues: {} + +minio: + enabled: true + repoUrl: 'https://operator.min.io/' + chart: tenant + chartVersion: "5.0.13" + + # set the name of the secret with the minio config in agent.helmValues.egress.config.minio.authSecret.name + # configSecretName: "minio-env-config" + + tenantName: "trefx-agent" + firstPool: + servers: 4 + volumesPerServer: 1 + size: 10Gi + # storageClassName: directpv-min-io-tier2 + # storageTierNodeLabel: "2" + + extraPools: [] + # - servers: 2 + # volumesPerServer: 1 + # size: 1000Gi + # storageClassName: directpv-min-io-tier9 + # storageTierNodeLabel: "woo" + + ingress: + enabled: true + +agentPostgres: + enabled: true + instances: 1 + version: "16.1" + size: 10Gi + storageClassName: ceph-block + postgresUserSecretName: agent-postgres-secret + +rabbitmq: + enabled: true + storageClassName: ceph-block + storageSize: 5Gi + +agent: + repoUrl: 'harbor.ukserp.ac.uk/dare-trefx/chart' + chart: "trefx-agent" + chartVersion: "0.0.0-pr.849" + containerVersion: "pr-849" + helmValues: + egress: + config: + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "egress-keycloak-client" + idKey: 
"clientId" + secretKey: "clientSecret" + validAudiences: "Data-Egress-UI,Data-Egress-API" + minio: + url: "http://minio" + authSecret: + name: "minio-env-config" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "outbucket" + adminConsole: "https://minio.trefx.serp.ac.uk" + + ui: + # TODO find a nice way of letting them specify ui image and tag + ingress: + enabled: true + host: "" + + service: + type: ClusterIP + port: 80 + + tre: + config: + name: "MYTRE" + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "tre-keycloak-client" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "Dare-TRE-API,Dare-TRE-UI" + + # this is a separate minio to the one deployed alongside the agent? + minio: + url: "http://minio" + authSecret: + name: "minio-env-config" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "outbucket" + adminConsole: "" + + agent: + tesk: + apiUrl: "http://tesk-api.tesk.svc.cluster.local:8080/ga4gh/tes/v1/tasks" + hasura: + externalAddress: "http://hasura-graphql-engine.trefx.svc.cluster.local:8080" + internalAddress: "http://hasura-graphql-engine:8080" + adminPassword: "" + + ui: + # TODO find a nice way of letting them specify ui image and tag + ingress: + enabled: true + host: "" + + service: + type: ClusterIP + port: 80 + + submission: + config: + apiUrl: "" + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "submission-keycloak-client" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "Dare-Control-UI,Dare-Control-API,Dare-Control-Minio" + + minio: + url: "http://minio" + authSecret: + name: "minio-env-config" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "outbuc" + adminConsole: "" + + postgres: + password: "my-temp-pg-pass" + + rabbitmq: + username: "myuser" + passwordSecret: + name: "rabbitmqauth" + key: "password" + + resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 0.5m + memory: 1Gi \ No newline at end of file 
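Review bot: `requests.cpu: 0.5m` under `agent.helmValues.resources` is half a millicore, finer than the 1m granularity Kubernetes accepts, and almost certainly meant `500m` (half a core) to sit under the `1` CPU limit; change it to `cpu: 500m`. `postgres.password: "my-temp-pg-pass"` is a working default credential committed to the repo and rendered into the Argo Application spec by `trefx-agent.yaml`; default it to `""` (or leave it unset) so an install cannot silently run with the placeholder, and keep real values out of VCS. `agent.chartVersion: "0.0.0-pr.849"` and `containerVersion: "pr-849"` pin the default deployment to a pull-request build, which is unlikely to be what a release of this chart should ship. The open question `# this is a separate minio to the one deployed alongside the agent?` should be resolved before merging.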
diff --git a/charts/agent/.helmignore b/charts/agent/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/agent/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml new file mode 100644 index 000000000..918336ead --- /dev/null +++ b/charts/agent/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: trefx-agent +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.186.3" 
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl new file mode 100644 index 000000000..91dd688c3 --- /dev/null +++ b/charts/agent/templates/_helpers.tpl 
@@ -0,0 +1,381 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "agent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels - egress
+*/}}
+{{- define "agent.egressApiLabels" -}}
+helm.sh/chart: {{ include "agent.chart" . }}
+{{ include "agent.egressApiSelectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common labels - egress
+*/}}
+{{- define "agent.egressUiLabels" -}}
+helm.sh/chart: {{ include "agent.chart" . }}
+{{ include "agent.egressUiSelectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common labels - tre
+*/}}
+{{- define "agent.treApiLabels" -}}
+helm.sh/chart: {{ include "agent.chart" . }}
+{{ include "agent.treApiSelectorLabels" . 
}}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common labels - tre
+*/}}
+{{- define "agent.treUiLabels" -}}
+helm.sh/chart: {{ include "agent.chart" . }}
+{{ include "agent.treUiSelectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Egress selector labels
+*/}}
+{{- define "agent.egressApiSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "agent.name" . }}-egress-api
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Egress selector labels
+*/}}
+{{- define "agent.egressUiSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "agent.name" . }}-egress-ui
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Tre selector labels
+*/}}
+{{- define "agent.treApiSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "agent.name" . }}-tre-api
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Tre selector labels
+*/}}
+{{- define "agent.treUiSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "agent.name" . }}-tre-ui
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the egress service account to use
+*/}}
+{{- define "agent.egressServiceAccountName" -}}
+{{- if .Values.egress.serviceAccount.create }}
+{{- default (include "agent.fullname" .) .Values.egress.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.egress.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the tre service account to use
+*/}}
+{{- define "agent.treServiceAccountName" -}}
+{{- if .Values.tre.serviceAccount.create }}
+{{- default (include "agent.fullname" .) 
.Values.tre.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.tre.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create env var settings that are common to all containers
+*/}}
+{{- define "agent.commonEnvVars" -}}
+{{- if .Values.seq.enabled }}
+- name: Serilog__SeqServerUrl
+ value: "{{ .Values.seq.url }}"
+{{- end }}
+- name: DataEgressAPISettings__Address
+ value: "http://{{ include "agent.fullname" . }}-egress-api:{{ .Values.egress.api.service.port }}"
+- name: RabbitMQ__HostAddress
+ value: "{{ .Values.rabbitmq.host }}"
+- name: RabbitMQ__Username
+ value: "{{ .Values.rabbitmq.username }}"
+- name: RabbitMQ__Password
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.rabbitmq.passwordSecret.name }}
+ key: {{ .Values.rabbitmq.passwordSecret.key }}
+{{- end }}
+
+{{/*
+Create the common data egress Keycloak settings
+*/}}
+{{- define "agent.egressKeycloakSettings" -}}
+- name: DataEgressKeyCloakSettings__Authority
+ value: "{{ .Values.egress.config.keycloak.baseUrl}}/realms/{{ .Values.egress.config.keycloak.realm }}"
+- name: DataEgressKeyCloakSettings__MetadataAddress
+ value: "{{ .Values.egress.config.keycloak.baseUrl}}/realms/{{ .Values.egress.config.keycloak.realm }}/.well-known/openid-configuration"
+- name: DataEgressKeyCloakSettings__BaseUrl
+ value: "{{ .Values.egress.config.keycloak.baseUrl}}/realms/{{ .Values.egress.config.keycloak.realm }}"
+- name: DataEgressKeyCloakSettings__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.egress.config.keycloak.clientAuthSecret.idKey }}
+- name: DataEgressKeyCloakSettings__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.egress.config.keycloak.clientAuthSecret.secretKey }}
+- name: DataEgressKeyCloakSettings__ValidAudiences
+ value: "{{ .Values.egress.config.keycloak.validAudiences }}"
+- name: DataEgressKeyCloakSettings__TokenExpiredAddress 
+{{- if .Values.egress.ui.ingress.enabled }}
+ value: "https://{{ .Values.egress.ui.ingress.host }}/Account/LoginAfterTokenExpired"
+{{- else }}
+ value: "{{ .Values.egress.config.keycloak.tokenExpiredAddress }}"
+{{- end }}
+- name: DataEgressKeyCloakSettings__UseRedirectURL
+ value: "{{ .Values.egress.config.keycloak.redirect.enabled }}"
+{{- if .Values.egress.config.keycloak.redirect.enabled }}
+- name: DataEgressKeyCloakSettings__RedirectURL
+ value: "{{ .Values.egress.config.keycloak.redirect.url }}"
+{{- end }}
+- name: DataEgressKeyCloakSettings__Proxy
+ value: "{{ .Values.egress.config.keycloak.proxy.enabled }}"
+{{- if .Values.egress.config.keycloak.proxy.enabled }}
+- name: DataEgressKeyCloakSettings__ProxyAddresURL
+ value: "{{ .Values.egress.config.keycloak.proxy.url }}"
+- name: DataEgressKeyCloakSettings__BypassProxy
+ value: "{{ .Values.egress.config.keycloak.proxy.bypass }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Create the common TRE Keycloak settings
+*/}}
+{{- define "agent.treKeycloakSettings" -}}
+- name: TreKeyCloakSettings__Authority
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}"
+- name: TreKeyCloakSettings__MetadataAddress
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}/.well-known/openid-configuration"
+- name: TreKeyCloakSettings__BaseUrl
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}"
+- name: TreKeyCloakSettings__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.tre.config.keycloak.clientAuthSecret.idKey }}
+- name: TreKeyCloakSettings__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.tre.config.keycloak.clientAuthSecret.secretKey }}
+- name: TreKeyCloakSettings__ValidAudiences
+ value: "{{ .Values.tre.config.keycloak.validAudiences }}"
+- name: 
TreKeyCloakSettings__TokenExpiredAddress
+{{- if .Values.tre.ui.ingress.enabled }}
+ value: "https://{{ .Values.tre.ui.ingress.host }}/Account/LoginAfterTokenExpired"
+{{- else }}
+ value: "{{ .Values.tre.config.keycloak.tokenExpiredAddress }}"
+{{- end }}
+- name: TreKeyCloakSettings__AccountManagementURL
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}/account"
+- name: TreKeyCloakSettings__UseRedirectURL
+ value: "{{ .Values.tre.config.keycloak.redirect.enabled }}"
+{{- if .Values.tre.config.keycloak.redirect.enabled }}
+- name: TreKeyCloakSettings__RedirectURL
+ value: "{{ .Values.tre.config.keycloak.redirect.url }}"
+{{- end }}
+- name: TreKeyCloakSettings__Proxy
+ value: "{{ .Values.tre.config.keycloak.proxy.enabled }}"
+{{- if .Values.tre.config.keycloak.proxy.enabled }}
+- name: TreKeyCloakSettings__ProxyAddresURL
+ value: "{{ .Values.tre.config.keycloak.proxy.url }}"
+- name: TreKeyCloakSettings__BypassProxy
+ value: "{{ .Values.tre.config.keycloak.proxy.bypass }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Create the common Submission Keycloak settings
+*/}}
+{{- define "agent.submissionKeycloakSettings" -}}
+- name: SubmissionKeyCloakSettings__Authority
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}"
+- name: SubmissionKeyCloakSettings__MetadataAddress
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}/.well-known/openid-configuration"
+- name: SubmissionKeyCloakSettings__BaseUrl
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}"
+- name: SubmissionKeyCloakSettings__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.submission.config.keycloak.clientAuthSecret.idKey }}
+- name: SubmissionKeyCloakSettings__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ 
.Values.submission.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.submission.config.keycloak.clientAuthSecret.secretKey }}
+- name: SubmissionKeyCloakSettings__ValidAudiences
+ value: "{{ .Values.submission.config.keycloak.validAudiences }}"
+- name: SubmissionKeyCloakSettings__TokenExpiredAddress
+ value: "{{ .Values.submission.config.keycloak.tokenExpiredAddress }}"
+- name: SubmissionKeyCloakSettings__AccountManagementURL
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}/account"
+- name: SubmissionKeyCloakSettings__UseRedirectURL
+ value: "{{ .Values.submission.config.keycloak.redirect.enabled }}"
+{{- if .Values.submission.config.keycloak.redirect.enabled }}
+- name: SubmissionKeyCloakSettings__RedirectURL
+ value: "{{ .Values.submission.config.keycloak.redirect.url }}"
+{{- end }}
+- name: SubmissionKeyCloakSettings__Proxy
+ value: "{{ .Values.submission.config.keycloak.proxy.enabled }}"
+{{- if .Values.submission.config.keycloak.proxy.enabled }}
+- name: SubmissionKeyCloakSettings__ProxyAddresURL
+ value: "{{ .Values.submission.config.keycloak.proxy.url }}"
+- name: SubmissionKeyCloakSettings__BypassProxy
+ value: "{{ .Values.submission.config.keycloak.proxy.bypass }}"
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the common Agent settings
+*/}}
+{{- define "agent.agentSettings" -}}
+- name: AgentSettings__UseTESK
+ value: "{{ .Values.tre.config.agent.tesk.enabled }}"
+{{- if .Values.tre.config.agent.tesk.enabled }}
+- name: AgentSettings__TESKAPIURL
+ value: "{{ .Values.tre.config.agent.tesk.apiUrl }}"
+- name: AgentSettings__TESKOutputBucketPrefix
+ value: "{{ .Values.tre.config.agent.tesk.outputBucketPrefix }}"
+{{- end }}
+- name: AgentSettings__UseHutch
+ value: "{{ .Values.tre.config.agent.hutch.enabled }}"
+{{- if .Values.tre.config.agent.hutch.enabled }}
+- name: Hutch__APIAddress
+ value: "{{ .Values.tre.config.agent.hutch.apiUrl }}"
+- name: Hutch__DbServer
+ value: "{{ 
.Values.tre.config.agent.hutch.database.host }}"
+- name: Hutch__DbName
+ value: "{{ .Values.tre.config.agent.hutch.database.name }}"
+- name: Hutch__DbPort
+ value: "{{ .Values.tre.config.agent.hutch.database.port }}"
+- name: IgnoreHutchSSL
+ value: "{{ .Values.tre.config.agent.hutch.ignoreSsl }}"
+{{- end }}
+- name: AgentSettings__UseRabbit
+ value: "{{ .Values.tre.config.agent.rabbit.enabled }}"
+- name: AgentSettings__URLHasuraToAdd
+ value: "{{ .Values.tre.config.agent.hasura.externalAddress }}"
+- name: AgentSettings__ImageNameToAddToToken
+ value: "{{ .Values.tre.config.agent.image }}"
+- name: AgentSettings__Proxy
+ value: "{{ .Values.tre.config.agent.proxy.enabled }}"
+{{- if .Values.tre.config.agent.proxy.enabled }}
+- name: AgentSettings__ProxyAddresURL
+ value: "{{ .Values.tre.config.agent.proxy.url }}"
+{{- end }}
+- name: HasuraSettings__HasuraURL
+ value: "{{ .Values.tre.config.agent.hasura.internalAddress }}"
+- name: HasuraSettings__HasuraAdminSecret
+ value: "{{ .Values.tre.config.agent.hasura.adminPassword }}"
+{{- end }}
+
+{{/*
+Create TRE minio settings
+*/}}
+{{- define "agent.treMinioSettings" -}}
+- name: MinioTRESettings__Url
+ value: "{{ .Values.tre.config.minio.url }}"
+- name: MinioTRESettings__AccessKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.minio.authSecret.name }}
+ key: {{ .Values.tre.config.minio.authSecret.accessKeyRef }}
+- name: MinioTRESettings__SecretKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.minio.authSecret.name }}
+ key: {{ .Values.tre.config.minio.authSecret.secretKeyRef }}
+- name: MinioTRESettings__BucketName
+ value: "{{ .Values.tre.config.minio.bucketName }}"
+- name: MinioTRESettings__AdminConsole
+ value: "{{ .Values.tre.config.minio.adminConsole }}"
+- name: MinioTRESettings__HutchURLOverride
+ value: "{{ .Values.tre.config.agent.hutch.minioUrlOverride }}"
+- name: MinioTRESettings__AWSRegion
+ value: "us-east-1"
+{{- end }}
+
+{{/*
+Create submission minio settings
+*/}}
+{{- define "agent.submissionMinioSettings" -}}
+- name: MinioSubSettings__Url
+ value: "{{ .Values.submission.config.minio.url }}"
+- name: MinioSubSettings__AccessKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.minio.authSecret.name }}
+ key: {{ .Values.submission.config.minio.authSecret.accessKeyRef }}
+- name: MinioSubSettings__SecretKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.minio.authSecret.name }}
+ key: {{ .Values.submission.config.minio.authSecret.secretKeyRef }}
+- name: MinioSubSettings__BucketName
+ value: "{{ .Values.submission.config.minio.bucketName }}"
+- name: MinioSubSettings__AdminConsole
+ value: "{{ .Values.submission.config.minio.adminConsole }}"
+- name: MinioSubSettings__AWSRegion
+ value: "us-east-1"
+{{- end }}
\ No newline at end of file
diff --git a/charts/agent/templates/egress/api/deployment.yaml b/charts/agent/templates/egress/api/deployment.yaml
new file mode 100644
index 000000000..5fcd0f1f3
--- /dev/null
+++ b/charts/agent/templates/egress/api/deployment.yaml
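Review bot: In `agent.agentSettings`, `HasuraSettings__HasuraAdminSecret` is rendered as a plain `value: "{{ .Values.tre.config.agent.hasura.adminPassword }}"`, so the Hasura admin secret is stored in the chart values, in the Helm release record and in the rendered Deployment spec, while every other credential in this file (RabbitMQ password, the three Keycloak client secrets, the MinIO keys) is pulled from a Secret via `secretKeyRef`. Reading it the same way keeps the admin secret out of `helm get values` and out of anything that can read Deployment objects; the values keys below are illustrative and would need to be added to values.yaml alongside the existing `*.authSecret`/`passwordSecret` entries. The same inconsistency is worth a look for `Hutch__DbServer`/`Hutch__DbPort` if Hutch credentials are ever added there.
```yaml
- name: HasuraSettings__HasuraAdminSecret
  valueFrom:
    secretKeyRef:
      name: {{ .Values.tre.config.agent.hasura.adminSecret.name }}  # illustrative values key
      key: {{ .Values.tre.config.agent.hasura.adminSecret.key }}    # illustrative values key
# … unchanged: remaining HasuraSettings / MinIO helpers …
```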
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-api
+ labels:
+ {{- include "agent.egressApiLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.egressApiSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.egressApiSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.egressServiceAccountName" . }}-egress
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: egress-api
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.egress.api.image.repository }}:{{ .Values.egress.api.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.egress.api.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.treKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.submissionKeycloakSettings" . 
| nindent 12 }}
+ - name: ConnectionStrings__DefaultConnection
+ value: "Server={{ .Values.externalPostgres.host }};Port={{ .Values.externalPostgres.port }};Database=DATA-Egress;Include Error Detail=true;User Id={{ .Values.externalPostgres.username }};Password={{ .Values.externalPostgres.password }};"
+ - name: MinioSettings__Url
+ value: "{{ .Values.egress.config.minio.url }}"
+ - name: MinioSettings__AccessKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.minio.authSecret.name }}
+ key: {{ .Values.egress.config.minio.authSecret.accessKeyRef }}
+ - name: MinioSettings__SecretKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.minio.authSecret.name }}
+ key: {{ .Values.egress.config.minio.authSecret.secretKeyRef }}
+ - name: MinioSettings__BucketName
+ value: "{{ .Values.egress.config.minio.bucketName }}"
+ - name: MinioSettings__AdminConsole
+ value: "{{ .Values.egress.config.minio.adminConsole }}"
+ - name: TreAPISettings__Address
+ value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/agent/templates/egress/api/ingress.yaml b/charts/agent/templates/egress/api/ingress.yaml
new file mode 100644
index 000000000..048a185a6
--- /dev/null
+++ b/charts/agent/templates/egress/api/ingress.yaml
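Review bot: `ConnectionStrings__DefaultConnection` interpolates `.Values.externalPostgres.password` straight into a plain `value:`, so the database password lands in the chart values, the Helm release history and the Deployment object itself (readable by anyone with `get deployments`), while the MinIO keys a few lines below are correctly read via `secretKeyRef`. Because the string is assembled inline and a .NET connection string cannot reference a separate env var, the practical fix is to keep the whole connection string in a Secret and reference it; the values keys below are illustrative and would need adding to values.yaml. The tre-api deployment (`Database=DARE-Control`) has the identical construct and should change with it. Note too that `Include Error Detail=true` makes Npgsql surface query text and parameter values in exceptions, which is a debugging setting rather than a production default.
```yaml
- name: ConnectionStrings__DefaultConnection
  valueFrom:
    secretKeyRef:
      name: {{ .Values.externalPostgres.connectionStringSecret.name }}  # illustrative values key
      key: {{ .Values.externalPostgres.connectionStringSecret.key }}    # illustrative values key
# … unchanged: MinioSettings and TreAPISettings env entries …
```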
@@ -0,0 +1,76 @@
+{{- if .Values.egress.api.ingress.enabled -}}
+{{- $fullName := include "agent.fullname" . -}}
+{{- $svcPort := .Values.egress.api.service.port -}}
+{{- if and .Values.egress.api.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.egress.api.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.egress.api.ingress.annotations "kubernetes.io/ingress.class" .Values.egress.api.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-api
+ labels:
+ {{- include "agent.egressApiLabels" . | nindent 4 }}
+ {{- with .Values.egress.api.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.egress.api.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.egress.api.ingress.className }}
+ {{- end }}
+ {{- if .Values.egress.api.ingress.tls }}
+ tls:
+ {{- range .Values.egress.api.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . 
| quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.egress.api.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-api
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-api
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - host: {{ .Values.egress.api.ingress.host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-api
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-api
+ servicePort: {{ $svcPort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/egress/api/service.yaml b/charts/agent/templates/egress/api/service.yaml
new file mode 100644
index 000000000..e5ba5fb60
--- /dev/null
+++ b/charts/agent/templates/egress/api/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-api
+ labels:
+ {{- include "agent.egressApiLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.egress.api.service.type }}
+ ports:
+ - port: {{ .Values.egress.api.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "agent.egressApiSelectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/agent/templates/egress/serviceaccount.yaml b/charts/agent/templates/egress/serviceaccount.yaml
new file mode 100644
index 000000000..f2c0bec01
--- /dev/null
+++ b/charts/agent/templates/egress/serviceaccount.yaml
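Review bot: The trailing rule `- host: {{ .Values.egress.api.ingress.host }}` is emitted unconditionally and without `| quote`, so whenever `egress.api.ingress.host` is unset (the `hosts:` list above is the scaffold's normal way of configuring this) it renders as an empty `host:`, which Kubernetes treats as a wildcard rule — the egress API becomes reachable under every hostname the ingress controller serves, and outside the `tls:` hosts that were listed. Wrap that whole rule, down to its closing `{{- end }}`, in `{{- with .Values.egress.api.ingress.host }} … {{- end }}` and render it as `- host: {{ . | quote }}`, or drop it and rely on the `hosts:` loop; either way the host should also appear under `tls:` or it is served plain HTTP. The same trailing rule is in charts/agent/templates/egress/ui/ingress.yaml and charts/agent/templates/tre/api/ingress.yaml.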
@@ -0,0 +1,12 @@
+{{- if .Values.egress.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "agent.egressServiceAccountName" . }}-egress
+ labels:
+ {{- include "agent.egressUiLabels" . | nindent 4 }}
+ {{- with .Values.egress.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/egress/ui/deployment.yaml b/charts/agent/templates/egress/ui/deployment.yaml
new file mode 100644
index 000000000..f24e79950
--- /dev/null
+++ b/charts/agent/templates/egress/ui/deployment.yaml
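Review bot: The `-egress` suffix on `name: {{ include "agent.egressServiceAccountName" . }}-egress` only works when this template actually renders; with `egress.serviceAccount.create: false` the helper in _helpers.tpl returns `default "default" .Values.egress.serviceAccount.name`, yet both egress deployments still append `-egress`, so pods reference `default-egress` (or `<existing-sa>-egress`), which nothing creates, and the ReplicaSet cannot create pods. Move the suffix into the helper's `create` branch, e.g. `{{- printf "%s-egress" (default (include "agent.fullname" .) .Values.egress.serviceAccount.name) }}`, and drop `-egress` from the two `serviceAccountName:` lines so the no-create path uses the configured account verbatim. Separately, this account is shared by egress-api and egress-ui but is labelled with `agent.egressUiLabels`, which carries the egress-ui selector labels; a shared account would be better labelled with the common chart labels only. charts/agent/templates/tre/serviceaccount.yaml has the same two issues with `-tre` and `agent.treUiLabels`.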
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-ui
+ labels:
+ {{- include "agent.egressUiLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.egressUiSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.egressUiSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.egressServiceAccountName" . }}-egress
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: egress-ui
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.egress.ui.image.repository }}:{{ .Values.egress.ui.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.egress.ui.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ - name: sslcookies
+ value: "{{ .Values.egress.config.useSslCookies }}"
+ - name: httpsRedirect
+ value: "{{ .Values.egress.config.httpsRedirect }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/agent/templates/egress/ui/ingress.yaml b/charts/agent/templates/egress/ui/ingress.yaml
new file mode 100644
index 000000000..7b86239bf
--- /dev/null
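Review bot: The egress-ui container includes `agent.commonEnvVars`, which (per _helpers.tpl) injects `RabbitMQ__HostAddress`, `RabbitMQ__Username` and `RabbitMQ__Password` via `secretKeyRef`, so the UI pod is granted the broker credential Secret whether or not it ever talks to RabbitMQ; I cannot tell from the chart whether the UI consumes the broker, so confirm against the application, and if it does not, split the helper so the RabbitMQ block is included only by the API deployments — the same applies to tre-ui in charts/agent/templates/tre/ui/deployment.yaml. Also the `livenessProbe`/`readinessProbe` stanzas are commented out here and in the other three deployments, so a hung or half-started container stays in the Service endpoints with nothing to restart it; if `/` is not an acceptable probe path, a dedicated health endpoint is worth wiring before enabling them. The comment `# port: http` here matches the declared port name, but the API deployments' commented probes say `http-api`, which is not a declared port and would fail if uncommented as-is.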
+++ b/charts/agent/templates/egress/ui/ingress.yaml 
@@ -0,0 +1,76 @@
+{{- if .Values.egress.ui.ingress.enabled -}}
+{{- $fullName := include "agent.fullname" . -}}
+{{- $svcPort := .Values.egress.ui.service.port -}}
+{{- if and .Values.egress.ui.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.egress.ui.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.egress.ui.ingress.annotations "kubernetes.io/ingress.class" .Values.egress.ui.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-ui
+ labels:
+ {{- include "agent.egressUiLabels" . | nindent 4 }}
+ {{- with .Values.egress.ui.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.egress.ui.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.egress.ui.ingress.className }}
+ {{- end }}
+ {{- if .Values.egress.ui.ingress.tls }}
+ tls:
+ {{- range .Values.egress.ui.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . 
| quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.egress.ui.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-ui
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-ui
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - host: {{ .Values.egress.ui.ingress.host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-ui
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-ui
+ servicePort: {{ $svcPort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/egress/ui/service.yaml b/charts/agent/templates/egress/ui/service.yaml
new file mode 100644
index 000000000..47eaa6805
--- /dev/null
+++ b/charts/agent/templates/egress/ui/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-ui
+ labels:
+ {{- include "agent.egressUiLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.egress.ui.service.type }}
+ ports:
+ - port: {{ .Values.egress.ui.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "agent.egressUiSelectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/agent/templates/tre/api/deployment.yaml b/charts/agent/templates/tre/api/deployment.yaml
new file mode 100644
index 000000000..69cb64425
--- /dev/null
+++ b/charts/agent/templates/tre/api/deployment.yaml
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-tre-api
+ labels:
+ {{- include "agent.treApiLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.treApiSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.treApiSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.treServiceAccountName" . }}-tre
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: tre-api
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.tre.api.image.repository }}:{{ .Values.tre.api.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.tre.api.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.treKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.submissionKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.agentSettings" . | nindent 12 }}
+ {{- include "agent.treMinioSettings" . | nindent 12 }}
+ {{- include "agent.submissionMinioSettings" . 
| nindent 12 }}
+ - name: ConnectionStrings__DefaultConnection
+ value: "Server={{ .Values.externalPostgres.host }};Port={{ .Values.externalPostgres.port }};Database=DARE-Control;Include Error Detail=true;User Id={{ .Values.externalPostgres.username }};Password={{ .Values.externalPostgres.password }};"
+ - name: DareAPISettings__Address
+ value: "{{ .Values.submission.config.apiUrl }}"
+ - name: EnableExternalHangfire
+ value: "{{ .Values.tre.config.externalHangfire }}"
+ - name: TreName
+ value: "{{ .Values.tre.config.name }}"
+ - name: JobSettings__scanSchedule
+ value: "{{ .Values.tre.config.job.schedule.scan }}"
+ - name: JobSettings__syncSchedule
+ value: "{{ .Values.tre.config.job.schedule.sync }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/agent/templates/tre/api/ingress.yaml b/charts/agent/templates/tre/api/ingress.yaml
new file mode 100644
index 000000000..2c675e69e
--- /dev/null
+++ b/charts/agent/templates/tre/api/ingress.yaml
@@ -0,0 +1,76 @@
+{{- if .Values.tre.api.ingress.enabled -}}
+{{- $fullName := include "agent.fullname" . -}}
+{{- $svcPort := .Values.tre.api.service.port -}}
+{{- if and .Values.tre.api.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.tre.api.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.tre.api.ingress.annotations "kubernetes.io/ingress.class" .Values.tre.api.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-api
+ labels:
+ {{- include "agent.treApiLabels" . | nindent 4 }}
+ {{- with .Values.tre.api.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.tre.api.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.tre.api.ingress.className }}
+ {{- end }}
+ {{- if .Values.tre.api.ingress.tls }}
+ tls:
+ {{- range .Values.tre.api.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . 
| quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.tre.api.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-tre-api
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-tre-api
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - host: {{ .Values.tre.api.ingress.host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-tre-api
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-tre-api
+ servicePort: {{ $svcPort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/tre/api/service.yaml b/charts/agent/templates/tre/api/service.yaml
new file mode 100644
index 000000000..8d02ed3e1
--- /dev/null
+++ b/charts/agent/templates/tre/api/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "agent.fullname" . }}-tre-api
+ labels:
+ {{- include "agent.treApiLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.tre.api.service.type }}
+ ports:
+ - port: {{ .Values.tre.api.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "agent.treApiSelectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/agent/templates/tre/serviceaccount.yaml b/charts/agent/templates/tre/serviceaccount.yaml
new file mode 100644
index 000000000..483574320
--- /dev/null
+++ b/charts/agent/templates/tre/serviceaccount.yaml
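Review bot: This Ingress is named `{{ $fullName }}-api`, which is exactly the name charts/agent/templates/egress/api/ingress.yaml uses for the egress API Ingress; with both `tre.api.ingress.enabled` and `egress.api.ingress.enabled` set, the chart renders two Ingress objects with the same name in one release and the install fails (or, rendered separately, the second silently replaces the first and its host rules). Name them after the Services they front — `name: {{ $fullName }}-tre-api` here and `name: {{ $fullName }}-egress-api` in the egress template — which also keeps the egress UI Ingress's `{{ $fullName }}-ui` from colliding with any TRE UI ingress added later (not visible in this diff, so that part is presumed).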
@@ -0,0 +1,12 @@ +{{- if .Values.tre.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "agent.treServiceAccountName" . }}-tre + labels: + {{- include "agent.treUiLabels" . | nindent 4 }} + {{- with .Values.tre.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/agent/templates/tre/ui/deployment.yaml b/charts/agent/templates/tre/ui/deployment.yaml new file mode 100644 index 000000000..956ea7b4d --- /dev/null +++ b/charts/agent/templates/tre/ui/deployment.yaml 
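Review bot: The ServiceAccount does not set `automountServiceAccountToken: false`, and the TRE UI Deployment in this diff that uses it (`serviceAccountName: ...-tre`) does not disable the mount at pod level either, so every tre pod gets a Kubernetes API token projected into it. No Role or RoleBinding for that account is visible in this diff, so the token appears unused and is only attack surface if a container is compromised; adding `automountServiceAccountToken: false` at the same indent as `metadata:` removes it, and a `serviceAccount.automount` value would keep it overridable. The labels also come from `agent.treUiLabels` although the account is named `-tre` and shared, which deserves a comment if intentional.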
@@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "agent.fullname" . }}-tre-ui + labels: + {{- include "agent.treUiLabels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "agent.treUiSelectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "agent.treUiSelectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "agent.treServiceAccountName" . }}-tre + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: tre-ui + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.tre.ui.image.repository }}:{{ .Values.tre.ui.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.tre.ui.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + # livenessProbe: + # httpGet: + # path: / + # port: http + # readinessProbe: + # httpGet: + # path: / + # port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + env: + {{- include "agent.commonEnvVars" . | nindent 12 }} + {{- include "agent.treKeycloakSettings" . | nindent 12 }} + - name: sslcookies + value: "{{ .Values.tre.config.useSslCookies }}" + - name: httpsRedirect + value: "{{ .Values.tre.config.httpsRedirect }}" + - name: TreAPISettings__Address + value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
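Review bot: The container declares `containerPort: 80` while the chart's default `securityContext` in this diff runs it as UID 1000 with `capabilities.drop: [ALL]`, so binding a port below 1024 will fail on nodes that have not lowered `net.ipv4.ip_unprivileged_port_start`, and with both probes commented out such a pod would still be marked Ready and receive traffic. Either listen on an unprivileged port (for an ASP.NET image, `ASPNETCORE_HTTP_PORTS=8080` or `ASPNETCORE_URLS` plus `containerPort: 8080`, leaving the Service's `targetPort: http` as is) or at least restore the `readinessProbe`/`livenessProbe` so the failure surfaces. With `readOnlyRootFilesystem: true` the runtime presumably also needs a writable `/tmp` (an `emptyDir` mount) — confirm against the image. The UI reaches the API over plain `http://` in-cluster via `TreAPISettings__Address`; that is acceptable inside the cluster but worth a comment, since `httpsRedirect` and `sslcookies` also default to false.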
diff --git a/charts/agent/templates/tre/ui/ingress.yaml b/charts/agent/templates/tre/ui/ingress.yaml new file mode 100644 index 000000000..ef5f9807c --- /dev/null +++ b/charts/agent/templates/tre/ui/ingress.yaml 
@@ -0,0 +1,76 @@ +{{- if .Values.tre.ui.ingress.enabled -}} +{{- $fullName := include "agent.fullname" . -}} +{{- $svcPort := .Values.tre.ui.service.port -}} +{{- if and .Values.tre.ui.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.tre.ui.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.tre.ui.ingress.annotations "kubernetes.io/ingress.class" .Values.tre.ui.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-ui + labels: + {{- include "agent.treLabels" . | nindent 4 }} + {{- with .Values.tre.ui.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.tre.ui.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.tre.ui.ingress.className }} + {{- end }} + {{- if .Values.tre.ui.ingress.tls }} + tls: + {{- range .Values.tre.ui.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . 
| quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.tre.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-tre-ui + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }}-tre-ui + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} + - host: {{ .Values.tre.ui.ingress.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-tre-ui + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }}-tre-ui + servicePort: {{ $svcPort }} + {{- end }} +{{- end }} diff --git a/charts/agent/templates/tre/ui/service.yaml b/charts/agent/templates/tre/ui/service.yaml new file mode 100644 index 000000000..773de22c4 --- /dev/null +++ b/charts/agent/templates/tre/ui/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-tre-ui + labels: + {{- include "agent.treUiLabels" . | nindent 4 }} +spec: + type: {{ .Values.tre.ui.service.type }} + ports: + - port: {{ .Values.tre.ui.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "agent.treUiSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml new file mode 100644 index 000000000..2361a14cd --- /dev/null +++ b/charts/agent/values.yaml 
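Review bot: As in the API ingress, the final rule `- host: {{ .Values.tre.ui.ingress.host }}` is unconditional and unquoted, so the chart default `host: ""` produces a host-less rule that matches every hostname the controller serves; guard it with `{{- with .Values.tre.ui.ingress.host }}` / `- host: {{ . | quote }}` / `{{- end }}`. On style, `metadata.labels` here uses `agent.treLabels` whereas the matching Service in this diff uses `agent.treUiLabels`; using the UI-specific helper keeps the Ingress and Service selectable together.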
@@ -0,0 +1,288 @@ +# Default values for agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +egress: + api: + image: + repository: harbor.ukserp.ac.uk/dare-trefx/control-egress-api + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + service: + type: ClusterIP + port: 81 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + ui: + image: + repository: harbor.ukserp.ac.uk/dare-trefx/control-egress-ui + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + config: + useSslCookies: false + httpsRedirect: false + # dataegressapisettings__address is just the internal service name of the egress api container + # treapisettings__address is just the internal service name of the tre api container + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "Data-Egress-UI,Data-Egress-API" + proxy: + enabled: false + url: "" + bypass: "" # needs to be the tre api and seq + # tokenExpiredAddress can be derived from the ingress host with /Account/LoginAfterTokenExpired, otherwise it needs to be set here + tokenExpiredAddress: "" + redirect: + enabled: false + url: "" + minio: + url: "" + authSecret: + name: "" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "" + adminConsole: "" + + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +tre: + config: + name: "MYTRE" + useSslCookies: false + httpsRedirect: false + externalHangfire: false + # dataegressapisettings__address is just the internal service name of the egress api container + # treapisettings__address is just the internal service name of the tre api container + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "" + proxy: + enabled: false + url: "" + bypass: "" # needs to be the tre api and seq + # tokenExpiredAddress can be derived from the ingress host with /Account/LoginAfterTokenExpired + # AccountManagementURL can be derived from baseurl/realm/account + tokenExpiredAddress: "" + redirect: + enabled: false + url: "" + + minio: + url: "" + authSecret: + name: "" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "" + adminConsole: "" + + agent: + image: "harbor.ukserp.ac.uk/dare-trefx/control-tre-hasura" + tesk: + enabled: true + apiUrl: "" + # Do not change me unless you know what you're doing! + outputBucketPrefix: "http://s3.foo.bar.baz/" + hutch: + enabled: false + ignoreSsl: true + minioUrlOverride: "" + apiUrl: "" + database: + host: "" + port: "" + name: "" + rabbit: + enabled: false + hasura: + externalAddress: "" + internalAddress: "" + adminPassword: "" + proxy: + enabled: false + url: "" + + job: + schedule: + scan: "1" + sync: "10" + + api: + image: + repository: harbor.ukserp.ac.uk/dare-trefx/control-tre-api + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "" + + service: + type: ClusterIP + port: 81 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + ui: + image: + repository: harbor.ukserp.ac.uk/dare-trefx/control-tre-ui + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +submission: + config: + apiUrl: "" + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "" + proxy: + enabled: false + url: "" + bypass: "" # needs to be the tre api and seq + # tokenExpiredAddress can be derived from the ingress host with /Account/LoginAfterTokenExpired + tokenExpiredAddress: "" + redirect: + enabled: false + url: "" + + minio: + url: "" + authSecret: + name: "" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "" + adminConsole: "" + + +externalPostgres: + enabled: true + host: "postgres" + port: "5432" + username: "pglogin" + password: "pgpass" + +rabbitmq: + host: "rabbitmq" + username: "guest" + passwordSecret: + name: "" + key: "password" + +seq: + enabled: false + url: "http://seq:5341" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +podAnnotations: {} + +podSecurityContext: + fsGroup: 2000 + +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a 
conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/src/DARE-API/Dockerfile b/src/DARE-API/Dockerfile index e2028255c..e11bd9f08 100644 --- a/src/DARE-API/Dockerfile +++ b/src/DARE-API/Dockerfile @@ -25,6 +25,7 @@ RUN dotnet publish "DARE-API.csproj" -c Release -o /app/publish /p:UseAppHost=fa FROM base AS final WORKDIR /app +ENV COMPlus_EnableDiagnostics=0 COPY --from=publish /app/publish . ENTRYPOINT ["dotnet", "DARE-API.dll"] diff --git a/src/DARE-FrontEnd/Dockerfile b/src/DARE-FrontEnd/Dockerfile index 18023c025..ffd6a3ffd 100644 --- a/src/DARE-FrontEnd/Dockerfile +++ b/src/DARE-FrontEnd/Dockerfile @@ -22,6 +22,7 @@ RUN dotnet publish "DARE-FrontEnd.csproj" -c Release -o /app/publish /p:UseAppHo FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "DARE-FrontEnd.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/Data-Egress-API/Dockerfile b/src/Data-Egress-API/Dockerfile index d3a48d4b4..65ec064fe 100644 --- a/src/Data-Egress-API/Dockerfile +++ b/src/Data-Egress-API/Dockerfile 
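Review bot: `externalPostgres` ships working defaults `username: "pglogin"` / `password: "pgpass"` as plain values, and `tre.agent.hasura.adminPassword: ""` is likewise a plain value, whereas `rabbitmq.passwordSecret` and the `keycloak.clientAuthSecret` entries reference a Kubernetes Secret by name and key. An install that forgets to override those fields silently runs with a guessable database password committed to git; the database entry should follow the rabbitmq shape, `passwordSecret:` / `name: ""` / `key: "password"`, with the literal `password` key dropped or defaulted to `""`. `tre.agent.hutch.ignoreSsl: true` also disables TLS verification by default, which should be `false` with an explicit opt-in. The comment `# Do not change me unless you know what you're doing!` above `outputBucketPrefix: "http://s3.foo.bar.baz/"` would help more if it said what depends on that placeholder value, since the values file is the only documentation most operators read.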
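Review bot: Unlike the Data-Egress-API Dockerfile in this same diff, this image still has no `USER` line and runs as root unless the chart's `runAsNonRoot`/`runAsUser` overrides it; the DARE-FrontEnd, TRE-API, TRE-UI, Tre-Hasura and Tre-SQL-PG Dockerfiles here share the gap. Adding the same `RUN useradd -r app_user` / `USER app_user` pair before the `COPY --from=publish` keeps the images safe when run outside the chart. `ENV COMPlus_EnableDiagnostics=0` is, as I understand it, a sensible hardening that disables the runtime's diagnostic IPC and dump facilities; on style, the runtime also accepts the newer `DOTNET_EnableDiagnostics=0` spelling, which is easier to grep for than the legacy `COMPlus_` prefix.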
@@ -21,10 +21,15 @@ RUN dotnet publish "Data-Egress-API.csproj" -c Release -o /app/publish /p:UseApp FROM base AS final WORKDIR /app -COPY --from=publish /app/publish . -ENTRYPOINT ["dotnet", "Data-Egress-API.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt - RUN chmod 644 /usr/local/share/ca-certificates/*.crt && \ - update-ca-certificates \ No newline at end of file + update-ca-certificates + +ENV APP_USER app_user +RUN useradd -r $APP_USER +USER $APP_USER +ENV COMPlus_EnableDiagnostics=0 + +COPY --from=publish /app/publish . +ENTRYPOINT ["dotnet", "Data-Egress-API.dll"] \ No newline at end of file diff --git a/src/Data-Egress-UI/Dockerfile b/src/Data-Egress-UI/Dockerfile index 14a607a07..a2602fabf 100644 --- a/src/Data-Egress-UI/Dockerfile +++ b/src/Data-Egress-UI/Dockerfile @@ -22,6 +22,7 @@ RUN dotnet publish "Data-Egress-UI.csproj" -c Release -o /app/publish /p:UseAppH FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "Data-Egress-UI.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/TRE-API/Dockerfile b/src/TRE-API/Dockerfile index 2654162e3..25b74db58 100644 --- a/src/TRE-API/Dockerfile +++ b/src/TRE-API/Dockerfile @@ -28,6 +28,7 @@ RUN dotnet publish "TRE-API.csproj" -c Release -o /app/publish /p:UseAppHost=fal FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "TRE-API.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/TRE-UI/Dockerfile b/src/TRE-UI/Dockerfile index 9b45ab9ee..da78a7973 100644 --- a/src/TRE-UI/Dockerfile +++ b/src/TRE-UI/Dockerfile 
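Review bot: `RUN useradd -r $APP_USER` lets useradd pick the next free system UID, so the UID baked into the image is not pinned and will not match the `runAsUser: 1000` that the chart's default `securityContext` in this diff applies; `RUN useradd -r -u 1000 -s /usr/sbin/nologin $APP_USER` makes the two agree and keeps the image reproducible. Copying the publish output after `USER` leaves `/app` root-owned and read-only to the application, which is the right direction but deserves a comment, e.g. `# publish output stays root-owned: app_user can read but not modify it`. `useradd -r` also creates no home directory; if the runtime needs to write under `$HOME` (presumably, confirm), set `ENV HOME=/tmp` or `DOTNET_CLI_HOME` to a writable path.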
@@ -28,6 +28,7 @@ RUN dotnet publish "TRE-UI.csproj" -c Release -o /app/publish /p:UseAppHost=fals FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "TRE-UI.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/Tre-Hasura/Dockerfile b/src/Tre-Hasura/Dockerfile index 1f4841b49..8ab12ab84 100644 --- a/src/Tre-Hasura/Dockerfile +++ b/src/Tre-Hasura/Dockerfile @@ -26,6 +26,7 @@ RUN dotnet publish "Tre-Hasura.csproj" -c Release -o /app/publish /p:UseAppHost= FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "Tre-Hasura.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/Tre-SQL-PG/Dockerfile b/src/Tre-SQL-PG/Dockerfile index 6abdc4f31..b79853246 100644 --- a/src/Tre-SQL-PG/Dockerfile +++ b/src/Tre-SQL-PG/Dockerfile @@ -17,4 +17,5 @@ RUN dotnet publish "Tre-SQL-PG.csproj" -c Release -o /app/publish /p:UseAppHost= FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "Tre-SQL-PG.dll"] \ No newline at end of file