From 7db407bda96bf45c4580a11acac73334487dd0e4 Mon Sep 17 00:00:00 2001 From: Alex Date: Tue, 8 Oct 2024 14:34:40 +0100 Subject: [PATCH 01/20] chore: add ds store to gitignore --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 0d6b282fb..efee72986 100644 --- a/.gitignore +++ b/.gitignore @@ -376,3 +376,6 @@ serp-forms-api/appsettings.Development.json serp-forms-api/appsettings.Development.json .idea + +.DS_Store +**/.DS_Store \ No newline at end of file From 45f105d80a407d64c664d1f2e438a6dc0bd48ab0 Mon Sep 17 00:00:00 2001 
From: Alex
Date: Tue, 8 Oct 2024 14:34:57 +0100
Subject: [PATCH 02/20] feat: add chart to deploy trefx agent
---
charts/agent/.helmignore | 23 ++
charts/agent/Chart.yaml | 24 ++
charts/agent/templates/_helpers.tpl | 341 ++++++++++++++++++
charts/agent/templates/egress/deployment.yaml | 110 ++++++
.../agent/templates/egress/ingress-api.yaml | 76 ++++
charts/agent/templates/egress/ingress-ui.yaml | 76 ++++
charts/agent/templates/egress/service.yaml | 33 ++
.../templates/egress/serviceaccount.yaml | 12 +
charts/agent/templates/tre/deployment.yaml | 108 ++++++
charts/agent/templates/tre/ingress-api.yaml | 76 ++++
charts/agent/templates/tre/ingress-ui.yaml | 76 ++++
charts/agent/templates/tre/service.yaml | 33 ++
.../agent/templates/tre/serviceaccount.yaml | 12 +
charts/agent/values.yaml | 288 +++++++++++++++
14 files changed, 1288 insertions(+)
create mode 100644 charts/agent/.helmignore
create mode 100644 charts/agent/Chart.yaml
create mode 100644 charts/agent/templates/_helpers.tpl
create mode 100644 charts/agent/templates/egress/deployment.yaml
create mode 100644 charts/agent/templates/egress/ingress-api.yaml
create mode 100644 charts/agent/templates/egress/ingress-ui.yaml
create mode 100644 charts/agent/templates/egress/service.yaml
create mode 100644 charts/agent/templates/egress/serviceaccount.yaml
create mode 100644 charts/agent/templates/tre/deployment.yaml
create mode 100644 charts/agent/templates/tre/ingress-api.yaml
create mode 100644 charts/agent/templates/tre/ingress-ui.yaml
create mode 100644 charts/agent/templates/tre/service.yaml
create mode 100644 charts/agent/templates/tre/serviceaccount.yaml
create mode 100644 charts/agent/values.yaml
diff --git a/charts/agent/.helmignore b/charts/agent/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/agent/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
new file mode 100644
index 000000000..918336ead
--- /dev/null
+++ b/charts/agent/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: trefx-agent
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.186.3"
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
new file mode 100644
index 000000000..7ec4c78b5
--- /dev/null
+++ b/charts/agent/templates/_helpers.tpl
@@ -0,0 +1,341 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "agent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels - egress
+*/}}
+{{- define "agent.egressLabels" -}}
+helm.sh/chart: {{ include "agent.chart" . }}
+{{ include "agent.egressSelectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common labels - tre
+*/}}
+{{- define "agent.treLabels" -}}
+helm.sh/chart: {{ include "agent.chart" . }}
+{{ include "agent.treSelectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Egress selector labels
+*/}}
+{{- define "agent.egressSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "agent.name" . }}-egress
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Tre selector labels
+*/}}
+{{- define "agent.treSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "agent.name" . }}-tre
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the egress service account to use
+*/}}
+{{- define "agent.egressServiceAccountName" -}}
+{{- if .Values.egress.serviceAccount.create }}
+{{- default (include "agent.fullname" .) .Values.egress.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.egress.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the tre service account to use
+*/}}
+{{- define "agent.treServiceAccountName" -}}
+{{- if .Values.tre.serviceAccount.create }}
+{{- default (include "agent.fullname" .) .Values.tre.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.tre.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create env var settings that are common to all containers
+*/}}
+{{- define "agent.commonEnvVars" -}}
+{{- if .Values.seq.enabled }}
+- name: Serilog__SeqServerUrl
+ value: "{{ .Values.seq.url }}"
+{{- end }}
+- name: DataEgressAPISettings__Address
+ value: "http://{{ include "agent.fullname" . }}-egress-api:{{ .Values.egress.api.service.port }}"
+- name: RabbitMQ__HostAddress
+ value: "{{ .Values.rabbitmq.host }}"
+- name: RabbitMQ__Username
+ value: "{{ .Values.rabbitmq.username }}"
+- name: RabbitMQ__Password
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.rabbitmq.passwordSecret.name }}
+ key: {{ .Values.rabbitmq.passwordSecret.key }}
+{{- end }}
+
+{{/*
+Create the common data egress Keycloak settings
+*/}}
+{{- define "agent.egressKeycloakSettings" -}}
+- name: DataEgressKeyCloakSettings__Authority
+ value: "{{ .Values.egress.config.keycloak.baseUrl}}/realms/{{ .Values.egress.config.keycloak.realm }}"
+- name: DataEgressKeyCloakSettings__MetadataAddress
+ value: "{{ .Values.egress.config.keycloak.baseUrl}}/realms/{{ .Values.egress.config.keycloak.realm }}/.well-known/openid-configuration"
+- name: DataEgressKeyCloakSettings__BaseUrl
+ value: "{{ .Values.egress.config.keycloak.baseUrl}}/realms/{{ .Values.egress.config.keycloak.realm }}"
+- name: DataEgressKeyCloakSettings__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.egress.config.keycloak.clientAuthSecret.idKey }}
+- name: DataEgressKeyCloakSettings__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.egress.config.keycloak.clientAuthSecret.secretKey }}
+- name: DataEgressKeyCloakSettings__ValidAudiences
+ value: "{{ .Values.egress.config.keycloak.validAudiences }}"
+- name: DataEgressKeyCloakSettings__TokenExpiredAddress
+{{- if .Values.egress.ui.ingress.enabled }}
+ value: "https://{{ .Values.egress.ui.ingress.host }}/Account/LoginAfterTokenExpired"
+{{- else }}
+ value: "{{ .Values.egress.config.keycloak.tokenExpiredAddress }}"
+{{- end }}
+- name: DataEgressKeyCloakSettings__UseRedirectURL
+ value: "{{ .Values.egress.config.keycloak.redirect.enabled }}"
+{{- if .Values.egress.config.keycloak.redirect.enabled }}
+- name: DataEgressKeyCloakSettings__RedirectURL
+ value: "{{ .Values.egress.config.keycloak.redirect.url }}"
+{{- end }}
+- name: DataEgressKeyCloakSettings__Proxy
+ value: "{{ .Values.egress.config.keycloak.proxy.enabled }}"
+{{- if .Values.egress.config.keycloak.proxy.enabled }}
+- name: DataEgressKeyCloakSettings__ProxyAddresURL
+ value: "{{ .Values.egress.config.keycloak.proxy.url }}"
+- name: DataEgressKeyCloakSettings__BypassProxy
+ value: "{{ .Values.egress.config.keycloak.proxy.bypass }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Create the common TRE Keycloak settings
+*/}}
+{{- define "agent.treKeycloakSettings" -}}
+- name: TreKeyCloakSettings__Authority
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}"
+- name: TreKeyCloakSettings__MetadataAddress
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}/.well-known/openid-configuration"
+- name: TreKeyCloakSettings__BaseUrl
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}"
+- name: TreKeyCloakSettings__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.tre.config.keycloak.clientAuthSecret.idKey }}
+- name: TreKeyCloakSettings__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.tre.config.keycloak.clientAuthSecret.secretKey }}
+- name: TreKeyCloakSettings__ValidAudiences
+ value: "{{ .Values.tre.config.keycloak.validAudiences }}"
+- name: TreKeyCloakSettings__TokenExpiredAddress
+{{- if .Values.tre.ui.ingress.enabled }}
+ value: "https://{{ .Values.tre.ui.ingress.host }}/Account/LoginAfterTokenExpired"
+{{- else }}
+ value: "{{ .Values.tre.config.keycloak.tokenExpiredAddress }}"
+{{- end }}
+- name: TreKeyCloakSettings__AccountManagementURL
+ value: "{{ .Values.tre.config.keycloak.baseUrl}}/realms/{{ .Values.tre.config.keycloak.realm }}/account"
+- name: TreKeyCloakSettings__UseRedirectURL
+ value: "{{ .Values.tre.config.keycloak.redirect.enabled }}"
+{{- if .Values.tre.config.keycloak.redirect.enabled }}
+- name: TreKeyCloakSettings__RedirectURL
+ value: "{{ .Values.tre.config.keycloak.redirect.url }}"
+{{- end }}
+- name: TreKeyCloakSettings__Proxy
+ value: "{{ .Values.tre.config.keycloak.proxy.enabled }}"
+{{- if .Values.tre.config.keycloak.proxy.enabled }}
+- name: TreKeyCloakSettings__ProxyAddresURL
+ value: "{{ .Values.tre.config.keycloak.proxy.url }}"
+- name: TreKeyCloakSettings__BypassProxy
+ value: "{{ .Values.tre.config.keycloak.proxy.bypass }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Create the common Submission Keycloak settings
+*/}}
+{{- define "agent.submissionKeycloakSettings" -}}
+- name: SubmissionKeyCloakSettings__Authority
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}"
+- name: SubmissionKeyCloakSettings__MetadataAddress
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}/.well-known/openid-configuration"
+- name: SubmissionKeyCloakSettings__BaseUrl
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}"
+- name: SubmissionKeyCloakSettings__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.submission.config.keycloak.clientAuthSecret.idKey }}
+- name: SubmissionKeyCloakSettings__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.keycloak.clientAuthSecret.name }}
+ key: {{ .Values.submission.config.keycloak.clientAuthSecret.secretKey }}
+- name: SubmissionKeyCloakSettings__ValidAudiences
+ value: "{{ .Values.submission.config.keycloak.validAudiences }}"
+- name: SubmissionKeyCloakSettings__TokenExpiredAddress
+ value: "{{ .Values.submission.config.keycloak.tokenExpiredAddress }}"
+- name: SubmissionKeyCloakSettings__AccountManagementURL
+ value: "{{ .Values.submission.config.keycloak.baseUrl}}/realms/{{ .Values.submission.config.keycloak.realm }}/account"
+- name: SubmissionKeyCloakSettings__UseRedirectURL
+ value: "{{ .Values.submission.config.keycloak.redirect.enabled }}"
+{{- if .Values.submission.config.keycloak.redirect.enabled }}
+- name: SubmissionKeyCloakSettings__RedirectURL
+ value: "{{ .Values.submission.config.keycloak.redirect.url }}"
+{{- end }}
+- name: SubmissionKeyCloakSettings__Proxy
+ value: "{{ .Values.submission.config.keycloak.proxy.enabled }}"
+{{- if .Values.submission.config.keycloak.proxy.enabled }}
+- name: SubmissionKeyCloakSettings__ProxyAddresURL
+ value: "{{ .Values.submission.config.keycloak.proxy.url }}"
+- name: SubmissionKeyCloakSettings__BypassProxy
+ value: "{{ .Values.submission.config.keycloak.proxy.bypass }}"
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the common Agent settings
+*/}}
+{{- define "agent.agentSettings" -}}
+- name: AgentSettings__UseTESK
+ value: "{{ .Values.tre.config.agent.tesk.enabled }}"
+{{- if .Values.tre.config.agent.tesk.enabled }}
+- name: AgentSettings__TESKAPIURL
+ value: "{{ .Values.tre.config.agent.tesk.apiUrl }}"
+- name: AgentSettings__TESKOutputBucketPrefix
+ value: "{{ .Values.tre.config.agent.tesk.outputBucketPrefix }}"
+{{- end }}
+- name: AgentSettings__UseHutch
+ value: "{{ .Values.tre.config.agent.hutch.enabled }}"
+{{- if .Values.tre.config.agent.hutch.enabled }}
+- name: Hutch__APIAddress
+ value: "{{ .Values.tre.config.agent.hutch.apiUrl }}"
+- name: Hutch__DbServer
+ value: "{{ .Values.tre.config.agent.hutch.database.host }}"
+- name: Hutch__DbName
+ value: "{{ .Values.tre.config.agent.hutch.database.name }}"
+- name: Hutch__DbPort
+ value: "{{ .Values.tre.config.agent.hutch.database.port }}"
+- name: IgnoreHutchSSL
+ value: "{{ .Values.tre.config.agent.hutch.ignoreSsl }}"
+{{- end }}
+- name: AgentSettings__UseRabbit
+ value: "{{ .Values.tre.config.agent.rabbit.enabled }}"
+- name: AgentSettings__URLHasuraToAdd
+ value: "{{ .Values.tre.config.agent.hasura.externalAddress }}"
+- name: AgentSettings__ImageNameToAddToToken
+ value: "{{ .Values.tre.config.agent.image }}"
+- name: AgentSettings__Proxy
+ value: "{{ .Values.tre.config.agent.proxy.enabled }}"
+{{- if .Values.tre.config.agent.proxy.enabled }}
+- name: AgentSettings__ProxyAddresURL
+ value: "{{ .Values.tre.config.agent.proxy.url }}"
+{{- end }}
+- name: HasuraSettings__HasuraURL
+ value: "{{ .Values.tre.config.agent.hasura.internalAddress }}"
+- name: HasuraSettings__HasuraAdminSecret
+ value: "{{ .Values.tre.config.agent.hasura.adminPassword }}"
+{{- end }}
+
+{{/*
+Create TRE minio settings
+*/}}
+{{- define "agent.treMinioSettings" -}}
+- name: MinioTRESettings__Url
+ value: "{{ .Values.tre.config.minio.url }}"
+- name: MinioTRESettings__AccessKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.minio.authSecret.name }}
+ key: {{ .Values.tre.config.minio.authSecret.accessKeyRef }}
+- name: MinioTRESettings__SecretKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tre.config.minio.authSecret.name }}
+ key: {{ .Values.tre.config.minio.authSecret.secretKeyRef }}
+- name: MinioTRESettings__BucketName
+ value: "{{ .Values.tre.config.minio.bucketName }}"
+- name: MinioTRESettings__AdminConsole
+ value: "{{ .Values.tre.config.minio.adminConsole }}"
+- name: MinioTRESettings__HutchURLOverride
+ value: "{{ .Values.tre.config.agent.hutch.minioUrlOverride }}"
+- name: MinioTRESettings__AWSRegion
+ value: "us-east-1"
+{{- end }}
+
+{{/*
+Create submission minio settings
+*/}}
+{{- define "agent.submissionMinioSettings" -}}
+- name: MinioSubSettings__Url
+ value: "{{ .Values.submission.config.minio.url }}"
+- name: MinioSubSettings__AccessKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.minio.authSecret.name }}
+ key: {{ .Values.submission.config.minio.authSecret.accessKeyRef }}
+- name: MinioSubSettings__SecretKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.submission.config.minio.authSecret.name }}
+ key: {{ .Values.submission.config.minio.authSecret.secretKeyRef }}
+- name: MinioSubSettings__BucketName
+ value: "{{ .Values.submission.config.minio.bucketName }}"
+- name: MinioSubSettings__AdminConsole
+ value: "{{ .Values.submission.config.minio.adminConsole }}"
+- name: MinioSubSettings__AWSRegion
+ value: "us-east-1"
+{{- end }}
\ No newline at end of file
diff --git a/charts/agent/templates/egress/deployment.yaml b/charts/agent/templates/egress/deployment.yaml
new file mode 100644
index 000000000..90b8b6f2e
--- /dev/null
+++ b/charts/agent/templates/egress/deployment.yaml
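Review bot: In `_helpers.tpl`, `agent.agentSettings` renders `HasuraSettings__HasuraAdminSecret` as a literal `value: "{{ .Values.tre.config.agent.hasura.adminPassword }}"`, so the Hasura admin secret is readable by anyone who can view the chart values or the rendered Deployment, while the RabbitMQ, Keycloak and MinIO credentials in the same file are read with `secretKeyRef`. Read it the same way, for example `valueFrom: {secretKeyRef: {name: <hasura-secret-name>, key: <hasura-secret-key>}}`, fed from a new values entry shaped like `rabbitmq.passwordSecret` (the names in angle brackets are placeholders). `IgnoreHutchSSL` carries no comment; judging by its name it switches off certificate checking for the Hutch connection, so a template comment such as `{{/* ignoreSsl: development only, keep false in production */}}` would help once the semantics are confirmed against the application.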
@@ -0,0 +1,110 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-egress
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.egressSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.egressSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.egressServiceAccountName" . }}-egress
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: egress-api
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.egress.api.image.repository }}:{{ .Values.egress.api.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.egress.api.image.pullPolicy }}
+ ports:
+ - name: http-api
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.treKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.submissionKeycloakSettings" . | nindent 12 }}
+ - name: ConnectionStrings__DefaultConnection
+ value: "Server={{ .Values.externalPostgres.host }};Port={{ .Values.externalPostgres.port }};Database=DATA-Egress;Include Error Detail=true;User Id={{ .Values.externalPostgres.username }};Password={{ .Values.externalPostgres.password }};"
+ - name: MinioSettings__Url
+ value: "{{ .Values.egress.config.minio.url }}"
+ - name: MinioSettings__AccessKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.minio.authSecret.name }}
+ key: {{ .Values.egress.config.minio.authSecret.accessKeyRef }}
+ - name: MinioSettings__SecretKey
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.egress.config.minio.authSecret.name }}
+ key: {{ .Values.egress.config.minio.authSecret.secretKeyRef }}
+ - name: MinioSettings__BucketName
+ value: "{{ .Values.egress.config.minio.bucketName }}"
+ - name: MinioSettings__AdminConsole
+ value: "{{ .Values.egress.config.minio.adminConsole }}"
+ - name: TreAPISettings__Address
+ value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}"
+ - name: egress-ui
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.egress.ui.image.repository }}:{{ .Values.egress.ui.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.egress.ui.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ - name: sslcookies
+ value: "{{ .Values.egress.config.useSslCookies }}"
+ - name: httpsRedirect
+ value: "{{ .Values.egress.config.httpsRedirect }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/agent/templates/egress/ingress-api.yaml b/charts/agent/templates/egress/ingress-api.yaml
new file mode 100644
index 000000000..be7d66320
--- /dev/null
+++ b/charts/agent/templates/egress/ingress-api.yaml
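Review bot: In `egress/deployment.yaml` the `ConnectionStrings__DefaultConnection` entry interpolates `.Values.externalPostgres.password` straight into a literal env `value`, so the database password is readable by anyone who can view the Deployment or the chart values; `tre/deployment.yaml` builds its connection string the same way. Supply the connection string (or at least the password) from a Secret, e.g. `valueFrom: {secretKeyRef: {name: <postgres-secret-name>, key: <connection-string-key>}}` (placeholder names). `Include Error Detail=true` is also fixed in the string; if the driver is Npgsql, that setting puts row data into exception messages, so it is better left off by default. Separately, `serviceAccountName: {{ include "agent.egressServiceAccountName" . }}-egress` resolves to `default-egress` when `egress.serviceAccount.create` is false and no name is set, an account none of these templates creates.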
@@ -0,0 +1,76 @@
+{{- if .Values.egress.api.ingress.enabled -}}
+{{- $fullName := include "agent.fullname" . -}}
+{{- $svcPort := .Values.egress.api.service.port -}}
+{{- if and .Values.egress.api.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.egress.api.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.egress.api.ingress.annotations "kubernetes.io/ingress.class" .Values.egress.api.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-api
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+ {{- with .Values.egress.api.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.egress.api.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.egress.api.ingress.className }}
+ {{- end }}
+ {{- if .Values.egress.api.ingress.tls }}
+ tls:
+ {{- range .Values.egress.api.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.egress.api.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-api
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-api
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - host: {{ .Values.egress.api.ingress.host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-api
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-api
+ servicePort: {{ $svcPort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/egress/ingress-ui.yaml b/charts/agent/templates/egress/ingress-ui.yaml
new file mode 100644
index 000000000..ba06121f5
--- /dev/null
+++ b/charts/agent/templates/egress/ingress-ui.yaml
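Review bot: The Ingress in `egress/ingress-api.yaml` is named `{{ $fullName }}-api`, and `tre/ingress-api.yaml` uses the identical `metadata.name`, so enabling both API ingresses in one release yields two objects with the same name in one namespace; `egress/ingress-ui.yaml` uses `{{ $fullName }}-ui`, which looks set up for the same clash with its tre counterpart (that hunk is not visible here). Name them after the component, e.g. `name: {{ $fullName }}-egress-api`, matching the backend service names. The final rule, `- host: {{ .Values.egress.api.ingress.host }}`, is emitted outside the `range`, unquoted, and with `pathType: Prefix` even on the API versions the template otherwise guards with `semverCompare`. The `tls:` block is optional while `_helpers.tpl` hard-codes `https://` for the UI host, so a template comment stating that TLS is expected whenever the ingress is enabled would be useful.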
@@ -0,0 +1,76 @@
+{{- if .Values.egress.ui.ingress.enabled -}}
+{{- $fullName := include "agent.fullname" . -}}
+{{- $svcPort := .Values.egress.ui.service.port -}}
+{{- if and .Values.egress.ui.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.egress.ui.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.egress.ui.ingress.annotations "kubernetes.io/ingress.class" .Values.egress.ui.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-ui
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+ {{- with .Values.egress.ui.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.egress.ui.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.egress.ui.ingress.className }}
+ {{- end }}
+ {{- if .Values.egress.ui.ingress.tls }}
+ tls:
+ {{- range .Values.egress.ui.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.egress.ui.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-ui
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-ui
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - host: {{ .Values.egress.ui.ingress.host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}-egress-ui
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}-egress-ui
+ servicePort: {{ $svcPort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/egress/service.yaml b/charts/agent/templates/egress/service.yaml
new file mode 100644
index 000000000..e3baa6ea4
--- /dev/null
+++ b/charts/agent/templates/egress/service.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-api
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.egress.api.service.type }}
+ ports:
+ - port: {{ .Values.egress.api.service.port }}
+ targetPort: http-api
+ protocol: TCP
+ name: http-api
+ selector:
+ {{- include "agent.egressSelectorLabels" . | nindent 4 }}
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-ui
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.egress.ui.service.type }}
+ ports:
+ - port: {{ .Values.egress.ui.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "agent.egressSelectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/agent/templates/egress/serviceaccount.yaml b/charts/agent/templates/egress/serviceaccount.yaml
new file mode 100644
index 000000000..70f782d20
--- /dev/null
+++ b/charts/agent/templates/egress/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.egress.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "agent.egressServiceAccountName" . }}-egress
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+ {{- with .Values.egress.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/agent/templates/tre/deployment.yaml b/charts/agent/templates/tre/deployment.yaml
new file mode 100644
index 000000000..f2b275d7c
--- /dev/null
+++ b/charts/agent/templates/tre/deployment.yaml
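Review bot: Both Services in `egress/service.yaml` select the same pod (`agent.egressSelectorLabels`) and target the named ports `http-api` and `http`, which `egress/deployment.yaml` declares as `containerPort: 80` for both containers; containers in one pod share a network namespace, so the two names resolve to the same port and the `-egress-api` and `-egress-ui` Services would both reach whichever process holds port 80. Unless the images actually listen on different ports than declared, give the containers distinct ports, e.g. `containerPort: 8080` for `egress-api` and `containerPort: 8081` for `egress-ui` (sample values), and set the application listen addresses to match. `tre/deployment.yaml` declares port 80 for both of its containers as well.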
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-tre
+ labels:
+ {{- include "agent.treLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.treSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.treSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.treServiceAccountName" . }}-tre
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: tre-api
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.tre.api.image.repository }}:{{ .Values.tre.api.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.tre.api.image.pullPolicy }}
+ ports:
+ - name: http-api
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http-api
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.treKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.submissionKeycloakSettings" . | nindent 12 }}
+ {{- include "agent.agentSettings" . | nindent 12 }}
+ {{- include "agent.treMinioSettings" . | nindent 12 }}
+ {{- include "agent.submissionMinioSettings" . | nindent 12 }}
+ - name: ConnectionStrings__DefaultConnection
+ value: "Server={{ .Values.externalPostgres.host }};Port={{ .Values.externalPostgres.port }};Database=DARE-Control;Include Error Detail=true;User Id={{ .Values.externalPostgres.username }};Password={{ .Values.externalPostgres.password }};"
+ - name: DareAPISettings__Address
+ value: "{{ .Values.submission.config.apiUrl }}"
+ - name: EnableExternalHangfire
+ value: "{{ .Values.tre.config.externalHangfire }}"
+ - name: TreName
+ value: "{{ .Values.tre.config.name }}"
+ - name: JobSettings__scanSchedule
+ value: "{{ .Values.tre.config.job.schedule.scan }}"
+ - name: JobSettings__syncSchedule
+ value: "{{ .Values.tre.config.job.schedule.sync }}"
+
+ - name: tre-ui
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.tre.ui.image.repository }}:{{ .Values.tre.ui.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.tre.ui.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.treKeycloakSettings" . | nindent 12 }}
+ - name: sslcookies
+ value: "{{ .Values.tre.config.useSslCookies }}"
+ - name: httpsRedirect
+ value: "{{ .Values.tre.config.httpsRedirect }}"
+ - name: TreAPISettings__Address
+ value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/agent/templates/tre/ingress-api.yaml b/charts/agent/templates/tre/ingress-api.yaml
new file mode 100644
index 000000000..c7d9feadd
--- /dev/null
+++ b/charts/agent/templates/tre/ingress-api.yaml
@@ -0,0 +1,76 @@ +{{- if .Values.tre.api.ingress.enabled -}} +{{- $fullName := include "agent.fullname" . -}} +{{- $svcPort := .Values.tre.api.service.port -}} +{{- if and .Values.tre.api.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.tre.api.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.tre.api.ingress.annotations "kubernetes.io/ingress.class" .Values.tre.api.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-api + labels: + {{- include "agent.treLabels" . | nindent 4 }} + {{- with .Values.tre.api.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.tre.api.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.tre.api.ingress.className }} + {{- end }} + {{- if .Values.tre.api.ingress.tls }} + tls: + {{- range .Values.tre.api.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . 
| quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.tre.api.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-tre-api + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }}-tre-api + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} + - host: {{ .Values.tre.api.ingress.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-tre-api + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }}-tre-api + servicePort: {{ $svcPort }} + {{- end }} +{{- end }} diff --git a/charts/agent/templates/tre/ingress-ui.yaml b/charts/agent/templates/tre/ingress-ui.yaml new file mode 100644 index 000000000..ef5f9807c --- /dev/null +++ b/charts/agent/templates/tre/ingress-ui.yaml 
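Review bot: The trailing rule `- host: {{ .Values.tre.api.ingress.host }}` at the end of `rules:` is emitted unconditionally and unquoted, and values.yaml defaults that key to `""`. Enabling the ingress without setting it therefore renders a rule with a null host, which an Ingress treats as matching every hostname that reaches the controller and routes to the tre-api service. Wrap the rule in `{{- with .Values.tre.api.ingress.host }}` … `{{- end }}` and render it as `- host: {{ . | quote }}`, as the `hosts` loop above it already does. The same rule writes `pathType: Prefix` without the `>=1.18-0` guard used inside the loop. `templates/tre/ingress-ui.yaml` repeats both patterns for `.Values.tre.ui.ingress.host`.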
@@ -0,0 +1,76 @@ +{{- if .Values.tre.ui.ingress.enabled -}} +{{- $fullName := include "agent.fullname" . -}} +{{- $svcPort := .Values.tre.ui.service.port -}} +{{- if and .Values.tre.ui.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.tre.ui.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.tre.ui.ingress.annotations "kubernetes.io/ingress.class" .Values.tre.ui.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-ui + labels: + {{- include "agent.treLabels" . | nindent 4 }} + {{- with .Values.tre.ui.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.tre.ui.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.tre.ui.ingress.className }} + {{- end }} + {{- if .Values.tre.ui.ingress.tls }} + tls: + {{- range .Values.tre.ui.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . 
| quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.tre.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-tre-ui + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }}-tre-ui + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} + - host: {{ .Values.tre.ui.ingress.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-tre-ui + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }}-tre-ui + servicePort: {{ $svcPort }} + {{- end }} +{{- end }} diff --git a/charts/agent/templates/tre/service.yaml b/charts/agent/templates/tre/service.yaml new file mode 100644 index 000000000..b76e8386e --- /dev/null +++ b/charts/agent/templates/tre/service.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-tre-api + labels: + {{- include "agent.treLabels" . | nindent 4 }} +spec: + type: {{ .Values.tre.api.service.type }} + ports: + - port: {{ .Values.tre.api.service.port }} + targetPort: http-api + protocol: TCP + name: http-api + selector: + {{- include "agent.treSelectorLabels" . | nindent 4 }} + +--- + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-tre-ui + labels: + {{- include "agent.treLabels" . | nindent 4 }} +spec: + type: {{ .Values.tre.ui.service.type }} + ports: + - port: {{ .Values.tre.ui.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "agent.treSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/agent/templates/tre/serviceaccount.yaml b/charts/agent/templates/tre/serviceaccount.yaml new file mode 100644 index 000000000..29880254a --- /dev/null +++ b/charts/agent/templates/tre/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.tre.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "agent.treServiceAccountName" . }}-tre + labels: + {{- include "agent.treLabels" . | nindent 4 }} + {{- with .Values.tre.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml new file mode 100644 index 000000000..1469ed1da --- /dev/null +++ b/charts/agent/values.yaml 
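Review bot: The ServiceAccount in `templates/tre/serviceaccount.yaml` leaves token automounting at the cluster default, so every tre pod gets a Kubernetes API token mounted whether or not its containers use one. If the TRE API and UI do not call the Kubernetes API, which cannot be confirmed from this hunk, add `automountServiceAccountToken: false` at the top level of the object. The name is built as the `agent.treServiceAccountName` helper output plus `-tre`. The Deployment's `serviceAccountName` is outside this hunk and should be checked to carry the same suffix, otherwise the pod refers to an account that is never created.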
@@ -0,0 +1,288 @@ +# Default values for agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +egress: + api: + image: + repository: harbor.ukserp.ac.uk:/dare-trefx/control-egress-api + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + service: + type: ClusterIP + port: 81 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + ui: + image: + repository: harbor.ukserp.ac.uk/dare-trefx/control-egress-ui + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + config: + useSslCookies: false + httpsRedirect: false + # dataegressapisettings__address is just the internal service name of the egress api container + # treapisettings__address is just the internal service name of the tre api container + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "Data-Egress-UI,Data-Egress-API" + proxy: + enabled: false + url: "" + bypass: "" # needs to be the tre api and seq + # tokenExpiredAddress can be derived from the ingress host with /Account/LoginAfterTokenExpired, otherwise it needs to be set here + tokenExpiredAddress: "" + redirect: + enabled: false + url: "" + minio: + url: "" + authSecret: + name: "" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "" + adminConsole: "" + + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +tre: + config: + name: "MYTRE" + useSslCookies: false + httpsRedirect: false + externalHangfire: false + # dataegressapisettings__address is just the internal service name of the egress api container + # treapisettings__address is just the internal service name of the tre api container + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "" + proxy: + enabled: false + url: "" + bypass: "" # needs to be the tre api and seq + # tokenExpiredAddress can be derived from the ingress host with /Account/LoginAfterTokenExpired + # AccountManagementURL can be derived from baseurl/realm/account + tokenExpiredAddress: "" + redirect: + enabled: false + url: "" + + minio: + url: "" + authSecret: + name: "" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "" + adminConsole: "" + + agent: + image: "harbor.ukserp.ac.uk/dare-trefx/control-tre-hasura" + tesk: + enabled: true + apiUrl: "" + # Do not change me unless you know what you're doing! + outputBucketPrefix: "http://s3.foo.bar.baz/" + hutch: + enabled: false + ignoreSsl: true + minioUrlOverride: "" + apiUrl: "" + database: + host: "" + port: "" + name: "" + rabbit: + enabled: false + hasura: + externalAddress: "" + internalAddress: "" + adminPassword: "" + proxy: + enabled: false + url: "" + + job: + schedule: + scan: "1" + sync: "10" + + api: + image: + repository: harbor.ukserp.ac.uk:/dare-trefx/control-tre-api + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "" + + service: + type: ClusterIP + port: 81 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + ui: + image: + repository: harbor.ukserp.ac.uk/dare-trefx/control-tre-ui + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: nginx + annotations: {} + clusterHostNameOverride: "" + tls: [] + host: "" + hosts: [] + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +submission: + config: + apiUrl: "" + keycloak: + baseUrl: "" + realm: "" + clientAuthSecret: + name: "" + idKey: "clientId" + secretKey: "clientSecret" + validAudiences: "" + proxy: + enabled: false + url: "" + bypass: "" # needs to be the tre api and seq + # tokenExpiredAddress can be derived from the ingress host with /Account/LoginAfterTokenExpired + tokenExpiredAddress: "" + redirect: + enabled: false + url: "" + + minio: + url: "" + authSecret: + name: "" + accessKeyRef: "accessKey" + secretKeyRef: "secretKey" + bucketName: "" + adminConsole: "" + + +externalPostgres: + enabled: true + host: "postgres" + port: "5432" + username: "pglogin" + password: "pgpass" + +rabbitmq: + host: "rabbitmq" + username: "guest" + passwordSecret: + name: "" + key: "password" + +seq: + enabled: false + url: "http://seq:5341" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +podAnnotations: {} + +podSecurityContext: + fsGroup: 2000 + +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a 
conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +nodeSelector: {} + +tolerations: [] + +affinity: {} From 26e72bfdca6b045808ea7773b3966b7bbd4dcff5 Mon Sep 17 00:00:00 2001 From: Alex Date: Tue, 8 Oct 2024 14:58:52 +0100 Subject: [PATCH 03/20] feat: add ci to build agent helm chart --- .github/workflows/charts.yaml | 52 +++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/charts.yaml diff --git a/.github/workflows/charts.yaml b/.github/workflows/charts.yaml new file mode 100644 index 000000000..b19973db9 --- /dev/null +++ b/.github/workflows/charts.yaml 
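Review bot: `externalPostgres.password: "pgpass"` ships a default credential in values.yaml, and the tre Deployment template interpolates it into a literal `value:` for `ConnectionStrings__DefaultConnection`, so the database password sits in plain text in the rendered manifest and the pod spec. Keycloak, MinIO and RabbitMQ in this same file are already referenced through secrets (`clientAuthSecret`, `authSecret`, `passwordSecret`), and Postgres should follow that shape, e.g. `passwordSecret:` with `name: ""` and `key: "password"`. The Deployment can then load it with `secretKeyRef` into its own env var and reference that as `$(VAR)` inside the connection string. `tre.agent.hasura.adminPassword` invites the same plain-text handling, and `tre.agent.hutch.ignoreSsl: true` appears to switch certificate checking off by default, which is safer as an opt-in.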
@@ -0,0 +1,52 @@ +name: Build Helm Chart + +on: + pull_request: + # Only consider PRs that change files for this asset, including ci scripts + paths: + - '.github/workflows/charts.yaml' + - 'charts/**' + # Make sure all workflows that are "required checks" for a given + # branch protection rule have the same paths: and branches-ignore: + # filters. Otherwise, you can end up in a deadlock waiting on a + # required check that will never be executed. + push: + # Only release off of release and maintenance branches for this asset + branches: + - 'main' + # Only consider pushes that change files for this asset, including ci scripts + paths: + - '.github/workflows/charts.yaml' + - 'charts/**' + +permissions: + contents: write + pull-requests: write + actions: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + # Needed to generate releases safely + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + # Job name must be unique across repo to target + # branch protection rules "required checks" properly! + agent-helm-chart: + uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@v2.0.3-charts + with: + job-name: agent-helm-chart + registry: ${{ vars.HARBOR_REGISTRY }} + registry-user: ${{ vars.HARBOR_USER }} + registry-project: ${{ vars.HARBOR_PROJECT }} + registry-repo: ${{ vars.HARBOR_REPO }}-agent + release-tag-format: 'Agent-Helm-Chart-${version}' + cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} + chart: charts/agent + test-command: | + helm template $CHART --debug + + secrets: + cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} + registry-token: ${{ secrets.HARBOR_TOKEN }} From cd5b80a11bbecefd64b7437d31874fd7e990a8e1 Mon Sep 17 00:00:00 2001 From: Alex Date: Tue, 8 Oct 2024 15:28:14 +0100 Subject: [PATCH 04/20] fix: use right chart name for ci --- .github/workflows/charts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
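Review bot: The reusable workflow is referenced by a mutable tag, `pr-and-release-chart.yaml@v2.0.3-charts`, while it is handed `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` and `HARBOR_TOKEN`, so whoever can move that tag decides what code runs with the chart signing key. Pin it to the full commit SHA and keep the tag as a trailing comment: `uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@<full-commit-sha>  # v2.0.3-charts`. The workflow-level `contents: write` and `pull-requests: write` also apply to `pull_request` runs. Declaring `permissions:` on the job instead keeps the default token read-only for anything added to this file later. The `agent-stack-helm-chart` job added later in this series uses the same tag reference.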
diff --git a/.github/workflows/charts.yaml b/.github/workflows/charts.yaml index b19973db9..cf12dc873 100644 --- a/.github/workflows/charts.yaml +++ b/.github/workflows/charts.yaml @@ -39,7 +39,7 @@ jobs: registry: ${{ vars.HARBOR_REGISTRY }} registry-user: ${{ vars.HARBOR_USER }} registry-project: ${{ vars.HARBOR_PROJECT }} - registry-repo: ${{ vars.HARBOR_REPO }}-agent + registry-repo: trefx-agent release-tag-format: 'Agent-Helm-Chart-${version}' cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} chart: charts/agent From 9e4b1f8bca23db40f575e15877fdac7090f1095f Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 09:21:10 +0100 Subject: [PATCH 05/20] fix: correct typo in default image nameg --- charts/agent/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml index 1469ed1da..2361a14cd 100644 --- a/charts/agent/values.yaml +++ b/charts/agent/values.yaml @@ -7,7 +7,7 @@ replicaCount: 1 egress: api: image: - repository: harbor.ukserp.ac.uk:/dare-trefx/control-egress-api + repository: harbor.ukserp.ac.uk/dare-trefx/control-egress-api pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: "" @@ -155,7 +155,7 @@ tre: api: image: - repository: harbor.ukserp.ac.uk:/dare-trefx/control-tre-api + repository: harbor.ukserp.ac.uk/dare-trefx/control-tre-api pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: "" From 44f0ade5191703c2af768ee6ab5a9e29fbb5792d Mon Sep 17 00:00:00 2001 
From: Alex Date: Wed, 9 Oct 2024 09:28:17 +0100 Subject: [PATCH 06/20] feat: agent stack deployment helm chart --- .github/workflows/charts.yaml | 19 ++ charts/agent-stack/.helmignore | 23 +++ charts/agent-stack/Chart.yaml | 24 +++ charts/agent-stack/templates/_helpers.tpl | 70 +++++++ charts/agent-stack/templates/hasura.yaml | 29 +++ charts/agent-stack/templates/minio-cert.yaml | 44 ++++ charts/agent-stack/templates/minio.yaml | 156 +++++++++++++++ charts/agent-stack/templates/rabbitmq.yaml | 25 +++ charts/agent-stack/templates/seq.yaml | 29 +++ .../templates/trefx-agent-postgres.yaml | 35 ++++ charts/agent-stack/templates/trefx-agent.yaml | 83 ++++++++ charts/agent-stack/values.yaml | 188 ++++++++++++++++++ 12 files changed, 725 insertions(+) create mode 100644 charts/agent-stack/.helmignore create mode 100644 charts/agent-stack/Chart.yaml create mode 100644 charts/agent-stack/templates/_helpers.tpl create mode 100644 charts/agent-stack/templates/hasura.yaml create mode 100644 charts/agent-stack/templates/minio-cert.yaml create mode 100644 charts/agent-stack/templates/minio.yaml create mode 100644 charts/agent-stack/templates/rabbitmq.yaml create mode 100644 charts/agent-stack/templates/seq.yaml create mode 100644 charts/agent-stack/templates/trefx-agent-postgres.yaml create mode 100644 charts/agent-stack/templates/trefx-agent.yaml create mode 100644 charts/agent-stack/values.yaml diff --git a/.github/workflows/charts.yaml b/.github/workflows/charts.yaml index cf12dc873..2716a9206 100644 --- a/.github/workflows/charts.yaml +++ b/.github/workflows/charts.yaml 
@@ -50,3 +50,22 @@ jobs: cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} cosign-password: ${{ secrets.COSIGN_PASSWORD }} registry-token: ${{ secrets.HARBOR_TOKEN }} + + agent-stack-helm-chart: + uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@v2.0.3-charts + with: + job-name: agent-stack-helm-chart + registry: ${{ vars.HARBOR_REGISTRY }} + registry-user: ${{ vars.HARBOR_USER }} + registry-project: ${{ vars.HARBOR_PROJECT }} + registry-repo: agent-stack + release-tag-format: 'Agent-Stack-Helm-Chart-${version}' + cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} + chart: charts/agent-stack + test-command: | + helm template $CHART --debug + + secrets: + cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} + cosign-password: ${{ secrets.COSIGN_PASSWORD }} + registry-token: ${{ secrets.HARBOR_TOKEN }} diff --git a/charts/agent-stack/.helmignore b/charts/agent-stack/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/agent-stack/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/agent-stack/Chart.yaml b/charts/agent-stack/Chart.yaml new file mode 100644 index 000000000..06820e15a --- /dev/null +++ b/charts/agent-stack/Chart.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: agent-stack +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.0.0" diff --git a/charts/agent-stack/templates/_helpers.tpl b/charts/agent-stack/templates/_helpers.tpl new file mode 100644 index 000000000..6aa1df95b --- /dev/null +++ b/charts/agent-stack/templates/_helpers.tpl 
@@ -0,0 +1,70 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "agent-deploy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "agent-deploy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "agent-deploy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "agent-deploy.labels" -}} +helm.sh/chart: {{ include "agent-deploy.chart" . }} +{{ include "agent-deploy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "agent-deploy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "agent-deploy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "agent-deploy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "agent-deploy.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Derive the oidc authority host from the full url +*/}} +{{- define "agent-deploy.oidcHost" -}} +{{- $parts := split "/" .Values.global.oidc.authority }} +{{- printf "%s" $parts._2 }} +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/hasura.yaml b/charts/agent-stack/templates/hasura.yaml new file mode 100644 index 000000000..26cb25ef2 --- /dev/null +++ b/charts/agent-stack/templates/hasura.yaml @@ -0,0 +1,29 @@ +{{- if .Values.hasura.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: hasura + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.global.argo.project }} + destination: + namespace: {{ .Release.Namespace }} + server: {{ .Values.global.argo.destinationServer }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + source: + repoURL: {{ .Values.hasura.repoUrl }} + chart: {{ .Values.hasura.chart }} + targetRevision: {{ .Values.hasura.chartVersion }} + helm: + values: | + {{- .Values.hasura.helmValues | toYaml | nindent 8 }} + +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/minio-cert.yaml b/charts/agent-stack/templates/minio-cert.yaml new file mode 100644 index 000000000..ffc6c9746 --- /dev/null +++ b/charts/agent-stack/templates/minio-cert.yaml 
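Review bot: `agent-deploy.oidcHost` takes the third `/`-separated piece of `.Values.global.oidc.authority` without checking that the value is an absolute URL. A scheme-less value such as `idp.example.org/realms/x` (constructed) yields the path segment `x`, an empty string yields `%!s(<nil>)`, and an authority with an explicit port yields `host:port`. The result is written into a certificate's `dnsNames` in `templates/minio-cert.yaml`, so a malformed value ends up in a certificate request instead of failing the render. Parse the URL and fail early: `{{- (urlParse (required "global.oidc.authority must be set" .Values.global.oidc.authority)).hostname }}`.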
@@ -0,0 +1,44 @@ +{{- if .Values.minio.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: minio-tls-secret + namespace: {{ .Release.Namespace }} +spec: + # Secret names are always required. + secretName: minio-tls-secret + duration: 2160h0m0s #90d + renewBefore: 360h0m0s #15d + subject: + organizations: + - serp + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + - digital signature + - client auth + - key encipherment + dnsNames: + - "minio.{{ .Values.global.ingress.host }}" + - "minio" + - "minio.{{ .Release.Namespace }}" + - "minio.{{ .Release.Namespace }}.svc" + - "minio.{{ .Release.Namespace }}.svc.cluster.local" + - "{{ .Values.minio.tenantName }}-hl" + - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}" + - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc" + - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" + - "*.{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" + - "*.{{ .Release.Namespace }}.svc.cluster.local" + # we use this as a cheat/workaround to get it to trust the keycloak ca for oidc + - {{ include "agent-deploy.oidcHost" . }} + ipAddresses: + - 127.0.0.1 + issuerRef: + name: {{ .Values.global.network.certificate.clusterIssuer }} + kind: ClusterIssuer + group: cert-manager.io +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/minio.yaml b/charts/agent-stack/templates/minio.yaml new file mode 100644 index 000000000..bf72ecb92 --- /dev/null +++ b/charts/agent-stack/templates/minio.yaml 
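Review bot: The last `dnsNames` entry puts the OIDC provider's hostname into the MinIO server certificate, so the key stored in `minio-tls-secret` can be used to impersonate the identity provider to any client that trusts this ClusterIssuer; the comment above it describes this as a workaround for CA trust. Trusting the Keycloak CA does not need a SAN: drop `- {{ include "agent-deploy.oidcHost" . }}` and hand the CA to the tenant as a trusted-CA secret instead (the MinIO tenant chart has an external CA secret setting for this; the exact key depends on the chart version). The namespace-wide wildcard `*.{{ .Release.Namespace }}.svc.cluster.local` and the `client auth` usage widen the same certificate further and should be justified or removed. The first entry also reads `.Values.global.ingress.host` while `templates/minio.yaml` reads `.Values.global.network.ingress.host`; one of the two paths is presumably wrong.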
@@ -0,0 +1,156 @@ +{{- if .Values.minio.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: minio + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.global.argo.project}} + destination: + server: {{ .Values.global.argo.destinationServer }} + namespace: {{ .Release.Namespace }} + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + source: + repoURL: {{ .Values.minio.repoUrl }} + chart: {{ .Values.minio.chart }} + targetRevision: {{ .Values.minio.chartVersion }} + helm: + valuesObject: + secrets: + existingSecret: {{ .Values.agent.helmValues.egress.config.minio.authSecret.name }} + + tenant: + name: {{ .Values.minio.tenantName }} + configuration: + name: {{ .Values.agent.helmValues.egress.config.minio.authSecret.name }} + + pools: + - servers: {{ .Values.minio.firstPool.servers }} + name: pool-0 + volumesPerServer: {{ .Values.minio.firstPool.volumesPerServer }} + size: {{ .Values.minio.firstPool.size }} + {{- if .Values.minio.firstPool.storageClassName }} + storageClassName: {{ .Values.minio.firstPool.storageClassName }} + {{- end }} + {{- if .Values.minio.firstPool.storageTierNodeLabel }} + nodeSelector: + hiru.io/storage-tier: "{{ .Values.minio.firstPool.storageTierNodeLabel }}" + {{- end }} + resources: + requests: + cpu: "1" + memory: "1Gi" + limits: + cpu: "4" + memory: "4Gi" + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + {{- if .Values.minio.extraPools -}} + {{- range $i, $value := .Values.minio.extraPools }} + - servers: {{ $value.servers }} + name: pool-{{ add $i 1 }} + volumesPerServer: {{ $value.volumesPerServer }} + size: {{ $value.size }} + storageClassName: {{ $value.storageClassName }} + nodeSelector: + hiru.io/storage-tier: "{{ $value.storageTierNodeLabel 
}}" + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + cpu: "8" + memory: "8Gi" + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + {{- end }} + {{- end }} + + # metrics: + # enabled: true + + buckets: + - name: {{ .Values.agent.helmValues.egress.config.minio.bucketName }} + + env: + # - name: MINIO_PROMETHEUS_AUTH_TYPE + # value: public + # - name: MINIO_PROMETHEUS_URL + # value: "{{ .Values.global.monitoring.prometheusEndpoint }}" + # - name: CONSOLE_PROMETHEUS_URL + # value: "{{ .Values.global.monitoring.prometheusEndpoint }}" + # - name: MINIO_PROMETHEUS_JOB_ID + # value: "scrapeConfig/{{ .Values.global.monitoring.prometheusNamespace }}/{{ .Values.global.namespace }}-minio-job" + # - name: PROMETHEUS_NAMESPACE + # value: "{{ .Values.global.monitoring.prometheusNamespace }}" + # - name: PROMETHEUS_NAME + # value: "prometheus-operator-kube-p-prometheus" + - name: MINIO_IDENTITY_OPENID_CONFIG_URL_PRIMARY_IAM + value: "{{ .Values.global.oidc.authority }}/.well-known/openid-configuration" + - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME_PRIMARY_IAM + value: "SSO_IDENTIFIER" + - name: MINIO_IDENTITY_OPENID_SCOPES_PRIMARY_IAM + value: "openid,email" + - name: MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC_PRIMARY_IAM + value: "on" + - name: GC + value: "10" + + prometheusOperator: false + + {{- if .Values.minio.ingress.enabled }} + ingress: + api: + enabled: true + ingressClassName: "{{ .Values.global.network.ingress.className }}" + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + tls: + - hosts: + - minio-api.{{ .Values.global.network.ingress.host }} + secretName: minioapi-ingress-tls + host: minio-api.{{ 
.Values.global.network.ingress.host }} + path: / + pathType: Prefix + + console: + enabled: true + ingressClassName: "{{ .Values.global.network.ingress.className }}" + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + tls: + - hosts: + - minio.{{ .Values.global.network.ingress.host }} + secretName: minio-ingress-tls + host: minio.{{ .Values.global.network.ingress.host }} + path: / + pathType: Prefix + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/agent-stack/templates/rabbitmq.yaml b/charts/agent-stack/templates/rabbitmq.yaml new file mode 100644 index 000000000..b5441d495 --- /dev/null +++ b/charts/agent-stack/templates/rabbitmq.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rabbitmq.enabled }} +apiVersion: rabbitmq.com/v1beta1 +kind: RabbitmqCluster +metadata: + name: rabbitmq + namespace: {{ .Release.Namespace }} +spec: + persistence: + # storageClassName: {{ .Values.rabbitmq.storageClassName }} + storage: {{ .Values.rabbitmq.storageSize }} + + resources: + requests: + cpu: 250m + memory: 2Gi + limits: + cpu: 500m + memory: 2Gi + + secretBackend: + externalSecret: + name: {{ .Values.agent.helmValues.rabbitmq.passwordSecret.name }} + +{{- end }} + diff --git a/charts/agent-stack/templates/seq.yaml b/charts/agent-stack/templates/seq.yaml new file mode 100644 index 000000000..909abe5b1 --- /dev/null +++ b/charts/agent-stack/templates/seq.yaml 
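Review bot: In `templates/minio.yaml`, `secrets.existingSecret` and `tenant.configuration.name` are filled from `.Values.agent.helmValues.egress.config.minio.authSecret.name` with no quoting or presence check, and the agent chart's own default for that key is `""`. Unless this chart's values.yaml (not in this hunk) overrides it, the tenant is rendered with a null credentials secret and the failure only surfaces in the operator. Guard it at render time, e.g. `existingSecret: {{ required "agent.helmValues.egress.config.minio.authSecret.name must be set" .Values.agent.helmValues.egress.config.minio.authSecret.name | quote }}`, and do the same for `buckets[0].name`. `MINIO_IDENTITY_OPENID_DISPLAY_NAME_PRIMARY_IAM` is set to the literal `SSO_IDENTIFIER`, which reads like an unreplaced placeholder.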
@@ -0,0 +1,29 @@
+{{- if .Values.seq.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: seq
+ namespace: {{ .Release.Namespace }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.global.argo.project }}
+ destination:
+ namespace: {{ .Release.Namespace }}
+ server: {{ .Values.global.argo.destinationServer }}
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ source:
+ repoURL: {{ .Values.seq.repoUrl }}
+ chart: {{ .Values.seq.chart }}
+ targetRevision: {{ .Values.seq.chartVersion }}
+ helm:
+ values: |
+ {{- .Values.seq.helmValues | toYaml | nindent 8 }}
+
+{{- end }}
\ No newline at end of file
diff --git a/charts/agent-stack/templates/trefx-agent-postgres.yaml b/charts/agent-stack/templates/trefx-agent-postgres.yaml
new file mode 100644
index 000000000..213d06972
--- /dev/null
+++ b/charts/agent-stack/templates/trefx-agent-postgres.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.agentPostgres.enabled }}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgresql
+ namespace: {{ .Release.Namespace }}
+spec:
+ instances: {{ .Values.agentPostgres.instances }}
+ imageName: ghcr.io/cloudnative-pg/postgresql:{{ .Values.agentPostgres.version }}
+
+ enableSuperuserAccess: true
+ superuserSecret:
+ name: {{ .Values.agentPostgres.postgresUserSecretName }}
+
+ bootstrap:
+ initdb:
+ database: DATA-Egress
+ owner: postgres
+ secret:
+ name: {{ .Values.agentPostgres.postgresUserSecretName }}
+ postInitSQL:
+ - CREATE DATABASE "DARE-Control"
+
+ storage:
+ size: {{ .Values.agentPostgres.size }}
+ pvcTemplate:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.agentPostgres.size }}
+
+ monitoring:
+ enablePodMonitor: false
+{{- end }}
\ No newline at end of file
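Review bot: `enableSuperuserAccess: true` together with `owner: postgres` means every service that connects to this cluster does so as the PostgreSQL superuser; the trefx-agent Application added in this same patch sets `username: "postgres"`. A compromised API pod would then control both `DATA-Egress` and `DARE-Control` and the server itself, not just its own data. Consider bootstrapping a dedicated application role (for example `owner: trefx_agent`, name is a suggestion) with its own `secret`, and leaving `enableSuperuserAccess` off unless an operator task needs it. Separately, `agentPostgres.storageClassName` is defined in values.yaml but `storage:` here never references it, so the cluster's default storage class is used silently.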
diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml
new file mode 100644
index 000000000..132fec719
--- /dev/null
+++ b/charts/agent-stack/templates/trefx-agent.yaml
@@ -0,0 +1,83 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: trefx-agent
+ namespace: {{ .Release.Namespace }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.global.argo.project }}
+ destination:
+ namespace: {{ .Release.Namespace }}
+ server: {{ .Values.global.argo.destinationServer }}
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ source:
+ repoURL: {{ .Values.agent.repoUrl }}
+ chart: {{ .Values.agent.chart }}
+ targetRevision: {{ .Values.agent.chartVersion }}
+ helm:
+ values: |
+ egress:
+ config:
+ {{- .Values.agent.helmValues.egress.config | toYaml | nindent 12 }}
+
+ ui:
+ ingress:
+ enabled: {{ .Values.agent.helmValues.egress.ui.ingress.enabled }}
+ className: {{ .Values.global.network.ingress.className }}
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}"
+ host: {{ .Values.agent.helmValues.egress.ui.ingress.host }}
+ tls:
+ - hosts:
+ - {{ .Values.agent.helmValues.egress.ui.ingress.host }}
+ secretName: egress-ui-tls-secret
+
+ service:
+ {{- .Values.agent.helmValues.egress.ui.service | toYaml | nindent 14 }}
+
+ tre:
+ config:
+ {{- .Values.agent.helmValues.tre.config | toYaml | nindent 12 }}
+
+ ui:
+ ingress:
+ enabled: {{ .Values.agent.helmValues.tre.ui.ingress.enabled }}
+ className: {{ .Values.global.network.ingress.className }}
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.global.network.certificate.clusterIssuer }}"
+ host: {{ .Values.agent.helmValues.tre.ui.ingress.host }}
+ tls:
+ - hosts:
+ - {{ .Values.agent.helmValues.tre.ui.ingress.host }}
+ secretName: tre-ui-tls-secret
+
+ service:
+ {{- .Values.agent.helmValues.tre.ui.service | toYaml | nindent 14 }}
+
+ submission:
+ config:
+ {{- .Values.agent.helmValues.submission.config | toYaml | nindent 12 }}
+
+ externalPostgres:
+ enabled: true
+ host: "postgresql-rw"
+ username: "postgres"
+ password: "{{ .Values.agent.helmValues.postgres.password }}"
+
+ rabbitmq:
+ host: "http://rabbitmq"
+ username: {{ .Values.agent.helmValues.rabbitmq.username }}
+ passwordSecret:
+ name: {{ .Values.agent.helmValues.rabbitmq.passwordSecret.name }}
+ key: {{ .Values.agent.helmValues.rabbitmq.passwordSecret.key }}
+
+ seq:
+ enabled: true
+ url: "http://seq:5341"
\ No newline at end of file
diff --git a/charts/agent-stack/values.yaml b/charts/agent-stack/values.yaml
new file mode 100644
index 000000000..b2942a8da
--- /dev/null
+++ b/charts/agent-stack/values.yaml
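Review bot: The `externalPostgres.password` line renders the database password as plain text into `spec.source.helm.values`, so it is stored in the Argo CD Application object and readable by anyone who can read Applications in this namespace; the default it picks up from values.yaml (`postgres.password: "my-temp-pg-pass"`) is also committed to the repository. The same applies to `tre.config.hasura.adminPassword`, which is carried in through the `tre.config | toYaml` block. The RabbitMQ section just below already uses a `passwordSecret` name/key reference; doing the same for Postgres, pointing at `agentPostgres.postgresUserSecretName` which the CNPG cluster already reads, would keep the value out of the manifest and stop the two copies drifting apart. Whether the trefx-agent chart accepts a secret reference for `externalPostgres` is not visible here.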
@@ -0,0 +1,188 @@
+global:
+ argo:
+ destinationServer: https://kubernetes.default.svc
+ project: default
+ network:
+ certificate:
+ clusterIssuer: "ca-issuer"
+ ingress:
+ className: "nginx"
+ host: "trefx.serp.ac.uk"
+ oidc:
+ # this is the keycloak used to log into the egress minio
+ authority: ""
+
+hasura:
+ enabled: true
+ repoUrl: 'https://hasura.github.io/helm-charts'
+ chart: hasura-enterprise-stack
+ chartVersion: 0.7.0
+
+ helmValues:
+ global:
+ connector:
+ graphql:
+ enabled: true
+
+ graphql-engine:
+ postgres:
+ enabled: true
+
+ service:
+ type: ClusterIP
+
+ config:
+ metadataOnly: false
+ authHook: "http://trefx-agent-tre-api:81/api/HasuraAuthentication"
+ enabledLogTypes: "startup, http-log, webhook-log, websocket-log, query-log"
+
+seq:
+ enabled: true
+ repoUrl: 'https://helm.datalust.co'
+ chart: seq
+ chartVersion: 2024.1.1
+ helmValues: {}
+
+minio:
+ enabled: true
+ repoUrl: 'https://operator.min.io/'
+ chart: tenant
+ chartVersion: "5.0.13"
+
+ # set the name of the secret with the minio config in agent.helmValues.egress.config.minio.authSecret.name
+ # configSecretName: "minio-env-config"
+
+ tenantName: "trefx-agent"
+ firstPool:
+ servers: 4
+ volumesPerServer: 1
+ size: 10Gi
+ storageClassName: directpv-min-io-tier2
+ storageTierNodeLabel: "2"
+
+ extraPools: []
+ # - servers: 2
+ # volumesPerServer: 1
+ # size: 1000Gi
+ # storageClassName: directpv-min-io-tier9
+ # storageTierNodeLabel: "woo"
+
+ ingress:
+ enabled: true
+
+agentPostgres:
+ enabled: true
+ instances: 1
+ version: "16.1"
+ size: 10Gi
+ storageClassName: ceph-block
+ postgresUserSecretName: agent-postgres-secret
+
+rabbitmq:
+ enabled: true
+ storageClassName: ceph-block
+ storageSize: 5Gi
+
+agent:
+ repoUrl: ''
+ chart: agent
+ chartVersion: 0.1.0
+ helmValues:
+ egress:
+ config:
+ keycloak:
+ baseUrl: ""
+ realm: ""
+ clientAuthSecret:
+ name: "egressKeycloakClient"
+ idKey: "clientId"
+ secretKey: "clientSecret"
+ validAudiences: "Data-Egress-UI,Data-Egress-API"
+ minio:
+ url: "https://minio"
+ authSecret:
+ name: "minio-env-config"
+ accessKeyRef: "accessKey"
+ secretKeyRef: "secretKey"
+ bucketName: "outbucket"
+ adminConsole: "https://minio.trefx.serp.ac.uk"
+
+ ui:
+ # TODO find a nice way of letting them specify ui image and tag
+ ingress:
+ enabled: true
+ host: ""
+
+ service:
+ type: ClusterIP
+ port: 80
+
+ tre:
+ config:
+ name: "MYTRE"
+ keycloak:
+ baseUrl: ""
+ realm: ""
+ clientAuthSecret:
+ name: "treKeycloakClient"
+ idKey: "clientId"
+ secretKey: "clientSecret"
+ validAudiences: ""
+
+ # this is a separate minio to the one deployed alongside the agent?
+ minio:
+ url: "https://minio"
+ authSecret:
+ name: "minio-env-config"
+ accessKeyRef: "accessKey"
+ secretKeyRef: "secretKey"
+ bucketName: ""
+ adminConsole: ""
+
+ agent:
+ tesk:
+ apiUrl: ""
+ hasura:
+ externalAddress: ""
+ internalAddress: ""
+ adminPassword: ""
+
+ ui:
+ # TODO find a nice way of letting them specify ui image and tag
+ ingress:
+ enabled: true
+ host: ""
+
+ service:
+ type: ClusterIP
+ port: 80
+
+ submission:
+ config:
+ apiUrl: ""
+ keycloak:
+ baseUrl: ""
+ realm: ""
+ clientAuthSecret:
+ name: ""
+ idKey: "clientId"
+ secretKey: "clientSecret"
+ validAudiences: ""
+
+ minio:
+ url: ""
+ authSecret:
+ name: ""
+ accessKeyRef: "accessKey"
+ secretKeyRef: "secretKey"
+ bucketName: ""
+ adminConsole: ""
+
+ postgres:
+ password: "my-temp-pg-pass"
+
+ rabbitmq:
+ username: "myuser"
+ passwordSecret:
+ name: "rabbitmqauth"
+ key: "password"
From d455c2b63c0e0894cd244557968b13a409e02648 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 09:41:12 +0100 Subject: [PATCH 07/20] fix: remove unused interface reference --- charts/agent-stack/templates/minio.yaml | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/charts/agent-stack/templates/minio.yaml b/charts/agent-stack/templates/minio.yaml
index bf72ecb92..3dc1100aa 100644
--- a/charts/agent-stack/templates/minio.yaml
+++ b/charts/agent-stack/templates/minio.yaml
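Review bot: `enabledLogTypes` switches on `http-log`, `websocket-log` and `query-log` by default; per the Hasura documentation `query-log` records the full GraphQL query together with its variables, which in a TRE can put data identifiers into the logging backend. A quieter default such as `"startup, http-log, webhook-log"`, with `query-log` as a documented opt-in, would be safer. Separately, `global.oidc.authority`, `agent.repoUrl` and the Keycloak `baseUrl`/`realm` values default to empty strings and nothing visible fails fast on them: the MinIO template would render `/.well-known/openid-configuration` with no host. Wrapping the lookups in `required`, e.g. `{{ required "global.oidc.authority must be set" .Values.global.oidc.authority }}`, turns that into a render-time error.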
@@ -94,18 +94,6 @@ spec: - name: {{ .Values.agent.helmValues.egress.config.minio.bucketName }} env: - # - name: MINIO_PROMETHEUS_AUTH_TYPE - # value: public - # - name: MINIO_PROMETHEUS_URL - # value: "{{ .Values.global.monitoring.prometheusEndpoint }}" - # - name: CONSOLE_PROMETHEUS_URL - # value: "{{ .Values.global.monitoring.prometheusEndpoint }}" - # - name: MINIO_PROMETHEUS_JOB_ID - # value: "scrapeConfig/{{ .Values.global.monitoring.prometheusNamespace }}/{{ .Values.global.namespace }}-minio-job" - # - name: PROMETHEUS_NAMESPACE - # value: "{{ .Values.global.monitoring.prometheusNamespace }}" - # - name: PROMETHEUS_NAME - # value: "prometheus-operator-kube-p-prometheus" - name: MINIO_IDENTITY_OPENID_CONFIG_URL_PRIMARY_IAM value: "{{ .Values.global.oidc.authority }}/.well-known/openid-configuration" - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME_PRIMARY_IAM From 38df8df2e6555b0a9b6cf2daa0afcc9265f84a77 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 09:44:46 +0100 Subject: [PATCH 08/20] fix: point to correct host --- charts/agent-stack/templates/minio-cert.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/agent-stack/templates/minio-cert.yaml b/charts/agent-stack/templates/minio-cert.yaml index ffc6c9746..e05e6dc74 100644 --- a/charts/agent-stack/templates/minio-cert.yaml +++ b/charts/agent-stack/templates/minio-cert.yaml @@ -22,7 +22,7 @@ spec: - client auth - key encipherment dnsNames: - - "minio.{{ .Values.global.ingress.host }}" + - "minio.{{ .Values.global.network.ingress.host }}" - "minio" - "minio.{{ .Release.Namespace }}" - "minio.{{ .Release.Namespace }}.svc" From ddee72d5a2450ff05c12a5dc2e874361d28e1795 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 09:47:52 +0100 Subject: [PATCH 09/20] fix: fill in the gaps in the values --- charts/agent-stack/values.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/charts/agent-stack/values.yaml b/charts/agent-stack/values.yaml index b2942a8da..7f7f912f6 100644 --- a/charts/agent-stack/values.yaml +++ b/charts/agent-stack/values.yaml @@ -57,8 +57,8 @@ minio: servers: 4 volumesPerServer: 1 size: 10Gi - storageClassName: directpv-min-io-tier2 - storageTierNodeLabel: "2" + # storageClassName: directpv-min-io-tier2 + # storageTierNodeLabel: "2" extraPools: [] # - servers: 2 @@ -84,9 +84,9 @@ rabbitmq: storageSize: 5Gi agent: - repoUrl: '' - chart: agent - chartVersion: 0.1.0 + repoUrl: 'harbor.ukserp.ac.uk/dare-trefx/chart' + chart: "trefx-agent" + chartVersion: "0.0.0-pr.849" helmValues: egress: config: From f93dc9045c641e191e792a1a26966d46be6a7a06 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 10:00:58 +0100 Subject: [PATCH 10/20] fix: fill in the gaps in the values --- charts/agent-stack/values.yaml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/charts/agent-stack/values.yaml b/charts/agent-stack/values.yaml index 7f7f912f6..51f627829 100644 --- a/charts/agent-stack/values.yaml +++ b/charts/agent-stack/values.yaml @@ -94,12 +94,12 @@ agent: baseUrl: "" realm: "" clientAuthSecret: - name: "egressKeycloakClient" + name: "egress-keycloak-client" idKey: "clientId" secretKey: "clientSecret" validAudiences: "Data-Egress-UI,Data-Egress-API" minio: - url: "https://minio" + url: "http://minio" authSecret: name: "minio-env-config" accessKeyRef: "accessKey" 
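Review bot: The chart defaults now pin the agent to a pull-request build, `chartVersion: "0.0.0-pr.849"`, and PATCH 18 later adds `containerVersion: "pr-849"` in the same way. PR tags are normally rebuilt on every push and the Application template syncs with `automated` and `selfHeal: true`, so the default values may deploy whatever was last pushed under that tag. If these are test values, keep them in a separate values file for the test environment and leave the defaults on a released version, or empty with a `required` check. For images, a digest is the only immutable reference.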
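Review bot: Agent-to-MinIO traffic becomes clear text with `url: "http://minio"` in the `egress` block, and the `tre` and `submission` blocks further down this patch get the same value. The MinIO ingress in minio.yaml still sets `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`, so the two settings disagree about whether the tenant serves TLS. If this works around the untrusted certificate (PATCH 11 disables the cert-manager request), mounting the issuing CA into the agent pods would keep TLS on. At minimum add a comment such as `# TODO: back to https once the MinIO CA is trusted by the agent images`.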
@@ -124,27 +124,27 @@ agent: baseUrl: "" realm: "" clientAuthSecret: - name: "treKeycloakClient" + name: "tre-keycloak-client" idKey: "clientId" secretKey: "clientSecret" - validAudiences: "" + validAudiences: "Dare-TRE-API,Dare-TRE-UI" # this is a separate minio to the one deployed alongside the agent? minio: - url: "https://minio" + url: "http://minio" authSecret: name: "minio-env-config" accessKeyRef: "accessKey" secretKeyRef: "secretKey" - bucketName: "" + bucketName: "outbucket" adminConsole: "" agent: tesk: - apiUrl: "" + apiUrl: "http://tesk-api.tesk.svc.cluster.local:8080/ga4gh/tes/v1/tasks" hasura: - externalAddress: "" - internalAddress: "" + externalAddress: "http://hasura-graphql-engine.trefx.svc.cluster.local:8080" + internalAddress: "http://hasura-graphql-engine:8080" adminPassword: "" ui: @@ -164,18 +164,18 @@ agent: baseUrl: "" realm: "" clientAuthSecret: - name: "" + name: "submission-keycloak-client" idKey: "clientId" secretKey: "clientSecret" - validAudiences: "" + validAudiences: "Dare-Control-UI,Dare-Control-API,Dare-Control-Minio" minio: - url: "" + url: "http://minio" authSecret: - name: "" + name: "minio-env-config" accessKeyRef: "accessKey" secretKeyRef: "secretKey" - bucketName: "" + bucketName: "outbuc" adminConsole: "" postgres: From 559889a3ecaa95edf8b26592a0f8d33a74453388 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 12:23:49 +0100 Subject: [PATCH 11/20] test: disable cert manager minio cert request --- charts/agent-stack/templates/minio-cert.yaml | 88 ++++++++++---------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/charts/agent-stack/templates/minio-cert.yaml b/charts/agent-stack/templates/minio-cert.yaml index e05e6dc74..552acf916 100644 --- a/charts/agent-stack/templates/minio-cert.yaml +++ b/charts/agent-stack/templates/minio-cert.yaml 
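Review bot: `bucketName: "outbuc"` in the `submission.minio` block looks like a truncated `outbucket`, the name used by the `egress` and `tre` blocks and the only bucket the tenant's `buckets:` list creates; if it is intentional it needs a comment. `hasura.externalAddress` also hard-codes the namespace `trefx` (`hasura-graphql-engine.trefx.svc.cluster.local`) while the templates use `.Release.Namespace`, so a release into another namespace points at the wrong service. The open question in the comment "this is a separate minio to the one deployed alongside the agent?" matters more now, because `tre` and `egress` default to the same bucket and the same credentials secret.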
@@ -1,44 +1,44 @@ -{{- if .Values.minio.enabled }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: minio-tls-secret - namespace: {{ .Release.Namespace }} -spec: - # Secret names are always required. - secretName: minio-tls-secret - duration: 2160h0m0s #90d - renewBefore: 360h0m0s #15d - subject: - organizations: - - serp - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - digital signature - - client auth - - key encipherment - dnsNames: - - "minio.{{ .Values.global.network.ingress.host }}" - - "minio" - - "minio.{{ .Release.Namespace }}" - - "minio.{{ .Release.Namespace }}.svc" - - "minio.{{ .Release.Namespace }}.svc.cluster.local" - - "{{ .Values.minio.tenantName }}-hl" - - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}" - - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc" - - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" - - "*.{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" - - "*.{{ .Release.Namespace }}.svc.cluster.local" - # we use this as a cheat/workaround to get it to trust the keycloak ca for oidc - - {{ include "agent-deploy.oidcHost" . }} - ipAddresses: - - 127.0.0.1 - issuerRef: - name: {{ .Values.global.network.certificate.clusterIssuer }} - kind: ClusterIssuer - group: cert-manager.io -{{- end }} \ No newline at end of file +# {{- if .Values.minio.enabled }} +# apiVersion: cert-manager.io/v1 +# kind: Certificate +# metadata: +# name: minio-tls-secret +# namespace: {{ .Release.Namespace }} +# spec: +# # Secret names are always required. 
+# secretName: minio-tls-secret +# duration: 2160h0m0s #90d +# renewBefore: 360h0m0s #15d +# subject: +# organizations: +# - serp +# privateKey: +# algorithm: RSA +# encoding: PKCS1 +# size: 2048 +# usages: +# - server auth +# - digital signature +# - client auth +# - key encipherment +# dnsNames: +# - "minio.{{ .Values.global.network.ingress.host }}" +# - "minio" +# - "minio.{{ .Release.Namespace }}" +# - "minio.{{ .Release.Namespace }}.svc" +# - "minio.{{ .Release.Namespace }}.svc.cluster.local" +# - "{{ .Values.minio.tenantName }}-hl" +# - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}" +# - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc" +# - "{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" +# - "*.{{ .Values.minio.tenantName }}-hl.{{ .Release.Namespace }}.svc.cluster.local" +# - "*.{{ .Release.Namespace }}.svc.cluster.local" +# # we use this as a cheat/workaround to get it to trust the keycloak ca for oidc +# - {{ include "agent-deploy.oidcHost" . }} +# ipAddresses: +# - 127.0.0.1 +# issuerRef: +# name: {{ .Values.global.network.certificate.clusterIssuer }} +# kind: ClusterIssuer +# group: cert-manager.io +# {{- end }} \ No newline at end of file From c761d4790014da01cae37b9fe5d8a3fcbd812dbb Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 13:59:04 +0100 Subject: [PATCH 12/20] fix: allow set trefx agent resources --- charts/agent-stack/templates/trefx-agent.yaml | 8 +++++++- charts/agent-stack/values.yaml | 8 ++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml index 132fec719..15cf0d0d0 100644 --- a/charts/agent-stack/templates/trefx-agent.yaml +++ b/charts/agent-stack/templates/trefx-agent.yaml 
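Review bot: Prefixing each line with `#` does not switch this template off, because Helm still evaluates every `{{ … }}` action inside YAML comments; `{{ include "agent-deploy.oidcHost" . }}` and the `.Values` lookups still run and can still fail the render. Gate the file on a value instead, e.g. `{{- if and .Values.minio.enabled .Values.minio.certificate.enabled }}` (the value name is a suggestion), so the certificate can be re-enabled without another commit. When it comes back, the "cheat/workaround" SAN deserves a second look: putting the OIDC host into `dnsNames` gives MinIO a key pair that is valid for the identity provider's hostname under this issuer. Trusting the Keycloak CA through a CA bundle would avoid that.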
@@ -80,4 +80,10 @@ spec: seq: enabled: true - url: "http://seq:5341" \ No newline at end of file + url: "http://seq:5341" + + {{- with .Values.agent.helmValues.resources }} + + resources: + {{- . | toYaml | nindent 10 }} + {{- end }} \ No newline at end of file diff --git a/charts/agent-stack/values.yaml b/charts/agent-stack/values.yaml index 51f627829..af8319cae 100644 --- a/charts/agent-stack/values.yaml +++ b/charts/agent-stack/values.yaml @@ -186,3 +186,11 @@ agent: passwordSecret: name: "rabbitmqauth" key: "password" + + resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 0.5m + memory: 1Gi \ No newline at end of file From a3c372de5ed1bb5b4a48637d7b5598e4745d27a0 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 14:16:08 +0100 Subject: [PATCH 13/20] test: don't run the containers as root --- src/Data-Egress-API/Dockerfile | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/Data-Egress-API/Dockerfile b/src/Data-Egress-API/Dockerfile index d3a48d4b4..343022883 100644 --- a/src/Data-Egress-API/Dockerfile +++ b/src/Data-Egress-API/Dockerfile @@ -21,10 +21,14 @@ RUN dotnet publish "Data-Egress-API.csproj" -c Release -o /app/publish /p:UseApp FROM base AS final WORKDIR /app -COPY --from=publish /app/publish . -ENTRYPOINT ["dotnet", "Data-Egress-API.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt - RUN chmod 644 /usr/local/share/ca-certificates/*.crt && \ - update-ca-certificates \ No newline at end of file + update-ca-certificates + +ENV APP_USER app_user +RUN useradd -r $APP_USER +USER $APP_USER + +COPY --from=publish /app/publish . +ENTRYPOINT ["dotnet", "Data-Egress-API.dll"] \ No newline at end of file From 4c98cf814df16a1ba2861cc111d6edef7c8aa38b Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 14:19:54 +0100 Subject: [PATCH 14/20] test: force run pr container for egress api --- charts/agent-stack/templates/trefx-agent.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
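Review bot: `cpu: 0.5m` in the new `resources.requests` block of values.yaml is half a millicore, which is almost certainly not intended next to a limit of `cpu: 1`; Kubernetes does not allow CPU precision finer than `1m`. `cpu: 500m` is probably what was meant. In the template hunk, `.Values.agent.helmValues.resources` is passed down as a single top-level `resources:` key; whether the trefx-agent chart applies it to every container is not visible here.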
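Review bot: `USER $APP_USER` sets a user name and `useradd -r` takes whatever system UID is free, so a pod spec with `runAsNonRoot: true` cannot verify the image (the kubelet needs a numeric UID for that check) and file ownership on volumes cannot be planned. Give the account a fixed UID and reference it numerically: `RUN useradd -r -u 10001 app_user` and `USER 10001` (the UID is an example). The chart's containers declare `containerPort: 80`, which an unprivileged process may not be allowed to bind depending on the runtime's unprivileged-port setting, so the listen port likely needs to move above 1024 as well. Only this Dockerfile gets the non-root user: the visible hunks of PATCH 17 add just `ENV COMPlus_EnableDiagnostics=0` to the other service images, and the final stage of `Tre-SQL-PG` ends without a `USER` line.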
diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml index 15cf0d0d0..84066b419 100644 --- a/charts/agent-stack/templates/trefx-agent.yaml +++ b/charts/agent-stack/templates/trefx-agent.yaml @@ -41,6 +41,10 @@ spec: service: {{- .Values.agent.helmValues.egress.ui.service | toYaml | nindent 14 }} + + api: + image: + tag: "pr-849" tre: config: @@ -83,7 +87,7 @@ spec: url: "http://seq:5341" {{- with .Values.agent.helmValues.resources }} - + resources: {{- . | toYaml | nindent 10 }} {{- end }} \ No newline at end of file From f0782f5254731a2c89f307ddad8b0a458962aea2 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 14:27:49 +0100 Subject: [PATCH 15/20] test: disable csharp diagnostics --- src/Data-Egress-API/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Data-Egress-API/Dockerfile b/src/Data-Egress-API/Dockerfile index 343022883..65ec064fe 100644 --- a/src/Data-Egress-API/Dockerfile +++ b/src/Data-Egress-API/Dockerfile @@ -29,6 +29,7 @@ RUN chmod 644 /usr/local/share/ca-certificates/*.crt && \ ENV APP_USER app_user RUN useradd -r $APP_USER USER $APP_USER +ENV COMPlus_EnableDiagnostics=0 COPY --from=publish /app/publish . ENTRYPOINT ["dotnet", "Data-Egress-API.dll"] \ No newline at end of file From b38988660d8f1ebc7e7d9c239f6979dd8f94d643 Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 9 Oct 2024 14:40:01 +0100 Subject: [PATCH 16/20] test: force pull test image --- charts/agent-stack/templates/trefx-agent.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml index 84066b419..f73f50f81 100644 --- a/charts/agent-stack/templates/trefx-agent.yaml +++ b/charts/agent-stack/templates/trefx-agent.yaml @@ -45,6 +45,7 @@ spec: api: image: tag: "pr-849" + pullPolicy: Always tre: config: From 36cf218a70e36c8df1cb0781134df73991740f61 Mon Sep 17 00:00:00 2001 
From: Alex Date: Wed, 9 Oct 2024 14:56:30 +0100 Subject: [PATCH 17/20] fix: make all containers actually run on kubernetes --- charts/agent-stack/templates/trefx-agent.yaml | 5 ----- src/DARE-API/Dockerfile | 1 + src/DARE-FrontEnd/Dockerfile | 1 + src/Data-Egress-UI/Dockerfile | 1 + src/TRE-API/Dockerfile | 1 + src/TRE-UI/Dockerfile | 1 + src/Tre-Hasura/Dockerfile | 1 + src/Tre-SQL-PG/Dockerfile | 1 + 8 files changed, 7 insertions(+), 5 deletions(-) diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml index f73f50f81..459e640da 100644 --- a/charts/agent-stack/templates/trefx-agent.yaml +++ b/charts/agent-stack/templates/trefx-agent.yaml @@ -41,11 +41,6 @@ spec: service: {{- .Values.agent.helmValues.egress.ui.service | toYaml | nindent 14 }} - - api: - image: - tag: "pr-849" - pullPolicy: Always tre: config: diff --git a/src/DARE-API/Dockerfile b/src/DARE-API/Dockerfile index e2028255c..e11bd9f08 100644 --- a/src/DARE-API/Dockerfile +++ b/src/DARE-API/Dockerfile @@ -25,6 +25,7 @@ RUN dotnet publish "DARE-API.csproj" -c Release -o /app/publish /p:UseAppHost=fa FROM base AS final WORKDIR /app +ENV COMPlus_EnableDiagnostics=0 COPY --from=publish /app/publish . ENTRYPOINT ["dotnet", "DARE-API.dll"] diff --git a/src/DARE-FrontEnd/Dockerfile b/src/DARE-FrontEnd/Dockerfile index 18023c025..ffd6a3ffd 100644 --- a/src/DARE-FrontEnd/Dockerfile +++ b/src/DARE-FrontEnd/Dockerfile @@ -22,6 +22,7 @@ RUN dotnet publish "DARE-FrontEnd.csproj" -c Release -o /app/publish /p:UseAppHo FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "DARE-FrontEnd.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/Data-Egress-UI/Dockerfile b/src/Data-Egress-UI/Dockerfile index 14a607a07..a2602fabf 100644 --- a/src/Data-Egress-UI/Dockerfile +++ b/src/Data-Egress-UI/Dockerfile 
@@ -22,6 +22,7 @@ RUN dotnet publish "Data-Egress-UI.csproj" -c Release -o /app/publish /p:UseAppH FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "Data-Egress-UI.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/TRE-API/Dockerfile b/src/TRE-API/Dockerfile index 2654162e3..25b74db58 100644 --- a/src/TRE-API/Dockerfile +++ b/src/TRE-API/Dockerfile @@ -28,6 +28,7 @@ RUN dotnet publish "TRE-API.csproj" -c Release -o /app/publish /p:UseAppHost=fal FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "TRE-API.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/TRE-UI/Dockerfile b/src/TRE-UI/Dockerfile index 9b45ab9ee..da78a7973 100644 --- a/src/TRE-UI/Dockerfile +++ b/src/TRE-UI/Dockerfile @@ -28,6 +28,7 @@ RUN dotnet publish "TRE-UI.csproj" -c Release -o /app/publish /p:UseAppHost=fals FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "TRE-UI.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/Tre-Hasura/Dockerfile b/src/Tre-Hasura/Dockerfile index 1f4841b49..8ab12ab84 100644 --- a/src/Tre-Hasura/Dockerfile +++ b/src/Tre-Hasura/Dockerfile @@ -26,6 +26,7 @@ RUN dotnet publish "Tre-Hasura.csproj" -c Release -o /app/publish /p:UseAppHost= FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "Tre-Hasura.dll"] COPY rootca.pem /usr/local/share/ca-certificates/chi-ansible.crt diff --git a/src/Tre-SQL-PG/Dockerfile b/src/Tre-SQL-PG/Dockerfile index 6abdc4f31..b79853246 100644 --- a/src/Tre-SQL-PG/Dockerfile +++ b/src/Tre-SQL-PG/Dockerfile 
@@ -17,4 +17,5 @@ RUN dotnet publish "Tre-SQL-PG.csproj" -c Release -o /app/publish /p:UseAppHost= FROM base AS final WORKDIR /app COPY --from=publish /app/publish . +ENV COMPlus_EnableDiagnostics=0 ENTRYPOINT ["dotnet", "Tre-SQL-PG.dll"] \ No newline at end of file From 90b01e38f53921e942522f9038e90d10184c3a2b Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 10 Oct 2024 08:04:39 +0100 Subject: [PATCH 18/20] fix: allow to set agent image tag when deploying with agent stack chart --- charts/agent-stack/templates/trefx-agent.yaml | 14 ++++++++++++++ charts/agent-stack/values.yaml | 1 + 2 files changed, 15 insertions(+) diff --git a/charts/agent-stack/templates/trefx-agent.yaml b/charts/agent-stack/templates/trefx-agent.yaml index 459e640da..f4c329313 100644 --- a/charts/agent-stack/templates/trefx-agent.yaml +++ b/charts/agent-stack/templates/trefx-agent.yaml @@ -28,6 +28,9 @@ spec: {{- .Values.agent.helmValues.egress.config | toYaml | nindent 12 }} ui: + image: + tag: {{ .Values.agent.containerVersion }} + ingress: enabled: {{ .Values.agent.helmValues.egress.ui.ingress.enabled }} className: {{ .Values.global.network.ingress.className }} @@ -42,11 +45,18 @@ spec: service: {{- .Values.agent.helmValues.egress.ui.service | toYaml | nindent 14 }} + api: + image: + tag: {{ .Values.agent.containerVersion }} + tre: config: {{- .Values.agent.helmValues.tre.config | toYaml | nindent 12 }} ui: + image: + tag: {{ .Values.agent.containerVersion }} + ingress: enabled: {{ .Values.agent.helmValues.tre.ui.ingress.enabled }} className: {{ .Values.global.network.ingress.className }} @@ -61,6 +71,10 @@ spec: service: {{- .Values.agent.helmValues.tre.ui.service | toYaml | nindent 14 }} + api: + image: + tag: {{ .Values.agent.containerVersion }} + submission: config: {{- .Values.agent.helmValues.submission.config | toYaml | nindent 12 }} diff --git a/charts/agent-stack/values.yaml b/charts/agent-stack/values.yaml index af8319cae..7c642da28 100644 --- a/charts/agent-stack/values.yaml 
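Review bot: The four `tag: {{ .Values.agent.containerVersion }}` lines added to trefx-agent.yaml are unquoted inside the `values: |` block, and that text is parsed as YAML again by the agent chart: a tag such as `1.10` becomes the float `1.1` and an all-digit tag becomes an integer. Use `tag: {{ .Values.agent.containerVersion | quote }}`. The same applies to the other bare scalars in this template (`host:`, `className:`, `username:`). An unset `containerVersion` currently renders `tag:` as null without any error, so the image silently falls back to whatever the subchart defaults to.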
+++ b/charts/agent-stack/values.yaml @@ -87,6 +87,7 @@ agent: repoUrl: 'harbor.ukserp.ac.uk/dare-trefx/chart' chart: "trefx-agent" chartVersion: "0.0.0-pr.849" + containerVersion: "pr-849" helmValues: egress: config: From 6bc6e48a2b4459da5eaa2f355e170469e0838940 Mon Sep 17 00:00:00 2001 
From: Alex Date: Thu, 10 Oct 2024 09:01:35 +0100 Subject: [PATCH 19/20] fix: all containers have to go into separate pods as they all use port 80 --- charts/agent/templates/_helpers.tpl | 24 +++++-- .../egress/{ => api}/deployment.yaml | 34 ++-------- .../{ingress-api.yaml => api/ingress.yaml} | 0 .../agent/templates/egress/api/service.yaml | 15 ++++ charts/agent/templates/egress/service.yaml | 33 --------- .../agent/templates/egress/ui/deployment.yaml | 66 ++++++++++++++++++ .../{ingress-ui.yaml => ui/ingress.yaml} | 0 charts/agent/templates/egress/ui/service.yaml | 15 ++++ .../templates/tre/{ => api}/deployment.yaml | 37 ++-------- .../{ingress-api.yaml => api/ingress.yaml} | 0 charts/agent/templates/tre/api/service.yaml | 15 ++++ charts/agent/templates/tre/service.yaml | 33 --------- charts/agent/templates/tre/ui/deployment.yaml | 68 +++++++++++++++++++ .../tre/{ingress-ui.yaml => ui/ingress.yaml} | 0 charts/agent/templates/tre/ui/service.yaml | 15 ++++ 15 files changed, 222 insertions(+), 133 deletions(-) rename charts/agent/templates/egress/{ => api}/deployment.yaml (72%) rename charts/agent/templates/egress/{ingress-api.yaml => api/ingress.yaml} (100%) create mode 100644 charts/agent/templates/egress/api/service.yaml delete mode 100644 charts/agent/templates/egress/service.yaml create mode 100644 charts/agent/templates/egress/ui/deployment.yaml rename charts/agent/templates/egress/{ingress-ui.yaml => ui/ingress.yaml} (100%) create mode 100644 charts/agent/templates/egress/ui/service.yaml rename charts/agent/templates/tre/{ => api}/deployment.yaml (68%) rename charts/agent/templates/tre/{ingress-api.yaml => api/ingress.yaml} (100%) create mode 100644 charts/agent/templates/tre/api/service.yaml delete mode 100644 charts/agent/templates/tre/service.yaml create mode 100644 charts/agent/templates/tre/ui/deployment.yaml rename charts/agent/templates/tre/{ingress-ui.yaml => ui/ingress.yaml} (100%) create mode 100644 charts/agent/templates/tre/ui/service.yaml 
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 7ec4c78b5..670a675e7 100644 --- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl @@ -57,16 +57,32 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Egress selector labels */}} -{{- define "agent.egressSelectorLabels" -}} -app.kubernetes.io/name: {{ include "agent.name" . }}-egress +{{- define "agent.egressApiSelectorLabels" -}} +app.kubernetes.io/name: {{ include "agent.name" . }}-egress-api +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Egress selector labels +*/}} +{{- define "agent.egressUiSelectorLabels" -}} +app.kubernetes.io/name: {{ include "agent.name" . }}-egress-ui +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Tre selector labels +*/}} +{{- define "agent.treApiSelectorLabels" -}} +app.kubernetes.io/name: {{ include "agent.name" . }}-tre-api app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Tre selector labels */}} -{{- define "agent.treSelectorLabels" -}} -app.kubernetes.io/name: {{ include "agent.name" . }}-tre +{{- define "agent.treUiSelectorLabels" -}} +app.kubernetes.io/name: {{ include "agent.name" . }}-tre-ui app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/charts/agent/templates/egress/deployment.yaml b/charts/agent/templates/egress/api/deployment.yaml similarity index 72% rename from charts/agent/templates/egress/deployment.yaml rename to charts/agent/templates/egress/api/deployment.yaml index 90b8b6f2e..f5db8f6b6 100644 --- a/charts/agent/templates/egress/deployment.yaml +++ b/charts/agent/templates/egress/api/deployment.yaml 
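Review bot: The four selector-label helpers carry only two distinct doc comments: both egress helpers are headed "Egress selector labels" and both TRE helpers "Tre selector labels". The point of this commit is that API and UI pods must be selected separately, so the comments should say which is which, e.g. `Egress API selector labels (must not match the egress UI pods)` and the equivalent for the other three. It is also worth noting in the comment that these values feed `spec.selector.matchLabels`, which is immutable on an existing Deployment, so they should not be changed again without renaming the Deployment.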
@@ -1,14 +1,14 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "agent.fullname" . }}-egress + name: {{ include "agent.fullname" . }}-egress-api labels: {{- include "agent.egressLabels" . | nindent 4 }} spec: replicas: 1 selector: matchLabels: - {{- include "agent.egressSelectorLabels" . | nindent 6 }} + {{- include "agent.egressApiSelectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} @@ -16,7 +16,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "agent.egressSelectorLabels" . | nindent 8 }} + {{- include "agent.egressApiSelectorLabels" . | nindent 8 }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -32,7 +32,7 @@ spec: image: "{{ .Values.egress.api.image.repository }}:{{ .Values.egress.api.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.egress.api.image.pullPolicy }} ports: - - name: http-api + - name: http containerPort: 80 protocol: TCP # livenessProbe: 
@@ -70,32 +70,6 @@ spec: value: "{{ .Values.egress.config.minio.adminConsole }}" - name: TreAPISettings__Address value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}" - - name: egress-ui - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.egress.ui.image.repository }}:{{ .Values.egress.ui.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.egress.ui.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - # livenessProbe: - # httpGet: - # path: / - # port: http - # readinessProbe: - # httpGet: - # path: / - # port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - {{- include "agent.commonEnvVars" . | nindent 12 }} - {{- include "agent.egressKeycloakSettings" . | nindent 12 }} - - name: sslcookies - value: "{{ .Values.egress.config.useSslCookies }}" - - name: httpsRedirect - value: "{{ .Values.egress.config.httpsRedirect }}" {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/agent/templates/egress/ingress-api.yaml b/charts/agent/templates/egress/api/ingress.yaml similarity index 100% rename from charts/agent/templates/egress/ingress-api.yaml rename to charts/agent/templates/egress/api/ingress.yaml diff --git a/charts/agent/templates/egress/api/service.yaml b/charts/agent/templates/egress/api/service.yaml new file mode 100644 index 000000000..6a79b07a6 --- /dev/null +++ b/charts/agent/templates/egress/api/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-egress-api + labels: + {{- include "agent.egressLabels" . | nindent 4 }} +spec: + type: {{ .Values.egress.api.service.type }} + ports: + - port: {{ .Values.egress.api.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "agent.egressApiSelectorLabels" . | nindent 4 }} \ No newline at end of file 
diff --git a/charts/agent/templates/egress/service.yaml b/charts/agent/templates/egress/service.yaml deleted file mode 100644 index e3baa6ea4..000000000 --- a/charts/agent/templates/egress/service.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "agent.fullname" . }}-egress-api - labels: - {{- include "agent.egressLabels" . | nindent 4 }} -spec: - type: {{ .Values.egress.api.service.type }} - ports: - - port: {{ .Values.egress.api.service.port }} - targetPort: http-api - protocol: TCP - name: http-api - selector: - {{- include "agent.egressSelectorLabels" . | nindent 4 }} - ---- - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "agent.fullname" . }}-egress-ui - labels: - {{- include "agent.egressLabels" . | nindent 4 }} -spec: - type: {{ .Values.egress.ui.service.type }} - ports: - - port: {{ .Values.egress.ui.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "agent.egressSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/agent/templates/egress/ui/deployment.yaml b/charts/agent/templates/egress/ui/deployment.yaml new file mode 100644 index 000000000..acaf3d7b4 --- /dev/null +++ b/charts/agent/templates/egress/ui/deployment.yaml 
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-egress-ui
+ labels:
+ {{- include "agent.egressLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.egressUiSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.egressUiSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.egressServiceAccountName" . }}-egress
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: egress-ui
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.egress.ui.image.repository }}:{{ .Values.egress.ui.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.egress.ui.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.egressKeycloakSettings" . | nindent 12 }}
+ - name: sslcookies
+ value: "{{ .Values.egress.config.useSslCookies }}"
+ - name: httpsRedirect
+ value: "{{ .Values.egress.config.httpsRedirect }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
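Review bot: The new egress-ui pod mounts a ServiceAccount token it most likely does not need. It sets `serviceAccountName: {{ include "agent.egressServiceAccountName" . }}-egress`, presumably the same account the API deployment uses, and nothing in the pod spec turns token mounting off. That leaves the browser-facing UI container holding a Kubernetes API credential with whatever RBAC that account has. Unless the ServiceAccount template already disables it (not visible in this hunk), add `automountServiceAccountToken: false` next to `serviceAccountName`, or give the UI its own ServiceAccount. `tre/ui/deployment.yaml` follows the same pattern with the `-tre` account.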
diff --git a/charts/agent/templates/egress/ingress-ui.yaml b/charts/agent/templates/egress/ui/ingress.yaml similarity index 100% rename from charts/agent/templates/egress/ingress-ui.yaml rename to charts/agent/templates/egress/ui/ingress.yaml diff --git a/charts/agent/templates/egress/ui/service.yaml b/charts/agent/templates/egress/ui/service.yaml new file mode 100644 index 000000000..afac1c7c1 --- /dev/null +++ b/charts/agent/templates/egress/ui/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-egress-ui + labels: + {{- include "agent.egressLabels" . | nindent 4 }} +spec: + type: {{ .Values.egress.ui.service.type }} + ports: + - port: {{ .Values.egress.ui.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "agent.egressUiSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/agent/templates/tre/deployment.yaml b/charts/agent/templates/tre/api/deployment.yaml similarity index 68% rename from charts/agent/templates/tre/deployment.yaml rename to charts/agent/templates/tre/api/deployment.yaml index f2b275d7c..f2fcbc508 100644 --- a/charts/agent/templates/tre/deployment.yaml +++ b/charts/agent/templates/tre/api/deployment.yaml @@ -1,14 +1,14 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "agent.fullname" . }}-tre + name: {{ include "agent.fullname" . }}-tre-api labels: {{- include "agent.treLabels" . | nindent 4 }} spec: replicas: 1 selector: matchLabels: - {{- include "agent.treSelectorLabels" . | nindent 6 }} + {{- include "agent.treApiSelectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} @@ -16,7 +16,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "agent.treSelectorLabels" . | nindent 8 }} + {{- include "agent.treApiSelectorLabels" . | nindent 8 }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: 
@@ -32,7 +32,7 @@ spec: image: "{{ .Values.tre.api.image.repository }}:{{ .Values.tre.api.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.tre.api.image.pullPolicy }} ports: - - name: http-api + - name: http containerPort: 80 protocol: TCP # livenessProbe: @@ -65,35 +65,6 @@ spec: value: "{{ .Values.tre.config.job.schedule.scan }}" - name: JobSettings__syncSchedule value: "{{ .Values.tre.config.job.schedule.sync }}" - - - name: tre-ui - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.tre.ui.image.repository }}:{{ .Values.tre.ui.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.tre.ui.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - # livenessProbe: - # httpGet: - # path: / - # port: http - # readinessProbe: - # httpGet: - # path: / - # port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - {{- include "agent.commonEnvVars" . | nindent 12 }} - {{- include "agent.treKeycloakSettings" . | nindent 12 }} - - name: sslcookies - value: "{{ .Values.tre.config.useSslCookies }}" - - name: httpsRedirect - value: "{{ .Values.tre.config.httpsRedirect }}" - - name: TreAPISettings__Address - value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}" {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/agent/templates/tre/ingress-api.yaml b/charts/agent/templates/tre/api/ingress.yaml similarity index 100% rename from charts/agent/templates/tre/ingress-api.yaml rename to charts/agent/templates/tre/api/ingress.yaml diff --git a/charts/agent/templates/tre/api/service.yaml b/charts/agent/templates/tre/api/service.yaml new file mode 100644 index 000000000..257ee2ffa --- /dev/null +++ b/charts/agent/templates/tre/api/service.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-tre-api + labels: + {{- include "agent.treLabels" . | nindent 4 }} +spec: + type: {{ .Values.tre.api.service.type }} + ports: + - port: {{ .Values.tre.api.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "agent.treApiSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/agent/templates/tre/service.yaml b/charts/agent/templates/tre/service.yaml deleted file mode 100644 index b76e8386e..000000000 --- a/charts/agent/templates/tre/service.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "agent.fullname" . }}-tre-api - labels: - {{- include "agent.treLabels" . | nindent 4 }} -spec: - type: {{ .Values.tre.api.service.type }} - ports: - - port: {{ .Values.tre.api.service.port }} - targetPort: http-api - protocol: TCP - name: http-api - selector: - {{- include "agent.treSelectorLabels" . | nindent 4 }} - ---- - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "agent.fullname" . }}-tre-ui - labels: - {{- include "agent.treLabels" . | nindent 4 }} -spec: - type: {{ .Values.tre.ui.service.type }} - ports: - - port: {{ .Values.tre.ui.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "agent.treSelectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/agent/templates/tre/ui/deployment.yaml b/charts/agent/templates/tre/ui/deployment.yaml new file mode 100644 index 000000000..a105199d4 --- /dev/null +++ b/charts/agent/templates/tre/ui/deployment.yaml 
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "agent.fullname" . }}-tre-ui
+ labels:
+ {{- include "agent.treLabels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "agent.treUiSelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "agent.treUiSelectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "agent.treServiceAccountName" . }}-tre
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: tre-ui
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.tre.ui.image.repository }}:{{ .Values.tre.ui.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.tre.ui.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- include "agent.commonEnvVars" . | nindent 12 }}
+ {{- include "agent.treKeycloakSettings" . | nindent 12 }}
+ - name: sslcookies
+ value: "{{ .Values.tre.config.useSslCookies }}"
+ - name: httpsRedirect
+ value: "{{ .Values.tre.config.httpsRedirect }}"
+ - name: TreAPISettings__Address
+ value: "http://{{ include "agent.fullname" . }}-tre-api:{{ .Values.tre.api.service.port }}"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
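Review bot: `TreAPISettings__Address` in the tre-ui container is hard-wired to `http://…-tre-api:<port>`, so the UI-to-API hop is cleartext. With the UI now in its own Deployment, that hop can cross nodes. Whatever the UI forwards (presumably Keycloak-issued tokens, given the `agent.treKeycloakSettings` env block) is then readable on the cluster network. If the chart relies on a service mesh or NetworkPolicy for this hop, record that above the entry, e.g. `# plain HTTP to the in-cluster tre-api Service; this hop must be covered by mesh mTLS or a NetworkPolicy`. Otherwise, expose the scheme through values so a TLS-terminating API Service can be used.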
diff --git a/charts/agent/templates/tre/ingress-ui.yaml b/charts/agent/templates/tre/ui/ingress.yaml similarity index 100% rename from charts/agent/templates/tre/ingress-ui.yaml rename to charts/agent/templates/tre/ui/ingress.yaml diff --git a/charts/agent/templates/tre/ui/service.yaml b/charts/agent/templates/tre/ui/service.yaml new file mode 100644 index 000000000..c8233365f --- /dev/null +++ b/charts/agent/templates/tre/ui/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "agent.fullname" . }}-tre-ui + labels: + {{- include "agent.treLabels" . | nindent 4 }} +spec: + type: {{ .Values.tre.ui.service.type }} + ports: + - port: {{ .Values.tre.ui.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "agent.treUiSelectorLabels" . | nindent 4 }} \ No newline at end of file From f54a24cb62185a55b6283b98d4e11130f630129f Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 10 Oct 2024 09:07:08 +0100 Subject: [PATCH 20/20] fix: don't let the helper function call a non existent func --- charts/agent/templates/_helpers.tpl | 32 ++++++++++++++++--- .../templates/egress/api/deployment.yaml | 2 +- .../agent/templates/egress/api/ingress.yaml | 2 +- .../agent/templates/egress/api/service.yaml | 2 +- .../templates/egress/serviceaccount.yaml | 2 +- .../agent/templates/egress/ui/deployment.yaml | 2 +- charts/agent/templates/egress/ui/ingress.yaml | 2 +- charts/agent/templates/egress/ui/service.yaml | 2 +- .../agent/templates/tre/api/deployment.yaml | 2 +- charts/agent/templates/tre/api/ingress.yaml | 2 +- charts/agent/templates/tre/api/service.yaml | 2 +- .../agent/templates/tre/serviceaccount.yaml | 2 +- charts/agent/templates/tre/ui/deployment.yaml | 2 +- charts/agent/templates/tre/ui/service.yaml | 2 +- 14 files changed, 41 insertions(+), 17 deletions(-) diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 670a675e7..91dd688c3 100644 
--- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl @@ -33,9 +33,33 @@ Create chart name and version as used by the chart label. {{/* Common labels - egress */}} -{{- define "agent.egressLabels" -}} +{{- define "agent.egressApiLabels" -}} helm.sh/chart: {{ include "agent.chart" . }} -{{ include "agent.egressSelectorLabels" . }} +{{ include "agent.egressApiSelectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Common labels - egress +*/}} +{{- define "agent.egressUiLabels" -}} +helm.sh/chart: {{ include "agent.chart" . }} +{{ include "agent.egressUiSelectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Common labels - tre +*/}} +{{- define "agent.treApiLabels" -}} +helm.sh/chart: {{ include "agent.chart" . }} +{{ include "agent.treApiSelectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,9 +69,9 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Common labels - tre */}} -{{- define "agent.treLabels" -}} +{{- define "agent.treUiLabels" -}} helm.sh/chart: {{ include "agent.chart" . }} -{{ include "agent.treSelectorLabels" . }} +{{ include "agent.treUiSelectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} diff --git a/charts/agent/templates/egress/api/deployment.yaml b/charts/agent/templates/egress/api/deployment.yaml index f5db8f6b6..5fcd0f1f3 100644 --- a/charts/agent/templates/egress/api/deployment.yaml +++ b/charts/agent/templates/egress/api/deployment.yaml 
@@ -3,7 +3,7 @@ kind: Deployment metadata: name: {{ include "agent.fullname" . }}-egress-api labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressApiLabels" . | nindent 4 }} spec: replicas: 1 selector: diff --git a/charts/agent/templates/egress/api/ingress.yaml b/charts/agent/templates/egress/api/ingress.yaml index be7d66320..048a185a6 100644 --- a/charts/agent/templates/egress/api/ingress.yaml +++ b/charts/agent/templates/egress/api/ingress.yaml @@ -17,7 +17,7 @@ kind: Ingress metadata: name: {{ $fullName }}-api labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressApiLabels" . | nindent 4 }} {{- with .Values.egress.api.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/agent/templates/egress/api/service.yaml b/charts/agent/templates/egress/api/service.yaml index 6a79b07a6..e5ba5fb60 100644 --- a/charts/agent/templates/egress/api/service.yaml +++ b/charts/agent/templates/egress/api/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: {{ include "agent.fullname" . }}-egress-api labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressApiLabels" . | nindent 4 }} spec: type: {{ .Values.egress.api.service.type }} ports: diff --git a/charts/agent/templates/egress/serviceaccount.yaml b/charts/agent/templates/egress/serviceaccount.yaml index 70f782d20..f2c0bec01 100644 --- a/charts/agent/templates/egress/serviceaccount.yaml +++ b/charts/agent/templates/egress/serviceaccount.yaml @@ -4,7 +4,7 @@ kind: ServiceAccount metadata: name: {{ include "agent.egressServiceAccountName" . }}-egress labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressUiLabels" . | nindent 4 }} {{- with .Values.egress.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/agent/templates/egress/ui/deployment.yaml b/charts/agent/templates/egress/ui/deployment.yaml index acaf3d7b4..f24e79950 100644 
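Review bot: In `egress/serviceaccount.yaml` the shared ServiceAccount `…-egress` now takes `agent.egressUiLabels`, which labels it with the UI's `app.kubernetes.io/name` (`<name>-egress-ui`). The UI deployment references this account and the API deployment presumably does too, so anything that selects or audits by label will attribute the API's identity to the UI component. Either give the account a component-neutral label set, or split it into one ServiceAccount per component so each can be granted only what it needs. `tre/serviceaccount.yaml` makes the same substitution with `agent.treUiLabels`.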
--- a/charts/agent/templates/egress/ui/deployment.yaml +++ b/charts/agent/templates/egress/ui/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: {{ include "agent.fullname" . }}-egress-ui labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressUiLabels" . | nindent 4 }} spec: replicas: 1 selector: diff --git a/charts/agent/templates/egress/ui/ingress.yaml b/charts/agent/templates/egress/ui/ingress.yaml index ba06121f5..7b86239bf 100644 --- a/charts/agent/templates/egress/ui/ingress.yaml +++ b/charts/agent/templates/egress/ui/ingress.yaml @@ -17,7 +17,7 @@ kind: Ingress metadata: name: {{ $fullName }}-ui labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressUiLabels" . | nindent 4 }} {{- with .Values.egress.ui.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/agent/templates/egress/ui/service.yaml b/charts/agent/templates/egress/ui/service.yaml index afac1c7c1..47eaa6805 100644 --- a/charts/agent/templates/egress/ui/service.yaml +++ b/charts/agent/templates/egress/ui/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: {{ include "agent.fullname" . }}-egress-ui labels: - {{- include "agent.egressLabels" . | nindent 4 }} + {{- include "agent.egressUiLabels" . | nindent 4 }} spec: type: {{ .Values.egress.ui.service.type }} ports: diff --git a/charts/agent/templates/tre/api/deployment.yaml b/charts/agent/templates/tre/api/deployment.yaml index f2fcbc508..69cb64425 100644 --- a/charts/agent/templates/tre/api/deployment.yaml +++ b/charts/agent/templates/tre/api/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: {{ include "agent.fullname" . }}-tre-api labels: - {{- include "agent.treLabels" . | nindent 4 }} + {{- include "agent.treApiLabels" . | nindent 4 }} spec: replicas: 1 selector: diff --git a/charts/agent/templates/tre/api/ingress.yaml b/charts/agent/templates/tre/api/ingress.yaml index c7d9feadd..2c675e69e 100644 
--- a/charts/agent/templates/tre/api/ingress.yaml +++ b/charts/agent/templates/tre/api/ingress.yaml @@ -17,7 +17,7 @@ kind: Ingress metadata: name: {{ $fullName }}-api labels: - {{- include "agent.treLabels" . | nindent 4 }} + {{- include "agent.treApiLabels" . | nindent 4 }} {{- with .Values.tre.api.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/agent/templates/tre/api/service.yaml b/charts/agent/templates/tre/api/service.yaml index 257ee2ffa..8d02ed3e1 100644 --- a/charts/agent/templates/tre/api/service.yaml +++ b/charts/agent/templates/tre/api/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: {{ include "agent.fullname" . }}-tre-api labels: - {{- include "agent.treLabels" . | nindent 4 }} + {{- include "agent.treApiLabels" . | nindent 4 }} spec: type: {{ .Values.tre.api.service.type }} ports: diff --git a/charts/agent/templates/tre/serviceaccount.yaml b/charts/agent/templates/tre/serviceaccount.yaml index 29880254a..483574320 100644 --- a/charts/agent/templates/tre/serviceaccount.yaml +++ b/charts/agent/templates/tre/serviceaccount.yaml @@ -4,7 +4,7 @@ kind: ServiceAccount metadata: name: {{ include "agent.treServiceAccountName" . }}-tre labels: - {{- include "agent.treLabels" . | nindent 4 }} + {{- include "agent.treUiLabels" . | nindent 4 }} {{- with .Values.tre.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/agent/templates/tre/ui/deployment.yaml b/charts/agent/templates/tre/ui/deployment.yaml index a105199d4..956ea7b4d 100644 --- a/charts/agent/templates/tre/ui/deployment.yaml +++ b/charts/agent/templates/tre/ui/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: {{ include "agent.fullname" . }}-tre-ui labels: - {{- include "agent.treLabels" . | nindent 4 }} + {{- include "agent.treUiLabels" . | nindent 4 }} spec: replicas: 1 selector: 
diff --git a/charts/agent/templates/tre/ui/service.yaml b/charts/agent/templates/tre/ui/service.yaml index c8233365f..773de22c4 100644 --- a/charts/agent/templates/tre/ui/service.yaml +++ b/charts/agent/templates/tre/ui/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: {{ include "agent.fullname" . }}-tre-ui labels: - {{- include "agent.treLabels" . | nindent 4 }} + {{- include "agent.treUiLabels" . | nindent 4 }} spec: type: {{ .Values.tre.ui.service.type }} ports: